From 22fe4400d8afd585c21defa348eae3c845fb516a Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Tue, 3 Aug 2021 16:48:28 -0700
Subject: [PATCH 01/63] Openmetrics support using textparser

---
 go.mod | 85 +-
 go.sum | 764 ++++++++++++
 metricbeat/docs/fields.asciidoc | 64 +-
 metricbeat/docs/modules/linux/memory.asciidoc | 1 -
 .../modules/openmetrics/collector.asciidoc | 1 +
 metricbeat/helper/openmetrics/label.go | 59 +
 metricbeat/helper/openmetrics/metric.go | 495 ++++++++
 metricbeat/helper/openmetrics/module.go | 61 +
 metricbeat/helper/openmetrics/openmetrics.go | 1020 +++++++++++++++
 .../helper/openmetrics/openmetrics_test.go | 1093 +++++++++++++++++
 metricbeat/mb/testing/data/data_test.go | 7 +-
 metricbeat/mb/testing/testdata.go | 25 +-
 .../module/openmetrics/_meta/fields.yml | 31 +-
 .../openmetrics/collector/_meta/data.json | 3 +-
 .../_meta/testdata/docs.plain-expected.json | 40 +-
 .../module/openmetrics/collector/collector.go | 235 +++-
 .../openmetrics/collector/collector_test.go | 365 +++++-
 .../module/openmetrics/collector/config.go | 38 +
 .../module/openmetrics/collector/data.go | 290 +++++
 metricbeat/module/openmetrics/fields.go | 2 +-
 20 files changed, 4599 insertions(+), 80 deletions(-)
 create mode 100644 metricbeat/helper/openmetrics/label.go
 create mode 100644 metricbeat/helper/openmetrics/metric.go
 create mode 100644 metricbeat/helper/openmetrics/module.go
 create mode 100644 metricbeat/helper/openmetrics/openmetrics.go
 create mode 100644 metricbeat/helper/openmetrics/openmetrics_test.go
 create mode 100644 metricbeat/module/openmetrics/collector/config.go
 create mode 100644 metricbeat/module/openmetrics/collector/data.go
diff --git a/go.mod b/go.mod
index 593410b603d..0fa29ba48ca 100644
--- a/go.mod
+++ b/go.mod
@@ -4,23 +4,23 @@ go 1.16
 
 require (
 	4d63.com/tz v1.1.1-0.20191124060701-6d37baae851b
-	cloud.google.com/go v0.51.0
-	cloud.google.com/go/bigquery v1.0.1
-	cloud.google.com/go/pubsub v1.0.1
-	cloud.google.com/go/storage v1.0.0
+	cloud.google.com/go v0.79.0
+	cloud.google.com/go/bigquery v1.8.0
+	cloud.google.com/go/pubsub v1.3.1
+	cloud.google.com/go/storage v1.10.0
 	code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee // indirect
 	code.cloudfoundry.org/go-loggregator v7.4.0+incompatible
 	code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a // indirect
 	github.com/Azure/azure-event-hubs-go/v3 v3.1.2
-	github.com/Azure/azure-sdk-for-go v37.1.0+incompatible
+	github.com/Azure/azure-sdk-for-go v52.5.0+incompatible
 	github.com/Azure/azure-storage-blob-go v0.8.0
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
-	github.com/Azure/go-autorest/autorest v0.9.6
-	github.com/Azure/go-autorest/autorest/adal v0.8.2
+	github.com/Azure/go-autorest/autorest v0.11.18
+	github.com/Azure/go-autorest/autorest/adal v0.9.13
 	github.com/Azure/go-autorest/autorest/azure/auth v0.4.2
-	github.com/Azure/go-autorest/autorest/date v0.2.0
+	github.com/Azure/go-autorest/autorest/date v0.3.0
 	github.com/Masterminds/semver v1.4.2
-	github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5
+	github.com/Microsoft/go-winio v0.4.16
 	github.com/Shopify/sarama v1.27.0
 	github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6
 	github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc
@@ -29,8 +29,8 @@ require (
 	github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d
 	github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 // indirect
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
-	github.com/aws/aws-lambda-go v1.6.0
-	github.com/aws/aws-sdk-go-v2 v0.9.0
+	github.com/aws/aws-lambda-go v1.13.3
+	github.com/aws/aws-sdk-go-v2 v0.18.0
 	github.com/awslabs/goformation/v4 v4.1.0
 	github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2
 	github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible
@@ -50,7 +50,7 @@ require (
 	github.com/dgrijalva/jwt-go v3.2.1-0.20190620180102-5e25c22bd5d6+incompatible // indirect
 	github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1
 	github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf // indirect
-	github.com/docker/docker v1.4.2-0.20170802015333-8af4db6f002a
+	github.com/docker/docker v20.10.5+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-plugins-helpers v0.0.0-20181025120712-1e6269c305b8
@@ -81,24 +81,23 @@ require (
 	github.com/fsnotify/fsnotify v1.4.9
 	github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647 // indirect
 	github.com/go-sourcemap/sourcemap v2.1.2+incompatible // indirect
-	github.com/go-sql-driver/mysql v1.4.1
+	github.com/go-sql-driver/mysql v1.5.0
 	github.com/go-test/deep v1.0.7
 	github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be
 	github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e
-	github.com/godror/godror v0.10.4
+	github.com/godror/godror v0.25.2
 	github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b
 	github.com/gofrs/uuid v3.3.0+incompatible
-	github.com/gogo/protobuf v1.3.1
+	github.com/gogo/protobuf v1.3.2
 	github.com/golang/protobuf v1.4.3
-	github.com/golang/snappy v0.0.1
+	github.com/golang/snappy v0.0.3
 	github.com/gomodule/redigo v1.8.3
-	github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9
-	github.com/google/go-cmp v0.5.2
+	github.com/google/flatbuffers v1.11.0
+	github.com/google/go-cmp v0.5.5
 	github.com/google/gopacket v1.1.18-0.20191009163724-0ad7f2610e34
 	github.com/google/uuid v1.1.2
 	github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75
-	github.com/gorilla/mux v1.7.2
-	github.com/grpc-ecosystem/grpc-gateway v1.13.0 // indirect
+	github.com/gorilla/mux v1.7.3
 	github.com/h2non/filetype v1.1.1
 	github.com/hashicorp/go-multierror v1.1.0
 	github.com/hashicorp/go-retryablehttp v0.6.6
@@ -114,30 +113,26 @@ require (
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/kardianos/service v1.1.0
 	github.com/kolide/osquery-go v0.0.0-20200604192029-b019be7063ac
-	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
 	github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01
 	github.com/magefile/mage v1.11.0
-	github.com/mailru/easyjson v0.7.1 // indirect
 	github.com/mattn/go-colorable v0.1.6
 	github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/miekg/dns v1.1.15
+	github.com/miekg/dns v1.1.41
 	github.com/mitchellh/gox v1.0.1
 	github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51
-	github.com/mitchellh/mapstructure v1.3.3
+	github.com/mitchellh/mapstructure v1.4.1
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/oklog/ulid v1.3.1
-	github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483 // indirect
 	github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 // indirect
 	github.com/otiai10/copy v1.2.0
 	github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0
 	github.com/pkg/errors v0.9.1
 	github.com/pmezard/go-difflib v1.0.0
-	github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc // indirect
-	github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4
-	github.com/prometheus/common v0.7.0
-	github.com/prometheus/procfs v0.0.11
-	github.com/prometheus/prometheus v2.5.0+incompatible
+	github.com/prometheus/client_model v0.2.0
+	github.com/prometheus/common v0.20.0
+	github.com/prometheus/procfs v0.6.0
+	github.com/prometheus/prometheus v1.8.2-0.20210518124745-6eeded0fdf76
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0
 	github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e // indirect
 	github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54
@@ -162,36 +157,36 @@ require (
 	go.elastic.co/ecszap v0.3.0
 	go.elastic.co/go-licence-detector v0.4.0
 	go.etcd.io/bbolt v1.3.4
-	go.uber.org/atomic v1.5.0
+	go.uber.org/atomic v1.7.0
 	go.uber.org/multierr v1.3.0
 	go.uber.org/zap v1.14.0
 	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e
-	golang.org/x/lint v0.0.0-20200130185559-910be7a94367
-	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
+	golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5
+	golang.org/x/net v0.0.0-20210324051636-2c4c8ecb7826
+	golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1
 	golang.org/x/text v0.3.5
-	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
-	golang.org/x/tools v0.0.0-20200731060945-b5fad4ed8dd6
-	google.golang.org/api v0.15.0
-	google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb
-	google.golang.org/grpc v1.29.1
+	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
+	golang.org/x/tools v0.1.0
+	google.golang.org/api v0.42.0
+	google.golang.org/genproto v0.0.0-20210312152112-fc591d9ea70f
+	google.golang.org/grpc v1.36.0
 	google.golang.org/protobuf v1.25.0
 	gopkg.in/inf.v0 v0.9.1
 	gopkg.in/jcmturner/gokrb5.v7 v7.5.0
 	gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528
-	gopkg.in/yaml.v2 v2.3.0
+	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools v2.2.0+incompatible
 	gotest.tools/gotestsum v0.6.0
 	howett.net/plist v0.0.0-20181124034731-591f970eefbb
-	k8s.io/api v0.19.4
-	k8s.io/apimachinery v0.19.4
-	k8s.io/client-go v0.19.4
+	k8s.io/api v0.20.5
+	k8s.io/apimachinery v0.20.5
+	k8s.io/client-go v0.20.5
 )
 
 replace (
-	github.com/Azure/go-autorest => github.com/Azure/go-autorest v12.2.0+incompatible
+	// github.com/Azure/go-autorest => github.com/Azure/go-autorest v12.2.0+incompatible
 	github.com/Microsoft/go-winio => github.com/bi-zone/go-winio v0.4.15
 	github.com/Shopify/sarama => github.com/elastic/sarama v1.19.1-0.20210120173147-5c8cb347d877
 	github.com/cucumber/godog => github.com/cucumber/godog v0.8.1
diff --git a/go.sum b/go.sum
index 19b2ae2161a..54aefe19fc0 100644
--- a/go.sum
+++ b/go.sum
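Review bot: The `replace` for `github.com/Azure/go-autorest` at the end of the hunk is commented out rather than deleted, which leaves dead configuration in go.mod; if the v12.2.0 pin is no longer needed, drop the line entirely. Lifting that replace is a real dependency-resolution change, not a comment edit — go.sum in this same patch gains `github.com/Azure/go-autorest v14.2.0+incompatible` — so the commit message should say why the pin existed and why it is safe to remove, since a silently changed replace is exactly the kind of edit a later supply-chain audit has to reconstruct. In the preceding hunk of the same file, `github.com/prometheus/prometheus` moves to `v1.8.2-0.20210518124745-6eeded0fdf76`, a pseudo-version pinned to a commit rather than a tagged release; a trailing comment naming what that commit provides (presumably the text parser the subject line refers to) would make the next upgrade less of a guess.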
@@ -6,20 +6,51 @@ bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxo cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.43.0/go.mod h1:BOSR3VbTLkk6FDC/TcffxP4NF/FFBGA5ku+jvKOP7pg= cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= cloud.google.com/go v0.51.0 h1:PvKAVQWCtlGUSlZkGW3QLelKaWq7KYv/MW1EboG8bfM= cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= +cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= +cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= +cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= +cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= +cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= +cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= +cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= +cloud.google.com/go v0.79.0 h1:oqqswrt4x6b9OGBnNqdssxBl1xf0rSUNjU2BR4BZar0= +cloud.google.com/go v0.79.0/go.mod 
h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= cloud.google.com/go/bigquery v1.0.1 h1:hL+ycaJpVE9M7nLoiXb/Pn10ENE2u+oddxbD8uu0ZVU= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= +cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= +cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= +cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= +cloud.google.com/go/bigquery v1.8.0 h1:PQcPefKFdaIzjQFbiyOgAqyx8q5djaE7x9Sqe712DPA= +cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/bigtable v1.2.0/go.mod h1:JcVAOl45lrTmQfLj7T6TxyMzIN/3FGGcFm+2xVAli2o= cloud.google.com/go/datastore v1.0.0 h1:Kt+gOPPp2LEPWp8CSfxhsM8ik9CcyE/gYu+0r+RnZvM= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/pubsub v1.0.1 h1:W9tAK3E57P75u0XLLR82LZyw8VpAnhmyTOxW9qzmyj8= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= +cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= +cloud.google.com/go/pubsub v1.3.1 h1:ukjixP1wl0LpnZ6LWtZJ0mX5tBmjp1f8Sqer8Z2OMUU= +cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= cloud.google.com/go/storage v1.0.0 h1:VV2nUM3wwLLGh9lSABFgZMjInyUbJeaRSE64WuAIQ+4= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= +cloud.google.com/go/storage v1.6.0/go.mod 
h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= +cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0 h1:STgFzyU5/8miMl0//zKh2aQeTyeaUH3WN9bSUiJ09bA= +cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee h1:iAAPf9s7/+BIiGf+RjgcXLm3NoZaLIJsBXJuUa63Lx8= code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee/go.mod h1:Jzi+ccHgo/V/PLQUaQ6hnZcC1c4BS790gx21LRRui4g= code.cloudfoundry.org/go-loggregator v7.4.0+incompatible h1:KqZYloMQWM5Zg/BQKunOIA4OODh7djZbk48qqbowNFI= @@ -28,6 +59,7 @@ code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f h1:UrKzEwTg code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f/go.mod h1:sk5LnIjB/nIEU7yP5sDQExVm62wu0pBh3yrElngUisI= code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a h1:8rqv2w8xEceNwckcF5ONeRt0qBHlh5bnNfFnYTrZbxs= code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a/go.mod h1:tkZo8GtzBjySJ7USvxm4E36lNQw1D3xM6oKHGqdaAJ4= +collectd.org v0.3.0/go.mod h1:A/8DzQBkF6abtvrT2j/AU/4tiBgJWYyh0y/oB/4MlWE= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/Azure/azure-amqp-common-go/v3 v3.0.0 h1:j9tjcwhypb/jek3raNrwlCIl7iKQYOug7CLpSyBBodc= github.com/Azure/azure-amqp-common-go/v3 v3.0.0/go.mod h1:SY08giD/XbhTz07tJdpw1SoxQXHPN30+DI3Z04SYqyg= 
@@ -39,6 +71,8 @@ github.com/Azure/azure-pipeline-go v0.2.1 h1:OLBdZJ3yvOn2MezlWvbrBMTEUQC72zAftRZ github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= github.com/Azure/azure-sdk-for-go v37.1.0+incompatible h1:aFlw3lP7ZHQi4m1kWCpcwYtczhDkGhDoRaMTaxcOf68= github.com/Azure/azure-sdk-for-go v37.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v52.5.0+incompatible h1:/NLBWHCnIHtZyLPc1P7WIqi4Te4CC23kIQyK3Ep/7lA= +github.com/Azure/azure-sdk-for-go v52.5.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-storage-blob-go v0.6.0/go.mod h1:oGfmITT1V6x//CswqY2gtAHND+xIP64/qL7a5QJix0Y= github.com/Azure/azure-storage-blob-go v0.8.0 h1:53qhf0Oxa0nOjgbDeeYPUeyiNmafAFEY95rZLK0Tj6o= github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0= 
@@ -46,15 +80,24 @@ github.com/Azure/go-amqp v0.12.6 h1:34yItuwhA/nusvq2sPSNPQxZLCf/CtaogYH8n578mnY= github.com/Azure/go-amqp v0.12.6/go.mod h1:qApuH6OFTSKZFmCOxccvAv5rLizBQf4v8pRmG138DPo= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= github.com/Azure/go-autorest/autorest v0.9.6 h1:5YWtOnckcudzIw8lPPBcWOnmIFWMtHci1ZWAZulMSx0= github.com/Azure/go-autorest/autorest v0.9.6/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= +github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest v0.11.18 h1:90Y4srNYrwOtAgVo3ndrQkTYn6kf1Eg/AjTFJ8Is2aM= +github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= github.com/Azure/go-autorest/autorest/adal v0.8.2 h1:O1X4oexUxnZCaEUGsvMnr8ZGj8HI37tNezwY4npRqA0= github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal 
v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= +github.com/Azure/go-autorest/autorest/adal v0.9.13 h1:Mp5hbtOePIzM8pJVRa3YLrWWmZtoxRXqUEzCfJt3+/Q= +github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= github.com/Azure/go-autorest/autorest/azure/auth v0.4.2 h1:iM6UAvjR97ZIeR93qTcwpKNMpV+/FTWjwEbuPD495Tk= github.com/Azure/go-autorest/autorest/azure/auth v0.4.2/go.mod h1:90gmfKdlmKgfjUpnCEpOJzsUEjrWDSLwHIG73tSXddM= github.com/Azure/go-autorest/autorest/azure/cli v0.3.1 h1:LXl088ZQlP0SBppGFsRZonW6hSvwgL5gRByMbvUbx8U= 
@@ -62,23 +105,39 @@ github.com/Azure/go-autorest/autorest/azure/cli v0.3.1/go.mod h1:ZG5p860J94/0kI9 github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= github.com/Azure/go-autorest/autorest/date v0.2.0 h1:yW+Zlqf26583pE43KhfnhFcdmSWlm5Ew6bxipnr/tbM= github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= +github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= github.com/Azure/go-autorest/autorest/mocks v0.3.0 h1:qJumjCaCudz+OcqE9/XtEPfvtOjOmKaui4EOpFI6zZc= github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/to v0.3.0 h1:zebkZaadz7+wIQYgC7GXaz3Wb28yKYfVkkBKwc38VF8= github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= +github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= +github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= github.com/Azure/go-autorest/autorest/validation v0.2.0 h1:15vMO4y76dehZSq7pAaOLQxC6dZYsSrj2GQpflyM/L4= github.com/Azure/go-autorest/autorest/validation v0.2.0/go.mod h1:3EEqHnBxQGHXRYq3HT1WyXAvT7LLY3tl70hw6tQIbjI= +github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac= 
+github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= github.com/Azure/go-autorest/logger v0.1.0 h1:ruG4BSDXONFRrZZJ2GUXDiUyVpayPmb1GnWeHDdaNKY= github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= +github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.5.0 h1:TRn4WjSnkcSy5AEG3pnbtFSwNtwzjr4VYyQflFE619k= github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= +github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= github.com/DataDog/zstd v1.4.1 h1:3oxKN3wbHibqx897utPC2LTQU4J+IHWWJO+glkAkpFM= github.com/DataDog/zstd v1.4.1/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= +github.com/HdrHistogram/hdrhistogram-go v1.0.1/go.mod h1:BWJ+nMSHY3L41Zj7CA3uXnloDp7xxV0YvstAE7nKTaM= +github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= github.com/Masterminds/semver v1.4.2 h1:WBLTQ37jOCzSLtXNdoo8bNM8876KhNqOKvrlGITgsTc= github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Microsoft/hcsshim v0.8.7 
h1:ptnOoufxGSzauVTsdE+wMYnCWA301PdoN4xg5oRdZpg= 
@@ -87,43 +146,73 @@ github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb0 github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/toxiproxy v2.1.4+incompatible h1:TKdv8HiTLgE5wdJuEML90aBgNWsokNbMijUGhmcoBJc= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6 h1:2Gl9Tray0NEjP9KC0FjdGWlszbmTIsBP3JYzgyFdL4E= github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= +github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g= github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d h1:g0M6kedfjDpyAAuxqBvJzMNjFzlrQ7Av6LCDFqWierk= github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d/go.mod h1:VykaKG/ofkKje+MSvqjrDsz1wfyHIvEVFljhq2EOZ4g= github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41 h1:9OmEpkkO4vm8Wz+JKWHDLZdzYrqXr4dovxIJDkTltKE= github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41/go.mod h1:UdDNZ1OO62aGYVnPhxT1U6aI7ukYtA/kB8vaU0diBUM= github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc h1:9iW/Fbn/R/nyUOiqo6AgwBe8uirqUIoTGF3vKG8qjoc= github.com/aerospike/aerospike-client-go 
v1.27.1-0.20170612174108-0f3b54da6bdc/go.mod h1:zj8LBEnWBDOVEIJt8LvaRvDG5ARAoa5dBeHaB472NRc= +github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c= +github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM= +github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw= github.com/akavel/rsrc v0.8.0 h1:zjWn7ukO9Kc5Q62DOJCcxGpXC18RawVtYAGdz2aLlfw= github.com/akavel/rsrc v0.8.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= +github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE= github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20 h1:7rj9qZ63knnVo2ZeepYHvHuRdG76f3tRUTdIQDzRBeI= github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20/go.mod h1:cI59GRkC2FRaFYtgbYEqMlgnnfvAwXzjojyZKXwklNg= github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43 h1:WFwa9pqou0Nb4DdfBOyaBTH0GqLE74Qwdf61E7ITHwQ= github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43/go.mod h1:tJPYQG4mnMeUtQvQKNkbsFrnmZOg59Qnf8CcctFv5v4= +github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q= 
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d h1:OE3kzLBpy7pOJEzE55j9sdgrSilUPzzj++FWvp1cmIs= github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d/go.mod h1:T7PbCXFs94rrTttyxjbyT5+/1V8T2TYDejxUfHJjw1Y= +github.com/apache/arrow/go/arrow v0.0.0-20191024131854-af6fa24be0db/go.mod h1:VTxUBvSJ3s3eHAg65PNgrsn5BtqCRPdmyXh6rAfdxN0= +github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= +github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f h1:33BV5v3u8I6dA2dEoPuXWCsAaHHOJfPtdxZhAMQV4uo= github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 h1:afT88tB6u9JCKQZVAAaa9ICz/uGn5Uw9ekn6P22mYKM= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77/go.mod h1:bXvGk6IkT1Agy7qzJ+DjIw/SJ1AaB3AvAuMDVV+Vkoo= +github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/aryann/difflib 
v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A= +github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/asaskevich/govalidator v0.0.0-20200108200545-475eaeb16496/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg= +github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg= +github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-lambda-go v1.6.0 h1:T+u/g79zPKw1oJM7xYhvpq7i4Sjc0iVsXZUaqRVVSOg= github.com/aws/aws-lambda-go v1.6.0/go.mod h1:zUsUQhAUjYzR8AuduJPCfhBuKWUaDbQiPOG+ouzmE1A= +github.com/aws/aws-lambda-go v1.13.3 h1:SuCy7H3NLyp+1Mrfp+m80jcbi9KYWAs9/BXwppwRDzY= +github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= +github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.34.28/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48= +github.com/aws/aws-sdk-go v1.38.3/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go-v2 v0.9.0 h1:dWtJKGRFv3UZkMBQaIzMsF0/y4ge3iQPWTzeC4r/vl4= github.com/aws/aws-sdk-go-v2 v0.9.0/go.mod h1:sa1GePZ/LfBGI4dSq30f6uR4Tthll8axxtEPvlpXZ8U= +github.com/aws/aws-sdk-go-v2 v0.18.0 h1:qZ+woO4SamnH/eEbjM2IDLhRNwIwND/RQyVlBLp3Jqg= +github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/awslabs/goformation/v3 v3.1.0/go.mod h1:hQ5RXo3GNm2laHWKizDzU5DsDy+yNcenSca2UxN0850= github.com/awslabs/goformation/v4 v4.1.0 h1:JRxIW0IjhYpYDrIZOTJGMu2azXKI+OK5dP56ubpywGU= github.com/awslabs/goformation/v4 v4.1.0/go.mod h1:MBDN7u1lMNDoehbFuO4uPvgwPeolTMA2TzX1yO6KlxI= 
@@ -131,6 +220,7 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/bi-zone/go-winio v0.4.15 h1:viLHm+U7bzIkfVHuWgc3Wp/sT5zaLoRG7XdOEy1b12w= github.com/bi-zone/go-winio v0.4.15/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= github.com/blakerouse/service v1.1.1-0.20200924160513-057808572ffa h1:aXHPZwx8Y5z8r+1WPylnu095usTf6QSshaHs6nVMBc0= 
@@ -138,12 +228,18 @@ github.com/blakerouse/service v1.1.1-0.20200924160513-057808572ffa/go.mod h1:RrJ github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2 h1:oMCHnXa6CCCafdPDbMh/lWRhRByN0VFLvv+g+ayx1SI= github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI= github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/bmizerany/pat v0.0.0-20170815010413-6226ea591a40/go.mod h1:8rLXio+WjiTceGBHIoTvn60HIbs7Hm7bcHjyrSqYB9c= +github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps= github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible h1:4g18+HnTDwEtO0n7K8B1Kjq+04MEKJRkhJNQ/hb9d5A= github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible/go.mod h1:r7ao+4tTNXvWm+VRpRJchr2kQhqxgmAp2iEX5W96gMM= +github.com/c-bata/go-prompt v0.2.2/go.mod h1:VzqtzE2ksDBcdln8G7mk2RX9QyGjH+OVqOCSiVIqS34= +github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ= github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e h1:YYUjy5BRwO5zPtfk+aa2gw255FIIoi93zMmuy19o0bc= github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e/go.mod h1:V284PjgVwSk4ETmz84rpu9ehpGg7swlIH8npP9k2bGw= github.com/cavaliercoder/go-rpm v0.0.0-20190131055624-7a9c54e3d83e h1:Gbx+iVCXG/1m5WSnidDGuHgN+vbIwl+6fR092ANU+Y8= github.com/cavaliercoder/go-rpm v0.0.0-20190131055624-7a9c54e3d83e/go.mod h1:AZIh1CCnMrcVm6afFf96PBvE2MRpWFco91z8ObJtgDY= +github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= +github.com/cenkalti/backoff/v4 v4.0.2/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod 
h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= @@ -152,6 +248,7 @@ github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cloudfoundry-community/go-cfclient v0.0.0-20190808214049-35bcce23fc5f h1:fK3ikA1s77arBhpDwFuyO0hUZ2Aa8O6o2Uzy8Q6iLbs= github.com/cloudfoundry-community/go-cfclient v0.0.0-20190808214049-35bcce23fc5f/go.mod h1:RtIewdO+K/czvxvIFCMbPyx7jdxSLL1RZ+DA/Vk8Lwg= 
@@ -160,6 +257,10 @@ github.com/cloudfoundry/noaa v2.1.0+incompatible/go.mod h1:5LmacnptvxzrTvMfL9+EJ github.com/cloudfoundry/sonde-go v0.0.0-20171206171820-b33733203bb4 h1:cWfya7mo/zbnwYVio6eWGsFJHqYw4/k/uhwIJ1eqRPI= github.com/cloudfoundry/sonde-go v0.0.0-20171206171820-b33733203bb4/go.mod h1:GS0pCHd7onIsewbw8Ue9qa9pZPv2V88cUZDttK6KzgI= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 h1:sDMmm+q/3+BukdIpxwO365v/Rbspp2Nt5XntgQRXq8Q= github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM= github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko= 
@@ -167,6 +268,8 @@ github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.3.3 h1:LoIzb5y9x5l8VKAlyrbusNPXqBY0+kviRloxFUMFwKc= github.com/containerd/containerd v1.3.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.4.3 h1:ijQT13JedHSHrQGWFcGEwzcNKrAGIiZ+jSD5QQG07SY= +github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20200107194136-26c1120b8d41 h1:kIFnQBO7rQ0XkMe6xEwbybYHBEaWmh/f++laI6Emt7M= github.com/containerd/continuity v0.0.0-20200107194136-26c1120b8d41/go.mod h1:Dq467ZllaHgAtVp4p1xUQWBrFXR9s/wyoTpG8zOJGkY= 
@@ -179,18 +282,24 @@ github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kw github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.0.0 h1:XJIw/+VlJ+87J+doOxznsAWIdmWuViOVhkQamW5YV28= github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea h1:n2Ltr3SrfQlf/9nOna1DoGKxLx3qTSI8Ttl6Xrqp6mw= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cucumber/godog v0.8.1 h1:lVb+X41I4YDreE+ibZ50bdXmySxgRviYFgKY6Aw4XE8= github.com/cucumber/godog v0.8.1/go.mod h1:vSh3r/lM+psC1BPXvdkSEuNjmXfpVqrMGYAElF6hxnA= github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg= 
github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= +github.com/dave/jennifer v1.2.0/go.mod h1:fIb+770HOpJ2fmN9EPPKOqm1vMGhB+TwXKMZhrIygKg= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -208,14 +317,18 @@ github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de/go.mod h1:KP github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgrijalva/jwt-go v3.2.1-0.20190620180102-5e25c22bd5d6+incompatible h1:4jGdduO4ceTJFKf0IhgaB8NJapGqKHwC2b4xQ/cXujM= github.com/dgrijalva/jwt-go v3.2.1-0.20190620180102-5e25c22bd5d6+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8/go.mod h1:VMaSuZ+SZcx/wljOQKvp5srsbCiKDEb6K2wC4+PiBmQ= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= +github.com/dgryski/go-sip13 v0.0.0-20200911182023-62edffca9245/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1 h1:eG5K5GNAAHvQlFmfIuy0Ocjg5dvyX22g/KknwTpmBko= github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1/go.mod h1:PRcPVAAma6zcLpFd4GZrjR/MRpood3TamjKI2m/z/Uw= +github.com/digitalocean/godo v1.58.0/go.mod h1:p7dOjjtSBqCTUksqtA5Fd3uaKs9kyTq2xcz76ulEJRU= github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf h1:uOWCk+L8abzw0BzmnCn7j7VT3g6bv9zW8fkR0yOP0Q4= github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/engine 
v0.0.0-20191113042239-ea84732a7725 h1:j0zqmciWFnhB01BT/CyfoXNEONoxerGjkcxM8i6tlXI= @@ -237,14 +350,17 @@ github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6/go.mod h1:hn7BA github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-resiliency v1.2.0 h1:v7g92e/KSN71Rq7vSThKaWIq68fL4YHvWyiUKorFR1Q= github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 h1:YEetp8/yCZMuEPMUDHG0CW/brkkEp8mzqk2+ODEitlw= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= +github.com/eclipse/paho.mqtt.golang v1.2.0/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts= github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 h1:DW6WrARxK5J+o8uAKCiACi5wy9EK1UzrsCpGBPsKHAA= github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts= +github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY= github.com/elastic/ecs v1.10.0 h1:C+0ZidF/eh5DKYAZBir3Hq9Q6aMXcwpgEuQnj4bRzKA= 
@@ -289,48 +405,177 @@ github.com/elastic/sarama v1.19.1-0.20210120173147-5c8cb347d877/go.mod h1:g5s5os github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.9.0+incompatible h1:kLcOMZeuLAJvL2BPWLMIj5oaZQobrkAqrL+WFZwQses= github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= +github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk= +github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod 
h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= +github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= +github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= github.com/frankban/quicktest v1.10.2 h1:19ARM85nVi4xH7xPXuc5eM/udya5ieh7b/Sv+d844Tk= github.com/frankban/quicktest v1.10.2/go.mod h1:K+q6oSqb0W0Ininfk863uOk1lMy69l/P6txr3mVT54s= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= +github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= +github.com/glycerine/go-unsnap-stream v0.0.0-20180323001048-9f0cb55181dd/go.mod h1:/20jfyN9Y5QPEAprSgKAUr+glWDY39ZiUEAYOEv5dsE= +github.com/glycerine/goconvey v0.0.0-20190410193231-58a59202ab31/go.mod h1:Ogl1Tioa0aV7gstGFO7KhffUsb9M4ydbEbbxpcEDc24= +github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0 h1:wDJmvq38kDhkVxi50ni9ykkdUr1PKgqKOoi01fa0Mdk= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/kit v0.10.0/go.mod 
h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0 h1:MP4Eh7ZCb31lleYCFuwm0oe4/YGak+5l1vA2NOE80nA= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-logfmt/logfmt v0.5.0 h1:TrB8swr/68K7m9CcGut2g3UOihhbcbiMAYiuTXdEih4= +github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc= +github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab h1:xveKWz2iaueeTaUgdetzel+U7exyigDYBryyVfV/rZk= github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8= github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647 h1:whypLownH338a3Ork2w9t0KUKtVxbXYySuz7V1YGsJo= github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI= +github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= +github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= +github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk= +github.com/go-openapi/analysis v0.19.4/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk= +github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU= +github.com/go-openapi/analysis 
v0.19.10/go.mod h1:qmhS3VNFxBlquFJ0RGoDtylO9y4pgTAUNE9AEEMdlJQ= +github.com/go-openapi/analysis v0.19.16/go.mod h1:GLInF007N83Ad3m8a/CbQ5TPzdnGT7workfHwuVjNVk= +github.com/go-openapi/analysis v0.20.0/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og= +github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= +github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= +github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= +github.com/go-openapi/errors v0.19.3/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= +github.com/go-openapi/errors v0.19.4/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= +github.com/go-openapi/errors v0.19.6/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/errors v0.19.7/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= +github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= +github.com/go-openapi/jsonreference v0.18.0/go.mod 
h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= +github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs= +github.com/go-openapi/loads v0.19.3/go.mod h1:YVfqhUCdahYwR3f3iiwQLhicVRvLlU/WO5WPaZvcvSI= +github.com/go-openapi/loads v0.19.4/go.mod h1:zZVHonKd8DXyxyw4yfnVjPzBjIQcLt0CCsn0N0ZrQsk= +github.com/go-openapi/loads v0.19.5/go.mod h1:dswLCAdonkRufe/gSUC3gN8nTSaB9uaS2es0x5/IbjY= +github.com/go-openapi/loads v0.19.6/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc= +github.com/go-openapi/loads v0.19.7/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc= +github.com/go-openapi/loads v0.20.0/go.mod h1:2LhKquiE513rN5xC6Aan6lYOSddlL8Mp20AW9kpviM4= +github.com/go-openapi/loads v0.20.2/go.mod h1:hTVUotJ+UonAMMZsvakEgmWKgtulweO9vYP2bQYKA/o= +github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA= +github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64= +github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4= +github.com/go-openapi/runtime v0.19.15/go.mod h1:dhGWCTKRXlAfGnQG0ONViOZpjfg0m2gUt9nTQPQZuoo= +github.com/go-openapi/runtime v0.19.16/go.mod h1:5P9104EJgYcizotuXhEuUrzVc+j1RiSjahULvYmlv98= +github.com/go-openapi/runtime v0.19.24/go.mod h1:Lm9YGCeecBnUUkFTxPC4s1+lwrkJ0pthx8YvyjCfkgk= github.com/go-openapi/spec 
v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= +github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= +github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/spec v0.19.6/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= +github.com/go-openapi/spec v0.19.8/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= +github.com/go-openapi/spec v0.19.15/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU= +github.com/go-openapi/spec v0.20.0/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU= +github.com/go-openapi/spec v0.20.1/go.mod h1:93x7oh+d+FQsmsieroS4cmR3u0p/ywH649a3qwC9OsQ= +github.com/go-openapi/spec v0.20.3/go.mod h1:gG4F8wdEDN+YPBMVnzE85Rbhf+Th2DTvA9nFPQ5AYEg= +github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= +github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= +github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY= +github.com/go-openapi/strfmt v0.19.2/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU= +github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU= +github.com/go-openapi/strfmt v0.19.4/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk= +github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk= +github.com/go-openapi/strfmt v0.19.11/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc= +github.com/go-openapi/strfmt v0.20.0/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc= github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.17.0/go.mod 
h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= +github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.7/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY= +github.com/go-openapi/swag v0.19.9/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY= +github.com/go-openapi/swag v0.19.12/go.mod h1:eFdyEBkTdoAf/9RXBvj4cr1nH7GD8Kzo5HTt47gr72M= +github.com/go-openapi/swag v0.19.13/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= +github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA= +github.com/go-openapi/validate v0.19.3/go.mod h1:90Vh6jjkTn+OT1Eefm0ZixWNFjhtOH7vS9k0lo6zwJo= +github.com/go-openapi/validate v0.19.8/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4= +github.com/go-openapi/validate v0.19.10/go.mod h1:RKEZTUWDkxKQxN2jDT7ZnZi2bhZlbNMAuKvKB+IaGx8= +github.com/go-openapi/validate v0.19.12/go.mod h1:Rzou8hA/CBw8donlS6WNEUQupNvUZ0waH08tGe6kAQ4= +github.com/go-openapi/validate v0.19.15/go.mod h1:tbn/fdOwYHgrhPBzidZfJC2MIVvs9GA7monOmWBbeCI= +github.com/go-openapi/validate v0.20.1/go.mod h1:b60iJT+xNNLfaQJUqLI7946tYiFEOuE9E4k54HpKcJ0= +github.com/go-openapi/validate v0.20.2/go.mod h1:e7OJoKNgd0twXZwIn0A43tHbvIcr/rZIVCbJBpTUoY0= github.com/go-sourcemap/sourcemap v2.1.2+incompatible h1:0b/xya7BKGhXuqFESKM4oIiRo9WOt2ebz7KxfreD6ug= github.com/go-sourcemap/sourcemap v2.1.2+incompatible/go.mod h1:F8jJfvm2KbVjc5NqelyYJmf/v5J0dwNLS2mL4sNA1Jg= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.4.1 
h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs= +github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= +github.com/go-zookeeper/zk v1.0.2/go.mod h1:nOB03cncLtlp4t+UAkGSV+9beXP/akpekBwL+UX1Qcw= +github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0= +github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY= +github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg= +github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= +github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= +github.com/gobuffalo/flect v0.1.0/go.mod h1:d2ehjJqGOH/Kjqcoz+F7jHTBbmDb38yXA598Hb50EGs= +github.com/gobuffalo/flect v0.1.1/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= +github.com/gobuffalo/flect v0.1.3/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= +github.com/gobuffalo/genny v0.0.0-20190329151137-27723ad26ef9/go.mod h1:rWs4Z12d1Zbf19rlsn0nurr75KqhYp52EAGGxTbBhNk= +github.com/gobuffalo/genny v0.0.0-20190403191548-3ca520ef0d9e/go.mod h1:80lIj3kVJWwOrXWWMRzzdhW3DsrdjILVil/SFKBzF28= +github.com/gobuffalo/genny v0.1.0/go.mod h1:XidbUqzak3lHdS//TPu2OgiFB+51Ur5f7CSnXZ/JDvo= +github.com/gobuffalo/genny v0.1.1/go.mod h1:5TExbEyY48pfunL4QSXxlDOmdsD44RRq4mVZ0Ex28Xk= +github.com/gobuffalo/gitgen v0.0.0-20190315122116-cc086187d211/go.mod h1:vEHJk/E9DmhejeLeNt7UVvlSGv3ziL+djtTr3yyzcOw= 
+github.com/gobuffalo/gogen v0.0.0-20190315121717-8f38393713f5/go.mod h1:V9QVDIxsgKNZs6L2IYiGR8datgMhB577vzTDqypH360= +github.com/gobuffalo/gogen v0.1.0/go.mod h1:8NTelM5qd8RZ15VjQTFkAW6qOMx5wBbW4dSCS3BY8gg= +github.com/gobuffalo/gogen v0.1.1/go.mod h1:y8iBtmHmGc4qa3urIyo1shvOD8JftTtfcKi+71xfDNE= github.com/gobuffalo/here v0.6.0 h1:hYrd0a6gDmWxBM4TnrGw8mQg24iSVoIkHEk7FodQcBI= github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM= +github.com/gobuffalo/logger v0.0.0-20190315122211-86e12af44bc2/go.mod h1:QdxcLw541hSGtBnhUc4gaNIXRjiDppFGaDqzbrBd3v8= +github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= +github.com/gobuffalo/mapi v1.0.2/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= +github.com/gobuffalo/packd v0.0.0-20190315124812-a385830c7fc0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= +github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= +github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ= +github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0= +github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be h1:zXHeEEJ231bTf/IXqvCfeaqjLpXsq42ybLoT4ROSR6Y= github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be/go.mod h1:/oj50ZdPq/cUjA02lMZhijk5kR31SEydKyqah1OgBuo= github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e h1:BWhy2j3IXJhjCbC68FptL43tDKIq8FladmaTs3Xs7Z8= 
@@ -339,28 +584,46 @@ github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME= github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godror/godror v0.10.4 h1:44FcfzDPp/PJZzen5Hm59SZQBhgrbR6E1KwCjg6gnJo= github.com/godror/godror v0.10.4/go.mod h1:9MVLtu25FBJBMHkPs0m3Ngf/VmwGcLpM2HS8PlNGw9U= +github.com/godror/godror v0.25.2 h1:KleIMrkPG/ehoutkpjxyBp55yB3SiMbzehJpqnNzemY= +github.com/godror/godror v0.25.2/go.mod h1:JgtdZ1iSaNoioa/B53BVVWji9J9iGPDDj2763T5d1So= github.com/gofrs/flock v0.7.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b h1:3QNh5Xo2pmr2nZXENtnztfpjej8XY8EPmvYxF5SzY9M= github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/uuid v3.3.0+incompatible h1:8K4tyRfvU1CYPgJsveYFQMhpFd/wXNM7iK6rR7UHz84= github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= +github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= +github.com/golang/freetype 
v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= +github.com/golang/geo v0.0.0-20190916061304-5b978397cfec/go.mod h1:QZ0nwyI2jOfgRAoBvP+ab5aRr7c9x7lhGEJrKvBwjWI= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf 
v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= 
@@ -370,21 +633,33 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4= github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA= +github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/gomodule/redigo v1.8.3 h1:HR0kYDX2RJZvAup8CsiJwxB4dTCSC0AaUq6S4SiLwUc= github.com/gomodule/redigo v1.8.3/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9 h1:b4EyQBj8pgtcWOr7YCSxK6NUQzJr0n4hxJ3mc+dtKk4= github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/flatbuffers v1.11.0 h1:O7CEyB8Cb3/DmtxODGtLHcEvpr81Jm5qLg/hsHnxA2A= +github.com/google/flatbuffers v1.11.0/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.4.1/go.mod 
h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -392,12 +667,24 @@ github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0 h1:OggOMm github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M= github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210323184331-8eee2492667d/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= 
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -406,19 +693,33 @@ github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gnostic v0.4.1 h1:DLJCy1n/vrD4HPjOvYcT8aYQXpPIzoRZONaYwyycI+I= github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= +github.com/gophercloud/gophercloud v0.16.0/go.mod h1:wRtmUelyIIv3CSSDI47aUwbs075O6i+LY+pXsKCBsb4= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75 h1:f0n1xnMSmBLzVfsMMvriDyA75NB/oBgILX2GcHXIQzY= github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA= +github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= +github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.2 h1:zoNxOV7WjqXptQOVngLmcSQgXmgk4NMz1HibBchjl/I= github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.1 h1:q7AeDBpnBk8AogcD4DSag/Ukw/KV+YhzLj2bP5HvKCM= github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= 
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.13.0 h1:sBDQoHXrOlfPobnKw69FIKa1wg9qsLLvvQ/Y19WtFgI= github.com/grpc-ecosystem/grpc-gateway v1.13.0/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/h2non/filetype v1.1.1 h1:xvOwnXKAckvtLWsN398qS9QhlxlnVXBjXBydK2/UFB4= github.com/h2non/filetype v1.1.1/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY= +github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE= +github.com/hashicorp/consul/api v1.8.1/go.mod h1:sDjTOq0yUyv5G4h+BqSea7Fn6BU+XbolEz1952UB+mk= +github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/consul/sdk v0.7.0/go.mod h1:fY08Y9z5SvJqevyZNy6WWPXiG3KwBPAvlcdx16zZ0fM= github.com/hashicorp/cronexpr v1.1.0 h1:dnNsWtH0V2ReN7JccYe8m//Bj14+PjJDntR1dz0Cixk= github.com/hashicorp/cronexpr v1.1.0/go.mod h1:P4wA0KBl9C5q2hABiMO7cp6jcIg96CDh1Efb3g1PWA4= github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -428,34 +729,66 @@ github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVo github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-hclog v0.9.2 h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxCsHI= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM= github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= +github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.1/go.mod 
h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE= github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-version v1.0.0 h1:21MVWPKDphxa7ineQQTrCU5brh7OuVVAzGOCnnCPtE8= github.com/hashicorp/go-version v1.0.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E= +github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/nomad/api v0.0.0-20201203164818-6318a8ac7bf8 h1:Yrz9yGVJf5Ce2KS7x8hS/MUTIeBmGEhF8nhzolRpSqY= github.com/hashicorp/nomad/api v0.0.0-20201203164818-6318a8ac7bf8/go.mod h1:vYHP9jMXk4/T2qNUbWlQ1OHCA1hHLil3nvqSmz8mtgc= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/hashicorp/serf v0.9.5/go.mod 
h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk= github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95 h1:S4qyfL2sEm5Budr4KVMyEniCy+PbS55651I/a+Kn/NQ= github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95/go.mod h1:QiyDdbZLaJ/mZP4Zwc9g2QsfaEA4o7XvvgZegSci5/E= +github.com/hetznercloud/hcloud-go v1.24.0/go.mod h1:3YmyK8yaZZ48syie6xpm3dt26rtB6s65AisBHylXYFA= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/influxdata/flux v0.65.1/go.mod h1:J754/zds0vvpfwuq7Gc2wRdVwEodfpCFM7mYlOw2LqY= +github.com/influxdata/influxdb v1.8.4/go.mod h1:JugdFhsvvI8gadxOI6noqNeeBHvWNTbfYGtiAn+2jhI= +github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo= +github.com/influxdata/influxql v1.1.1-0.20200828144457-65d3ef77d385/go.mod h1:gHp9y86a/pxhjJ+zMjNXiQAA197Xk9wLxaz+fGG+kWk= +github.com/influxdata/line-protocol v0.0.0-20180522152040-32c6aa80de5e/go.mod h1:4kt73NQhadE3daL3WhR5EJ/J2ocX0PZzwxQ0gXJ7oFE= +github.com/influxdata/promql/v2 v2.12.0/go.mod h1:fxOPu+DY0bqCTCECchSRtWfc+0X19ybifQhZoQNF5D8= 
+github.com/influxdata/roaring v0.4.13-0.20180809181101-fc520f41fab6/go.mod h1:bSgUQ7q5ZLSO+bKBGqJiCBGAl+9DxyW63zLTujjUlOE= +github.com/influxdata/tdigest v0.0.0-20181121200506-bf2b5ad3c0a9/go.mod h1:Js0mqiSBE6Ffsg94weZZ2c+v/ciT8QRHFOap7EKDrR0= +github.com/influxdata/usage-client v0.0.0-20160829180054-6d3895376368/go.mod h1:Wbbw6tYNvwa5dlB6304Sd+82Z3f7PmVZHVKU637d4po= github.com/jarcoal/httpmock v1.0.4 h1:jp+dy/+nonJE4g4xbVtl9QdrUNbn6/3hDT5R4nDIZnA= github.com/jarcoal/httpmock v1.0.4/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik= github.com/jcmturner/gofork v1.0.0 h1:J7uCkflzTEhUZ64xqKnkDxq3kzc96ajM1Gli5ktUem8= @@ -463,6 +796,9 @@ github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/U github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5 h1:lrdPtrORjGv1HbbEvKWDUAy97mPpFm4B8hp77tcCUJY= github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks= github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 h1:rp+c0RAYOWj8l6qbCUTSiRLG/iKnW3K3/QfPPuSsBt4= 
@@ -474,31 +810,49 @@ github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9q github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd h1:KikNiFwUO3QLyeKyN4k9yBH9Pcu/gU/yficWi61cJIw= github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd/go.mod h1:eJTEwMjXb7kZ633hO3Ln9mBUCOjX2+FlTljvpl9SYdE= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0= github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfEUpgAwUN0o= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/jsternberg/zap-logfmt v1.0.0/go.mod h1:uvPs/4X51zdkcm5jXl5SYoN+4RK21K8mysFmDaM/h+o= github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= github.com/jtolds/gls 
v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= +github.com/jwilder/encoding v0.0.0-20170811194829-b4e1701a28ef/go.mod h1:Ct9fl0F6iIOGgxJ5npU/IUOhOhqlVrGjyIZc8/MagT0= +github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= +github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA= github.com/karrick/godirwalk v1.15.6 h1:Yf2mmR8TJy+8Fa0SuQVto5SYap6IF7lNVX4Jdl8G1qA= github.com/karrick/godirwalk v1.15.6/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.4.0/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= +github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= github.com/klauspost/compress v1.11.0 h1:wJbzvpYMVGG9iTI9VxpnNZfd4DzMPoCWze3GgSqz8yg= github.com/klauspost/compress v1.11.0/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= +github.com/klauspost/cpuid v0.0.0-20170728055534-ae7887de9fa5/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= +github.com/klauspost/crc32 v0.0.0-20161016154125-cb6bfca970f6/go.mod h1:+ZoRqAPRLkC4NPOvfYeR5KNOrY6TD+/sAC3HXPZgDYg= +github.com/klauspost/pgzip v1.0.2-0.20170402124221-0bf5dcad4ada/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/kolide/osquery-go 
v0.0.0-20200604192029-b019be7063ac h1:TI5z/itepBADxlaodO5U9mmrMHPu8Wb8Jt9Gea6vK4Y= github.com/kolide/osquery-go v0.0.0-20200604192029-b019be7063ac/go.mod h1:rp36fokOKgd/5mOgbvv4fkpdaucQ43mnvb+8BR62Xo8= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8= +github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 h1:T+h1c/A9Gawja4Y9mFVWj2vyii2bbUNDw3kt9VxK2EY= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 
@@ -506,71 +860,123 @@ github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01 h1:EPw7R3OAyxHBCyl0oqh3lUZqS5lu3KSxzzGasE0opXQ= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= +github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4= +github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= github.com/magefile/mage v1.9.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magefile/mage v1.11.0 h1:C/55Ywp9BpgVVclD3lRnSYCwXTYxmSppIgLeDYlNuls= github.com/magefile/mage v1.11.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 
+github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= github.com/mailru/easyjson v0.7.1 h1:mdxE1MF9o53iCb2Ghj1VfWvh7ZOwHpnVG/xwXrV90U8= github.com/mailru/easyjson v0.7.1/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= +github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= github.com/markbates/pkger v0.17.0 h1:RFfyBPufP2V6cddUyyEVSHBpaAnM1WzaMNyqomeT+iY= github.com/markbates/pkger v0.17.0/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI= +github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11 h1:YFh+sjyJTMQSYjKwM4dFKhJPJC/wfo98tPUc17HdoYw= github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11/go.mod h1:Ah2dBMoxZEqk118as2T4u4fjfXarE0pPnMJaArZQZsI= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6 h1:6Su7aK7lXmJ/U79bYtBjLNaha4Fs1Rg9plHpcH+vvnE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-ieproxy v0.0.0-20190610004146-91bb50d98149/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc= github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe h1:YioO2TiJyAHWHyCRQCP8jk5IzTqmsbGc5qQPIhHo6xs= 
github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-runewidth v0.0.3/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-sqlite3 v1.9.0 h1:pDRiWfl+++eC2FEFRy6jXmQlvp4Yh3z1MJKg4UeYM/4= github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= +github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= +github.com/mattn/go-tty v0.0.0-20180907095812-13ff1204f104/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI= github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/miekg/dns v1.1.26/go.mod 
h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= +github.com/miekg/dns v1.1.41 h1:WMszZWJG0XmzbK9FEmzH2TVcqYzFesusSIB41b8KHxY= +github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= github.com/mitchellh/gox v1.0.1 h1:x0jD3dcHk9a9xPSDN6YEL4xL6Qz0dvNYm8yZqui5chI= github.com/mitchellh/gox v1.0.1/go.mod h1:ED6BioOGXMswlXa2zxfh/xdd5QhwYliBFn9V18Ap4z4= github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51 h1:qdHlMllk/PTLUrX3XdtXDrLL1lPSfcqUmJD1eYfbapg= github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ= github.com/mitchellh/iochan v1.0.0 h1:C+X3KsSTLFVBr/tK1eYN/vs4rJcvsiLU338UhYPJWeY= github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.3.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.3.3 
h1:SzB1nHZ2Xi+17FP0zVQBHIZqvwRN9408fJO8h+eeNA8= github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag= +github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/mschoch/smat v0.0.0-20160514031455-90eadee771ae/go.mod h1:qAyveg+e4CE+eKJXWVjKXM4ck2QobLqTDytGJbLLhJg= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate 
v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg= +github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU= +github.com/nats-io/nats-server/v2 v2.1.2/go.mod h1:Afk+wRZqkMQs/p45uXdrVLuab3gwv3Z8C4HTBu8GD/k= +github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzEE/Zbp4w= +github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= +github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= +github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= +github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= +github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.5.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.11.0 
h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw= github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= @@ -579,10 +985,13 @@ github.com/onsi/gomega v1.2.0/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483 h1:eFd3FsB01m/zNg/yBMYdm/XqiqCztcN9SVRPtGtzDHo= github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 h1:yN8BPXVwMBAm3Cuvh1L5XE8XpvYRMdsVLd82ILprhUU= github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= 
@@ -592,6 +1001,17 @@ github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rm github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= +github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis= +github.com/opentracing-contrib/go-stdlib v1.0.0/go.mod h1:qtI1ogk+2JhVPIXVc6q+NHziSmy2W5GbdQZFUHADCBU= +github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74= +github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/opentracing/opentracing-go v1.0.3-0.20180606204148-bd9c31933947/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= +github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxSfWAKL3wpBW7V8scJMt8N8gnaMCS9E/cA= +github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= +github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= +github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= github.com/otiai10/copy v1.2.0 h1:HvG945u96iNadPoG2/Ja2+AUJeW5YuFQMixq9yirC+k= github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= 
@@ -601,8 +1021,19 @@ github.com/otiai10/mint v1.3.1 h1:BCmzIS3n71sGfHB5NMNDB3lHYPz8fWSkCAErHed//qc= github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2 h1:CXwSGu/LYmbjEab5aMCs5usQRVBGThelUKBNnoSOuso= github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOThbttwfYRNFOWLLVXMhk5Lkio4GGOtw5UrxS0= +github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM= +github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/paulbellamy/ratecounter v0.2.0/go.mod h1:Hfx1hDpSGoqxkVVpBi/IlYD7kChlfo5C6hzIHwPqfFE= +github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo= +github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= +github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/peterh/liner v1.0.1-0.20180619022028-8c1271fcf47f/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc= +github.com/philhofer/fwd v1.0.0/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU= +github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= +github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI= github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0 
h1:i5VIxp6QB8oWZ8IkK8zrDgeT6ORGIUeiN+61iETwJbI= 
@@ -613,39 +1044,79 @@ github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA= +github.com/pkg/term v0.0.0-20180730021639-bffc007b7fd5/go.mod h1:eCbImbZ95eXtAUIbLAuAVnBnwf83mjf6QIVH8SHYwqQ= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= +github.com/prometheus/alertmanager v0.21.0/go.mod h1:h7tJ81NA0VLWvWEayi1QltevFkLF3KxmC/malTcT8Go= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc h1:6B8wpniGN4FtqzqWhe2OBOGkeZFbhwZpCh+V/pv/oik= github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc/go.mod h1:ikMPikHu8SMvBGWoKulvvOOZN227amf2E9eMYqyAwAY= +github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og= +github.com/prometheus/client_golang v1.6.0/go.mod h1:ZLOG9ck3JLRdB5MgO8f+lLTe83AXG6ro35rLTxvnIl4= +github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= 
+github.com/prometheus/client_golang v1.10.0 h1:/o0BDeWzLWXNZ+4q5gXltUvaMpJqckTa+jTNoB+z4cg= +github.com/prometheus/client_golang v1.10.0/go.mod h1:WJM3cc3yu7XKBKa/I8WeZm+V3eltZnBwfENSU7mdogU= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 h1:gQz4mCbXsO+nc9n1hCxHcGA3Zx3Eo+UHZoInFGUIXNM= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= +github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= github.com/prometheus/common v0.7.0 h1:L+1lyG48J1zAQXA3RBX/nG/B3gjlHq0zTt2tlbJLyCY= github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA= +github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= +github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= +github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= +github.com/prometheus/common v0.18.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= +github.com/prometheus/common v0.20.0 
h1:pfeDeUdQcIxOMutNjCejsEFp7qeP+/iltHSSmLpE+hU= +github.com/prometheus/common v0.20.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= +github.com/prometheus/exporter-toolkit v0.5.1/go.mod h1:OCkM4805mmisBhLmVFw858QYi3v0wKdY6/UxrT0pZVg= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= +github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= github.com/prometheus/procfs v0.0.11 h1:DhHlBtkHWPYi8O2y31JkK0TF+DGM+51OopZjH/Ia5qI= github.com/prometheus/procfs v0.0.11/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= +github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= +github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4= +github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= +github.com/prometheus/prometheus v1.8.2-0.20210518124745-6eeded0fdf76 h1:vRfDo7efjlYnfHzotZZfnuhL8vojzf3ZXhah/a89NDo= +github.com/prometheus/prometheus v1.8.2-0.20210518124745-6eeded0fdf76/go.mod h1:sf7j/iAbhZahjeC0s3wwMmp5dksrJ/Za1UKdR+j6Hmw= github.com/prometheus/prometheus v2.5.0+incompatible h1:7QPitgO2kOFG8ecuRn9O/4L9+10He72rVRJvMXrE9Hg= github.com/prometheus/prometheus v2.5.0+incompatible/go.mod h1:oAIUtOny2rjMX0OWN5vPR5/q/twIROJvdqnQKDdil/s= +github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= 
github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/retailnext/hllpp v1.0.1-0.20180308014038-101a6d2f8b52/go.mod h1:RDpi1RftBQPUCDRw6SmxeaREsAaRKnOclghuzp/WRzc= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e h1:hUGyBE/4CXRPThr4b6kt+f1CN90no4Fs5CNrYOKYSIg= github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e/go.mod h1:Sb6li54lXV0yYEjI4wX8cucdQ9gqUJV3+Ngg3l9g30I= github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54 h1:jbchLJWyhKcmOjkbC4zDvT/n5EEd7g6hnnF760rEyRA= github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54/go.mod h1:Vrkh1pnjV9Bl8c3P9zH0/D4NlOHWP5d4/hF4YTULaec= +github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b 
h1:jUK33OXuZP/l6babJtnLo1qsGvq6G9so9KMflGAm4YA= github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b/go.mod h1:8458kAagoME2+LN5//WxE71ysZ3B7r22fdgb7qVmXSY= github.com/sanathkr/yaml v0.0.0-20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ= @@ -655,6 +1126,10 @@ github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKP github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4= github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/scaleway/scaleway-sdk-go v1.0.0-beta.7.0.20210223165440-c65ae3540d44/go.mod h1:CJJ5VAbozOl0yEw7nHB9+7BXTJbIn6h7W+f6Gau5IP8= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/segmentio/kafka-go v0.1.0/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo= +github.com/segmentio/kafka-go v0.2.0/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= 
@@ -662,15 +1137,25 @@ github.com/shirou/gopsutil v3.20.12+incompatible h1:6VEGkOXP/eP4o2Ilk8cSsX0PhOEf github.com/shirou/gopsutil v3.20.12+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= +github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/shurcooL/vfsgen v0.0.0-20181202132449-6a9ea43bcacd/go.mod h1:TrYk7fJVaAttu97ZZKrO9UbRa8izdowaMIZcxYMbVaw= +github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546/go.mod h1:TrYk7fJVaAttu97ZZKrO9UbRa8izdowaMIZcxYMbVaw= github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I= +github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a h1:pa8hGb/2YqsZKovtsgrwcDH1RZhVbTKCjLp47XpqCDs= github.com/smartystreets/goconvey 
v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI= github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= 
@@ -678,20 +1163,26 @@ github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= +github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= +github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48= 
github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.0/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -701,16 +1192,23 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= +github.com/tinylib/msgp v1.0.2/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b h1:X/8hkb4rQq3+QuOxpJK7gWmAXmZucF0EI1s1BfBLq6U= github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b/go.mod h1:jAqhj/JBVC1PwcLTWd6rjQyGyItxxrhpiBl8LSuAGmw= github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786 h1:B/IVHYiI0d04dudYw+CvCAGqSMq8d0yWy56eD6p85BQ= github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786/go.mod h1:RIkfovP3Y7my19aXEjjbNd9E5TlHozzAyt7B8AaEcwg= +github.com/uber/jaeger-client-go v2.25.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk= +github.com/uber/jaeger-lib v2.4.0+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U= github.com/ugorji/go v1.1.8 h1:/D9x7IRpfMHDlizVOgxrag5Fh+/NY+LtI8bsr+AswRA= github.com/ugorji/go v1.1.8/go.mod h1:0lNM99SwWUIRhCXnigEMClngXBk/EmpTXa7mgiewYWA= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= github.com/ugorji/go/codec v1.1.8 h1:4dryPvxMP9OtkjIbuNeK2nb27M38XMHLGlfNSNph/5s= github.com/ugorji/go/codec v1.1.8/go.mod h1:X00B19HDtwvKbQY2DcYjvZxKQp8mzrJoQ6EgoIY/D2E= github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.20.0/go.mod 
h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urso/diag v0.0.0-20200210123136-21b3cc8eb797 h1:OHNw/6pXODJAB32NujjdQO/KIYQ3KAbHQfCzH81XdCs= github.com/urso/diag v0.0.0-20200210123136-21b3cc8eb797/go.mod h1:pNWFTeQ+V1OYT/TzWpnWb6eQBdoXpdx+H+lrH97/Oyo= github.com/urso/go-bin v0.0.0-20180220135811-781c575c9f0e h1:NiofbjIUI5gR+ybDsGSVH1fWyjSeDYiYVJHT1+kcsak= @@ -722,10 +1220,13 @@ github.com/urso/qcgen v0.0.0-20180131103024-0b059e7db4f4/go.mod h1:RspW+E2Yb7Fs7 github.com/urso/sderr v0.0.0-20200210124243-c2a16f3d43ec h1:HkZIDJrMKZHPsYhmH2XjTTSk1pbMCFfpxSnyzZUFm+k= github.com/urso/sderr v0.0.0-20200210124243-c2a16f3d43ec/go.mod h1:Wp40HwmjM59FkDIVFfcCb9LzBbnc0XAMp8++hJuWvSU= github.com/vbatts/tar-split v0.11.1/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g= +github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41 h1:NeNpIvfvaFOh0BH7nMEljE5Rk/VJlxhm58M41SeOD20= github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/willf/bitset v1.1.3/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c h1:u40Z8hqBAAQyv+vATcGgV0YCnDjqSL7/q/JyPhhJSPk= github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= +github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= github.com/xdg/stringprep v1.0.0 h1:d9X0esnoa3dFsV0FG35rAT0RIhYFlPq7MiP+DW89La0= github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 
@@ -733,6 +1234,9 @@ github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= github.com/xeipuuv/gojsonschema v0.0.0-20181112162635-ac52e6811b56/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xlab/treeprint v0.0.0-20180616005107-d6fb6747feb6/go.mod h1:ce1O1j6UtZfjr22oyGxGLbauSBp2YVXpARAosm7dHBg= +github.com/xlab/treeprint v1.0.0/go.mod h1:IoImgRak9i3zJyuxOKUP1v4UZd1tMoKkq/Cimt1uhCg= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7 h1:0gYLpmzecnaDCoeWxSfEJ7J1b6B/67+NV++4HKQXx+Y= github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7/go.mod h1:aEV29XrmTYFr3CiRxZeGHpkvbwq+prZduBqMaascyCU= 
@@ -750,41 +1254,86 @@ go.elastic.co/fastjson v1.1.0 h1:3MrGBWWVIxe/xvsbpghtkFoPciPhOCmjsR/HfwEeQR4= go.elastic.co/fastjson v1.1.0/go.mod h1:boNGISWMjQsUPy/t6yqt2/1Wx4YNPSe+mZjlyw9vKKI= go.elastic.co/go-licence-detector v0.4.0 h1:it5dP+6LPxLsosdhtbAqk/zJQxzS0QSSpdNkKVuwKMs= go.elastic.co/go-licence-detector v0.4.0/go.mod h1:fSJQU8au4SAgDK+UQFbgUPsXKYNBDv4E/dwWevrMpXU= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg= go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= +go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= +go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= +go.mongodb.org/mongo-driver v1.3.0/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE= +go.mongodb.org/mongo-driver v1.3.4/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE= +go.mongodb.org/mongo-driver v1.4.3/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= +go.mongodb.org/mongo-driver v1.4.4/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= +go.mongodb.org/mongo-driver v1.4.6/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= +go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= +go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2 h1:75k/FF0Q2YM8QYo07VPddOLBslDt1MZOdEslOHvmzAs= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 
+go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= +go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= +go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.0.0 h1:qsup4IcBdlmsnGfqyLl4Ntn3C2XCCuKAE7DwHpScyUo= go.uber.org/goleak v1.0.0/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= +go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0 h1:sFPn2GLc3poCkfrpIXGhBD2X0CMIo4Q/zSULXrj/+uc= go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= +go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= go.uber.org/zap v1.14.0 h1:/pduUoebOeeJzTDFuoMgC6nRkiasr1sBCIEorly7m4o= go.uber.org/zap v1.14.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod 
h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e h1:gsTQYXdTw2Gq7RBsWvlQ91b+aEQ6bXFUngBGuR8sPpI= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= +golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20191227195350-da58074b4299 h1:zQpM52jfKHG6II1ISZY1ZcpygvuSFZpLwfluuF89XOg= golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= +golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= 
+golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -797,20 +1346,34 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367 h1:0IiAsCRByjO2QjX7ZPkw5oU9x+n1YqRL802rjC0c3Aw= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 h1:2M3HP5CCK1Si9FQhwnzYhXdG6DXeebvUHFpre8QvbyI= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.1 h1:Kvvh58BN8Y9/lBi7hTekvtMpm07eUZ0ck5pRHpsMWrY= +golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -818,17 +1381,40 @@ golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191021144547-ec77196f6094/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod 
h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200904194848-62affa334b73/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 h1:qWPm9rbaAMKs8Bq/9LRpbMqxWRVUAQwMI9fVrssnTfw= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210324051636-2c4c8ecb7826 h1:lNRDRnwZWawoPHDS50ebYHTOHjctRMLSrUSQFcAHiW4= +golang.org/x/net 
v0.0.0-20210324051636-2c4c8ecb7826/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -836,67 +1422,132 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558 h1:D7nTwh4J0i+5mW4Zjzn5omvlr6YBcWywE6KOcatyNxY= +golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190412183630-56d357773e84/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync 
v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180810173357-98c5dad5d1a0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180815093151-14742f9018cd/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190529164535-6a60838ec259/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys 
v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191025021431-6c3a3bfe00ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191220142924-d4481acd189f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200107162124-548cf772de50/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210314195730-07df6a141424/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5 h1:i6eZZ+zk0SOf0xgBpEpPD18qWcJda6q1sxt3S0kzyUQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba h1:O8mE0/t419eoIwhTFpKVkHiTs/Igowgfkj25AcZrtiE= +golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0 
h1:6txNFSnY+tteYoO+hf01EpdYcYZiurdC9MDIrcUzEu4= golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -904,12 +1555,36 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo= +gonum.org/v1/gonum v0.0.0-20181121035319-3f7ecaa7e8ca/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo= +gonum.org/v1/gonum v0.6.0/go.mod h1:9mxDZsDKxgMAuccQkewq682L+0eCu4dCN2yonUJTCLU= +gonum.org/v1/netlib v0.0.0-20181029234149-ec6d1f5cefe6/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/plot v0.0.0-20190515093506-e2840ee46a6b/go.mod h1:Wt8AAjI+ypCyYX3nZBvf6cAIx93T+c/OS2HFAYskSZc= +google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.15.0 h1:yzlyyDW/J0w8yNFJIhiAJy4kq74S+1DOLdawELNxFMA= google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 
+google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= +google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= +google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= +google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= +google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= +google.golang.org/api v0.42.0 h1:uqATLkpxiBrhrvFoebXUjvyzE9nQf+pVyy0Z0IHE+fc= +google.golang.org/api v0.42.0/go.mod h1:+Oj4s6ch2SEGtPjGqfUfZonBH0GjQH89gTeKKAEGZKI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -917,30 +1592,80 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190530194941-fb225487d101/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= +google.golang.org/genproto v0.0.0-20190716160619-c506a9f90610/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod 
h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200108215221-bd8f9a0ef82f/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= +google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto 
v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= +google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb h1:hcskBH5qZCOa7WpTUFUFvoebnSFZBYpjykLtjIp9DVk= google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210312152112-fc591d9ea70f h1:YRBxgxUW6GFi+AKsn8WGA9k1SZohK+gGuEqdeT5aoNQ= +google.golang.org/genproto v0.0.0-20210312152112-fc591d9ea70f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/grpc v1.17.0/go.mod 
h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= google.golang.org/grpc v1.29.1 h1:EC2SB8S04d2r73uptxphDSUG+kTKVgjRPF+N3xpxRB4= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= +google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= +google.golang.org/grpc v1.35.0/go.mod 
h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.0 h1:o1bcQ6imQMIOpdrO3SWf2z5RV72WbDwdXuK0MDlc8As= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -958,11 +1683,15 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U= gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/fsnotify/fsnotify.v1 v1.4.7/go.mod h1:Fyux9zXlo4rWoMSIzpn9fDAYjalPqJ/K1qJ27s+7ltE= +gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= 
@@ -978,51 +1707,86 @@ gopkg.in/jcmturner/rpc.v1 v1.1.0 h1:QHIUxTX1ISuAv9dD2wJ9HWQVuWDX/Zc0PfeC2tjc4rU= gopkg.in/jcmturner/rpc.v1 v1.1.0/go.mod h1:YIdkC4XfD6GXbzje11McwsDuOlZQSb9W4vfLvuNnlv8= gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528 h1:/saqWwm73dLmuzbNhe92F0QsZ/KiFND+esHco2v1hiY= gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 
v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/gotestsum v0.6.0 h1:0zIxynXq9gkAcRpboAi3qOQIkZkCt/stfQzd7ab7Czs= gotest.tools/gotestsum v0.6.0/go.mod h1:LEX+ioCVdeWhZc8GYfiBRag360eBhwixWJ62R9eDQtI= +gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= +honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8= +honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= howett.net/plist v0.0.0-20181124034731-591f970eefbb 
h1:jhnBjNi9UFpfpl8YZhA9CrOqpnJdvzuiHsl/dnxl11M= howett.net/plist v0.0.0-20181124034731-591f970eefbb/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0= k8s.io/api v0.19.4 h1:I+1I4cgJYuCDgiLNjKx7SLmIbwgj9w7N7Zr5vSIdwpo= k8s.io/api v0.19.4/go.mod h1:SbtJ2aHCItirzdJ36YslycFNzWADYH3tgOhvBEFtZAk= +k8s.io/api v0.20.5 h1:zsMTffV0Le2EiI0aKvlTHEnXGxk1HiqGRhJcCPiI7JI= +k8s.io/api v0.20.5/go.mod h1:FQjAceXnVaWDeov2YUWhOb6Yt+5UjErkp6UO3nczO1Y= k8s.io/apimachinery v0.19.4 h1:+ZoddM7nbzrDCp0T3SWnyxqf8cbWPT2fkZImoyvHUG0= k8s.io/apimachinery v0.19.4/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= +k8s.io/apimachinery v0.20.5 h1:wO/FxMVRn223rAKxnBbwCyuN96bS9MFTIvP0e/V7cps= +k8s.io/apimachinery v0.20.5/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/client-go v0.19.4 h1:85D3mDNoLF+xqpyE9Dh/OtrJDyJrSRKkHmDXIbEzer8= k8s.io/client-go v0.19.4/go.mod h1:ZrEy7+wj9PjH5VMBCuu/BDlvtUAku0oVFk4MmnW9mWA= +k8s.io/client-go v0.20.5 h1:dJGtYUvFrFGjQ+GjXEIby0gZWdlAOc0xJBJqY3VyDxA= +k8s.io/client-go v0.20.5/go.mod h1:Ee5OOMMYvlH8FCZhDsacjMlCBwetbGZETwo1OA+e6Zw= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.8.0 h1:Q3gmuM9hKEjefWFFYF0Mat+YyFJvsUyYuwyNNJ5C9Ts= +k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6 h1:+WnxoVtG8TMiudHBSEtrVL1egv36TkkJm+bA8AxicmQ= k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= +k8s.io/kube-openapi 
v0.0.0-20201113171705-d219536bb9fd h1:sOHNzJIkytDF6qadMNKhhDRpc6ODik8lVC6nOur7B2c= +k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= k8s.io/utils v0.0.0-20200729134348-d5654de09c73 h1:uJmqzgNWG7XyClnU/mLPBWwfKKF1K8Hf8whTseBgJcg= k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20201110183641-67b214c5f920 h1:CbnUZsM497iRC5QMVkHwyl8s2tB3g7yaSHkYPkpgelw= +k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= +rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= +rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/structured-merge-diff/v4 v4.0.1 h1:YXTMot5Qz/X1iBRJhAt+vI+HVttY0WkSqqhKxQ0xVbA= sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.0.2 h1:YHQV7Dajm86OuqnIR6zAelnDWBRjo+YhYV9PmGrh1s8= +sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= +sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU= diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index bd277f8f0cf..85377236927 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc 
@@ -45740,10 +45740,50 @@ Openmetrics module +*`openmetrics.help`*:: ++ +-- +Brief description of the MetricFamily + + +type: keyword + +-- + +*`openmetrics.type`*:: ++ +-- +metric type + + +type: keyword + +-- + +*`openmetrics.unit`*:: ++ +-- +metric unit + + +type: keyword + +-- + +*`openmetrics.created`*:: ++ +-- +metric creation time in seconds + + +type: keyword + +-- + *`openmetrics.labels.*`*:: + -- -Prometheus metric labels +Openmetrics metric labels type: object @@ -45753,7 +45793,27 @@ type: object *`openmetrics.metrics.*`*:: + -- -Prometheus metric +Openmetrics metric + + +type: object + +-- + +*`openmetrics.exemplar.*`*:: ++ +-- +Openmetrics exemplars + + +type: object + +-- + +*`openmetrics.exemplar.labels.*`*:: ++ +-- +Openmetrics metric labels type: object diff --git a/metricbeat/docs/modules/linux/memory.asciidoc b/metricbeat/docs/modules/linux/memory.asciidoc index 9ea3d482e57..67459f35909 100644 --- a/metricbeat/docs/modules/linux/memory.asciidoc +++ b/metricbeat/docs/modules/linux/memory.asciidoc @@ -9,7 +9,6 @@ beta[] include::../../../module/linux/memory/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/docs/modules/openmetrics/collector.asciidoc b/metricbeat/docs/modules/openmetrics/collector.asciidoc index 06000e77291..2b184916aa9 100644 --- a/metricbeat/docs/modules/openmetrics/collector.asciidoc +++ b/metricbeat/docs/modules/openmetrics/collector.asciidoc @@ -9,6 +9,7 @@ beta[] include::../../../module/openmetrics/collector/_meta/docs.asciidoc[] +This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/helper/openmetrics/label.go b/metricbeat/helper/openmetrics/label.go new file mode 100644 index 00000000000..0f0a69054dd --- /dev/null +++ b/metricbeat/helper/openmetrics/label.go 
@@ -0,0 +1,59 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package openmetrics
+
+// LabelMap defines the mapping from OpenMetrics label to a Metricbeat field
+type LabelMap interface {
+ // GetField returns the resulting field name
+ GetField() string
+
+ // IsKey returns true if the label is a key label
+ IsKey() bool
+}
+
+// Label maps a OpenMetrics label to a Metricbeat field
+func Label(field string) LabelMap {
+ return &commonLabel{
+ field: field,
+ key: false,
+ }
+}
+
+// KeyLabel maps a OpenMetrics label to a Metricbeat field. The label is flagged as key.
+// Metrics with the same tuple of key labels will be grouped in the same event.
+func KeyLabel(field string) LabelMap {
+ return &commonLabel{
+ field: field,
+ key: true,
+ }
+}
+
+type commonLabel struct {
+ field string
+ key bool
+}
+
+// GetField returns the resulting field name
+func (l *commonLabel) GetField() string {
+ return l.field
+}
+
+// IsKey returns true if the label is a key label
+func (l *commonLabel) IsKey() bool {
+ return l.key
+}
diff --git a/metricbeat/helper/openmetrics/metric.go b/metricbeat/helper/openmetrics/metric.go
new file mode 100644
index 00000000000..f21a6ee16ab
--- /dev/null
+++ b/metricbeat/helper/openmetrics/metric.go 
@@ -0,0 +1,495 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package openmetrics
+
+import (
+ "fmt"
+ "math"
+ "strconv"
+ "strings"
+ "time"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+)
+
+// MetricMap defines the mapping from Openmetrics metric to a Metricbeat field
+type MetricMap interface {
+ // GetOptions returns the list of metric options
+ GetOptions() []MetricOption
+
+ // GetField returns the resulting field name
+ GetField() string
+
+ // GetValue returns the resulting value
+ GetValue(m *OpenMetric) interface{}
+ GetNilValue() interface{}
+
+ // GetConfiguration returns the configuration for the metric
+ GetConfiguration() Configuration
+}
+
+// Configuration for mappings that needs extended treatment
+type Configuration struct {
+ // StoreNonMappedLables indicates if labels found at the metric that are
+ // not found at the label map should be part of the resulting event.
+ // This setting should be used when the label name is not known beforehand
+ StoreNonMappedLabels bool
+ // NonMappedLabelsPlacement is used when StoreNonMappedLabels is set to true, and
+ // defines the key path at the event under which to store the dynamically found labels.
+ // This key path will be added to the events that match this metric along with a subset of
+ // key/value pairs will be created under it, one for each non mapped label found.
+ //
+ // Example:
+ //
+ // given a metric family in a Openmetrics resource in the form:
+ // metric1{label1="value1",label2="value2"} 1
+ // and not mapping labels but using this entry on a the MetriMap definition:
+ // "metric1": ExtendedInfoMetric(Configuration{StoreNonMappedLabels: true, NonMappedLabelsPlacement: "mypath"}),
+ // would output an event that contains a metricset field as follows
+ // "mypath": {"label1":"value1","label2":"value2"}
+ //
+ NonMappedLabelsPlacement string
+ // MetricProcessing options are a set of functions that will be
+ // applied to metrics after they are retrieved
+ MetricProcessingOptions []MetricOption
+ // ExtraFields is used to add fields to the
+ // event where this metric is included
+ ExtraFields common.MapStr
+}
+
+// MetricOption adds settings to Metric objects behavior
+type MetricOption interface {
+ // Process a tuple of field, value and labels from a metric, return the same tuple updated
+ Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr)
+}
+
+// OpFilterMap only processes metrics matching the given filter
+func OpFilterMap(label string, filterMap map[string]string) MetricOption {
+ return opFilterMap{
+ label: label,
+ filterMap: filterMap,
+ }
+}
+
+// OpLowercaseValue lowercases the value if it's a string
+func OpLowercaseValue() MetricOption {
+ return opLowercaseValue{}
+}
+
+// OpUnixTimestampValue parses a value into a Unix timestamp
+func OpUnixTimestampValue() MetricOption {
+ return opUnixTimestampValue{}
+}
+
+// OpMultiplyBuckets multiplies bucket labels in histograms, useful to change units
+func OpMultiplyBuckets(multiplier float64) MetricOption {
+ return opMultiplyBuckets{
+ multiplier: multiplier,
+ }
+}
+
+// OpSetSuffix extends the field's name with the given suffix if the value of the metric
+// is numeric (and not histogram or quantile), otherwise does nothing
+func OpSetNumericMetricSuffix(suffix string) MetricOption {
+ return opSetNumericMetricSuffix{
+ suffix: suffix,
+ }
+}
+
+// Metric directly maps a Openmetrics metric to a Metricbeat field
+func Metric(field string, options ...MetricOption) MetricMap {
+ return &commonMetric{
+ field: field,
+ config: Configuration{MetricProcessingOptions: options},
+ }
+}
+
+// KeywordMetric maps a Openmetrics metric to a Metricbeat field, stores the
+// given keyword when source metric value is 1
+func KeywordMetric(field, keyword string, options ...MetricOption) MetricMap {
+ return &keywordMetric{
+ commonMetric{
+ field: field,
+ config: Configuration{MetricProcessingOptions: options},
+ },
+ keyword,
+ }
+}
+
+// BooleanMetric maps a Openmetrics metric to a Metricbeat field of bool type
+func BooleanMetric(field string, options ...MetricOption) MetricMap {
+ return &booleanMetric{
+ commonMetric{
+ field: field,
+ config: Configuration{MetricProcessingOptions: options},
+ },
+ }
+}
+
+// LabelMetric maps a Openmetrics metric to a Metricbeat field, stores the value
+// of a given label on it if the gauge value is 1
+func LabelMetric(field, label string, options ...MetricOption) MetricMap {
+ return &labelMetric{
+ commonMetric{
+ field: field,
+ config: Configuration{MetricProcessingOptions: options},
+ },
+ label,
+ }
+}
+
+// InfoMetric obtains info labels from the given metric and puts them
+// into events matching all the key labels present in the metric
+func InfoMetric(options ...MetricOption) MetricMap {
+ return &infoMetric{
+ commonMetric{
+ config: Configuration{MetricProcessingOptions: options},
+ },
+ }
+}
+
+// ExtendedInfoMetric obtains info labels from the given metric and puts them
+// into events matching all the key labels present in the metric
+func ExtendedInfoMetric(configuration Configuration) MetricMap {
+ return &infoMetric{
+ commonMetric{
+ config: configuration,
+ },
+ }
+}
+
+// ExtendedMetric is a metric item that allows extended behaviour
+// through configuration
+func ExtendedMetric(field string, configuration Configuration) MetricMap {
+ return &commonMetric{
+ field: field,
+ config: configuration,
+ }
+}
+
+type commonMetric struct {
+ field string
+ config Configuration
+}
+
+// GetOptions returns the list of metric options
+func (m *commonMetric) GetOptions() []MetricOption {
+ return m.config.MetricProcessingOptions
+}
+
+// GetField returns the resulting field name
+func (m *commonMetric) GetField() string {
+ return m.field
+}
+
+// GetConfiguration returns the configuration for the metric
+func (m *commonMetric) GetConfiguration() Configuration {
+ return m.config
+}
+func (m *commonMetric) GetNilValue() interface{} {
+ return nil
+}
+
+// GetValue returns the resulting value
+func (m *commonMetric) GetValue(metric *OpenMetric) interface{} {
+ info := metric.GetInfo()
+ if info != nil {
+ if info.HasValidValue() {
+ return info.GetValue()
+ }
+ }
+
+ stateset := metric.GetStateset()
+ if stateset != nil {
+ if stateset.HasValidValue() {
+ return stateset.GetValue()
+ }
+ }
+
+ unknown := metric.GetUnknown()
+ if unknown != nil {
+ if !math.IsNaN(unknown.GetValue()) && !math.IsInf(unknown.GetValue(), 0) {
+ return int64(unknown.GetValue())
+ }
+ }
+
+ counter := metric.GetCounter()
+ if counter != nil {
+ if !math.IsNaN(counter.GetValue()) && !math.IsInf(counter.GetValue(), 0) {
+ return int64(counter.GetValue())
+ }
+ }
+
+ gauge := metric.GetGauge()
+ if gauge != nil {
+ if !math.IsNaN(gauge.GetValue()) && !math.IsInf(gauge.GetValue(), 0) {
+ return gauge.GetValue()
+ }
+ }
+
+ summary := metric.GetSummary()
+ if summary != nil {
+ value := common.MapStr{}
+ if !math.IsNaN(summary.GetSampleSum()) && !math.IsInf(summary.GetSampleSum(), 0) {
+ value["sum"] = summary.GetSampleSum()
+ value["count"] = summary.GetSampleCount()
+ }
+
+ quantiles := summary.GetQuantile()
+ percentileMap := common.MapStr{}
+ for _, quantile := range quantiles {
+ if !math.IsNaN(quantile.GetValue()) && !math.IsInf(quantile.GetValue(), 0) {
+ key := strconv.FormatFloat(100*quantile.GetQuantile(), 'f', -1, 64)
+ percentileMap[key] = quantile.GetValue()
+ }
+ }
+
+ if len(percentileMap) != 0 {
+ value["percentile"] = percentileMap
+ }
+
+ return value
+ }
+
+ histogram := metric.GetHistogram()
+ if histogram != nil {
+ value := common.MapStr{}
+ if !math.IsNaN(histogram.GetSampleSum()) && !math.IsInf(histogram.GetSampleSum(), 0) {
+ value["sum"] = histogram.GetSampleSum()
+ value["count"] = histogram.GetSampleCount()
+ }
+
+ buckets := histogram.GetBucket()
+ bucketMap := common.MapStr{}
+ for _, bucket := range buckets {
+ if bucket.GetCumulativeCount() != uint64(math.NaN()) && bucket.GetCumulativeCount() != uint64(math.Inf(0)) {
+ key := strconv.FormatFloat(bucket.GetUpperBound(), 'f', -1, 64)
+ bucketMap[key] = bucket.GetCumulativeCount()
+ }
+ }
+
+ if len(bucketMap) != 0 {
+ value["bucket"] = bucketMap
+ }
+
+ return value
+ }
+
+ gaugehistogram := metric.GetGaugeHistogram()
+ if gaugehistogram != nil {
+ value := common.MapStr{}
+ if !math.IsNaN(gaugehistogram.GetSampleSum()) && !math.IsInf(gaugehistogram.GetSampleSum(), 0) {
+ value["gsum"] = gaugehistogram.GetSampleSum()
+ value["gcount"] = gaugehistogram.GetSampleCount()
+ }
+
+ buckets := gaugehistogram.GetBucket()
+ bucketMap := common.MapStr{}
+ for _, bucket := range buckets {
+ if bucket.GetCumulativeCount() != uint64(math.NaN()) && bucket.GetCumulativeCount() != uint64(math.Inf(0)) {
+ key := strconv.FormatFloat(bucket.GetUpperBound(), 'f', -1, 64)
+ bucketMap[key] = bucket.GetCumulativeCount()
+ }
+ }
+
+ if len(bucketMap) != 0 {
+ value["bucket"] = bucketMap
+ }
+
+ return value
+ }
+
+ // Other types are not supported here
+ return nil
+}
+
+type keywordMetric struct {
+ commonMetric
+ keyword string
+}
+
+// GetValue returns the resulting value
+func (m *keywordMetric) GetValue(metric *OpenMetric) interface{} {
+ if gauge := metric.GetGauge(); gauge != nil && gauge.GetValue() == 1 {
+ return m.keyword
+ }
+ return nil
+}
+
+type booleanMetric struct {
+ commonMetric
+}
+
+// GetValue returns the resulting value
+func (m *booleanMetric) GetValue(metric *OpenMetric) interface{} {
+ if gauge := metric.GetGauge(); gauge != nil {
+ return gauge.GetValue() == 1
+ }
+ return nil
+}
+
+type labelMetric struct {
+ commonMetric
+ label string
+}
+
+// GetValue returns the resulting value
+func (m *labelMetric) GetValue(metric *OpenMetric) interface{} {
+ if gauge := metric.GetGauge(); gauge != nil && gauge.GetValue() == 1 {
+ return getLabel(metric, m.label)
+ }
+ return nil
+}
+
+func getLabel(metric *OpenMetric, name string) string {
+ for _, label := range metric.GetLabel() {
+ if label.Name == name {
+ return label.Value
+ }
+ }
+ return ""
+}
+
+type infoMetric struct {
+ commonMetric
+}
+
+// GetValue returns the resulting value
+func (m *infoMetric) GetValue(metric *OpenMetric) interface{} {
+ return ""
+}
+
+// GetField returns the resulting field name
+func (m *infoMetric) GetField() string {
+ return ""
+}
+
+type opFilterMap struct {
+ label string
+ filterMap map[string]string
+}
+
+// Called by the Openmetrics helper to apply extra options on retrieved metrics
+// Check whether the value of the specified label is allowed and, if yes, return the metric via the specified mapped field
+// Else, if the specified label does not match the filter, return nil
+// This is useful in cases where multiple Metricbeat fields need to be defined per Openmetrics metric, based on label values
+func (o opFilterMap) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
+ for k, v := range o.filterMap {
+ if labels[o.label] == k {
+ return fmt.Sprintf("%v.%v", field, v), value, labels
+ }
+ }
+ return "", nil, nil
+}
+
+type opLowercaseValue struct{}
+
+// Process will lowercase the given value if it's a string
+func (o opLowercaseValue) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
+ if val, ok := value.(string); ok {
+ value = strings.ToLower(val)
+ }
+ return field, value, labels
+}
+
+type opMultiplyBuckets struct {
+ multiplier float64
+}
+
+// Process will multiply the bucket labels if it is an histogram with numeric labels
+func (o opMultiplyBuckets) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
+ histogram, ok := value.(common.MapStr)
+ if !ok {
+ return field, value, labels
+ }
+ bucket, ok := histogram["bucket"].(common.MapStr)
+ if !ok {
+ return field, value, labels
+ }
+ sum, ok := histogram["sum"].(float64)
+ if !ok {
+ return field, value, labels
+ }
+ multiplied := common.MapStr{}
+ for k, v := range bucket {
+ if f, err := strconv.ParseFloat(k, 64); err == nil {
+ key := strconv.FormatFloat(f*o.multiplier, 'f', -1, 64)
+ multiplied[key] = v
+ } else {
+ multiplied[k] = v
+ }
+ }
+ histogram["bucket"] = multiplied
+ histogram["sum"] = sum * o.multiplier
+ return field, histogram, labels
+}
+
+type opSetNumericMetricSuffix struct {
+ suffix string
+}
+
+// Process will extend the field's name with the given suffix
+func (o opSetNumericMetricSuffix) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
+ _, ok := value.(float64)
+ if !ok {
+ return field, value, labels
+ }
+ field = fmt.Sprintf("%v.%v", field, o.suffix)
+ return field, value, labels
+}
+
+type opUnixTimestampValue struct {
+}
+
+// Process converts a value in seconds into an unix time
+func (o opUnixTimestampValue) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
+ return field, common.Time(time.Unix(int64(value.(float64)), 0)), labels
+}
+
+// OpLabelKeyPrefixRemover removes prefix from label keys
+func OpLabelKeyPrefixRemover(prefix string) MetricOption {
+ return opLabelKeyPrefixRemover{prefix}
+}
+
+// opLabelKeyPrefixRemover is a metric option processor that removes a prefix from the key of a label set
+type opLabelKeyPrefixRemover struct {
+ Prefix string
+}
+
+// Process modifies the labels map, removing a prefix when found at keys of the labels set.
+// For each label, if the key is found a new key will be created hosting the same value and the
+// old key will be deleted.
+// Fields, values and not prefixed labels will remain unmodified.
+func (o opLabelKeyPrefixRemover) Process(field string, value interface{}, labels common.MapStr) (string, interface{}, common.MapStr) {
+ renameKeys := []string{}
+ for k := range labels {
+ if len(k) < len(o.Prefix) {
+ continue
+ }
+ if k[:6] == o.Prefix {
+ renameKeys = append(renameKeys, k)
+ }
+ }
+
+ for i := range renameKeys {
+ v := labels[renameKeys[i]]
+ delete(labels, renameKeys[i])
+ labels[renameKeys[i][len(o.Prefix):]] = v
+ }
+ return "", value, labels
+}
diff --git a/metricbeat/helper/openmetrics/module.go b/metricbeat/helper/openmetrics/module.go
new file mode 100644
index 00000000000..fac374ee1b4
--- /dev/null
+++ b/metricbeat/helper/openmetrics/module.go
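Review bot: `opLabelKeyPrefixRemover.Process` near the end of the hunk matches keys with `k[:6] == o.Prefix`, so only a prefix of exactly six characters can ever be stripped; any other prefix length silently renames nothing, and since `strings` is already imported the two conditions collapse to `if strings.HasPrefix(k, o.Prefix) { renameKeys = append(renameKeys, k) }`. The same method returns `""` as the field where every other option returns `field`, which reads as an accidental drop of the field name unless the caller ignores that return value (not visible here); either `return field, value, labels` or a comment explaining why the field is discarded. `opUnixTimestampValue.Process` does an unchecked `value.(float64)`, which panics on the `int64` that `commonMetric.GetValue` produces for counters and unknowns and on the `common.MapStr` produced for summaries and histograms; as the value originates from a scraped endpoint, a checked assertion that falls through, `f, ok := value.(float64); if !ok { return field, value, labels }`, keeps a misbehaving exporter from crashing the metricset. In the histogram and gauge-histogram branches of `commonMetric.GetValue`, `bucket.GetCumulativeCount() != uint64(math.NaN())` compares against an implementation-dependent float-to-uint64 conversion and filters nothing meaningful; the count is an integer, so the guard can be dropped or applied to `GetUpperBound()` instead.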
@@ -0,0 +1,61 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package openmetrics
+
+import (
+ "github.com/elastic/beats/v7/metricbeat/mb"
+ "github.com/elastic/beats/v7/metricbeat/mb/parse"
+)
+
+const (
+ defaultScheme = "http"
+ defaultPath = "/metrics"
+)
+
+var (
+ // HostParser validates OpenMetrics URLs
+ HostParser = parse.URLHostParserBuilder{
+ DefaultScheme: defaultScheme,
+ DefaultPath: defaultPath,
+ }.Build()
+)
+
+// MetricSetBuilder returns a builder function for a new OpenMetrics metricset using the given mapping
+func MetricSetBuilder(mapping *MetricsMapping) func(base mb.BaseMetricSet) (mb.MetricSet, error) {
+ return func(base mb.BaseMetricSet) (mb.MetricSet, error) {
+ openmetrics, err := NewOpenMetricsClient(base)
+ if err != nil {
+ return nil, err
+ }
+ return &openmetricsMetricSet{
+ BaseMetricSet: base,
+ openmetrics: openmetrics,
+ mapping: mapping,
+ }, nil
+ }
+}
+
+type openmetricsMetricSet struct {
+ mb.BaseMetricSet
+ openmetrics OpenMetrics
+ mapping *MetricsMapping
+}
+
+func (m *openmetricsMetricSet) Fetch(r mb.ReporterV2) error {
+ return m.openmetrics.ReportProcessedMetrics(m.mapping, r)
+}
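Review bot: `openmetricsMetricSet` and its `Fetch` method at the end of the hunk have no doc comment, while the exported neighbours `HostParser` and `MetricSetBuilder` do. Suggest `// openmetricsMetricSet is the mb.MetricSet built by MetricSetBuilder; it keeps the OpenMetrics client and the mapping applied on every Fetch.` on the type and `// Fetch reports the metrics described by m.mapping through r by delegating to the client's ReportProcessedMetrics.` on the method. The `HostParser` comment says it "validates" URLs, but the only behaviour visible here is the two defaults passed to the builder; presumably it also fills in a missing scheme and path, and the comment would be more accurate saying so (e.g. `// HostParser parses configured hosts as URLs, defaulting to http and /metrics when scheme or path is absent.`), to be confirmed against parse.URLHostParserBuilder.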
diff --git a/metricbeat/helper/openmetrics/openmetrics.go b/metricbeat/helper/openmetrics/openmetrics.go new file mode 100644 index 00000000000..d473b1d6c2e --- /dev/null +++ b/metricbeat/helper/openmetrics/openmetrics.go 
@@ -0,0 +1,1020 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package openmetrics + +import ( + "compress/gzip" + "fmt" + "io" + "io/ioutil" + "math" + "mime" + "net/http" + "regexp" + "strconv" + "strings" + "time" + + "github.com/prometheus/common/model" + + "github.com/prometheus/prometheus/pkg/exemplar" + "github.com/prometheus/prometheus/pkg/labels" + "github.com/prometheus/prometheus/pkg/textparse" + "github.com/prometheus/prometheus/pkg/timestamp" + + "github.com/pkg/errors" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/metricbeat/helper" + "github.com/elastic/beats/v7/metricbeat/mb" +) + +const acceptHeader = `application/openmetrics-text; version=0.0.1,text/plain;version=0.0.4;q=0.5,*/*;q=0.1` + +var errNameLabelMandatory = fmt.Errorf("missing metric name (%s label)", labels.MetricName) + +type Gauge struct { + Value *float64 +} + +func (m *Gauge) GetValue() float64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} + +type Info struct { + Value *int64 +} + +func (m *Info) GetValue() int64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} +func (m *Info) HasValidValue() bool { + return m 
!= nil && *m.Value == 1 +} + +type Stateset struct { + Value *int64 +} + +func (m *Stateset) GetValue() int64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} +func (m *Stateset) HasValidValue() bool { + return m != nil && (*m.Value == 0 || *m.Value == 1) +} + +type Counter struct { + Value *float64 +} + +func (m *Counter) GetValue() float64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} + +type Quantile struct { + Quantile *float64 + Value *float64 + Exemplar *exemplar.Exemplar +} + +func (m *Quantile) GetQuantile() float64 { + if m != nil && m.Quantile != nil { + return *m.Quantile + } + return 0 +} + +func (m *Quantile) GetValue() float64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} + +type Summary struct { + SampleCount *uint64 + SampleSum *float64 + Quantile []*Quantile +} + +func (m *Summary) GetSampleCount() uint64 { + if m != nil && m.SampleCount != nil { + return *m.SampleCount + } + return 0 +} + +func (m *Summary) GetSampleSum() float64 { + if m != nil && m.SampleSum != nil { + return *m.SampleSum + } + return 0 +} + +func (m *Summary) GetQuantile() []*Quantile { + if m != nil { + return m.Quantile + } + return nil +} + +type Unknown struct { + Value *float64 +} + +func (m *Unknown) GetValue() float64 { + if m != nil && m.Value != nil { + return *m.Value + } + return 0 +} + +type Bucket struct { + CumulativeCount *uint64 + UpperBound *float64 + Exemplar *exemplar.Exemplar +} + +func (m *Bucket) GetCumulativeCount() uint64 { + if m != nil && m.CumulativeCount != nil { + return *m.CumulativeCount + } + return 0 +} + +func (m *Bucket) GetUpperBound() float64 { + if m != nil && m.UpperBound != nil { + return *m.UpperBound + } + return 0 +} + +type Histogram struct { + SampleCount *uint64 + SampleSum *float64 + Bucket []*Bucket + IsGaugeHistogram bool +} + +func (m *Histogram) GetSampleCount() uint64 { + if m != nil && m.SampleCount != nil { + return *m.SampleCount + } + return 0 +} + 
+func (m *Histogram) GetSampleSum() float64 { + if m != nil && m.SampleSum != nil { + return *m.SampleSum + } + return 0 +} + +func (m *Histogram) GetBucket() []*Bucket { + if m != nil { + return m.Bucket + } + return nil +} + +type OpenMetric struct { + Label []*labels.Label + Exemplar *exemplar.Exemplar + Name *string + Gauge *Gauge + Counter *Counter + Info *Info + Stateset *Stateset + Summary *Summary + Unknown *Unknown + Histogram *Histogram + CreatedMs *int64 + TimestampMs *int64 +} + +func (m *OpenMetric) GetName() *string { + if m != nil { + return m.Name + } + return nil +} + +func (m *OpenMetric) GetLabel() []*labels.Label { + if m != nil { + return m.Label + } + return nil +} + +func (m *OpenMetric) GetGauge() *Gauge { + if m != nil { + return m.Gauge + } + return nil +} + +func (m *OpenMetric) GetCounter() *Counter { + if m != nil { + return m.Counter + } + return nil +} + +func (m *OpenMetric) GetInfo() *Info { + if m != nil { + return m.Info + } + return nil +} + +func (m *OpenMetric) GetStateset() *Stateset { + if m != nil { + return m.Stateset + } + return nil +} + +func (m *OpenMetric) GetSummary() *Summary { + if m != nil { + return m.Summary + } + return nil +} + +func (m *OpenMetric) GetUnknown() *Unknown { + if m != nil { + return m.Unknown + } + return nil +} + +func (m *OpenMetric) GetHistogram() *Histogram { + if m != nil && m.Histogram != nil && !m.Histogram.IsGaugeHistogram { + return m.Histogram + } + return nil +} + +func (m *OpenMetric) GetGaugeHistogram() *Histogram { + if m != nil && m.Histogram != nil && m.Histogram.IsGaugeHistogram { + return m.Histogram + } + return nil +} + +func (m *OpenMetric) GetTimestampMs() int64 { + if m != nil && m.TimestampMs != nil { + return *m.TimestampMs + } + return 0 +} + +type OpenMetricFamily struct { + Name *string + Help *string + Type textparse.MetricType + Unit *string + Metric []*OpenMetric +} + +func (m *OpenMetricFamily) GetName() string { + if m != nil && m.Name != nil { + return *m.Name + 
} + return "" +} +func (m *OpenMetricFamily) GetUnit() string { + if m != nil && *m.Unit != "" { + return *m.Unit + } + return "" +} + +func (m *OpenMetricFamily) GetMetric() []*OpenMetric { + if m != nil { + return m.Metric + } + return nil +} + +// OpenMetrics helper retrieves openmetrics formatted metrics +// This interface needs to use TextParse +type OpenMetrics interface { + // GetFamilies requests metric families from openmetrics endpoint and returns them + GetFamilies() ([]*OpenMetricFamily, error) + + GetProcessedMetrics(mapping *MetricsMapping) ([]common.MapStr, error) + + ProcessMetrics(families []*OpenMetricFamily, mapping *MetricsMapping) ([]common.MapStr, error) + + ReportProcessedMetrics(mapping *MetricsMapping, r mb.ReporterV2) error +} + +type openmetrics struct { + httpfetcher + logger *logp.Logger +} + +type httpfetcher interface { + FetchResponse() (*http.Response, error) +} + +// NewOpenMetricsClient creates new openmetrics helper +func NewOpenMetricsClient(base mb.BaseMetricSet) (OpenMetrics, error) { + httpclient, err := helper.NewHTTP(base) + if err != nil { + return nil, err + } + + httpclient.SetHeaderDefault("Accept", acceptHeader) + httpclient.SetHeaderDefault("Accept-Encoding", "gzip") + return &openmetrics{httpclient, base.Logger()}, nil +} + +// GetFamilies requests metric families from openmetrics endpoint and returns them +func (p *openmetrics) GetFamilies() ([]*OpenMetricFamily, error) { + var reader io.Reader + + resp, err := p.FetchResponse() + if err != nil { + return nil, err + } + defer resp.Body.Close() + + if resp.Header.Get("Content-Encoding") == "gzip" { + greader, err := gzip.NewReader(resp.Body) + if err != nil { + return nil, err + } + defer greader.Close() + reader = greader + } else { + reader = resp.Body + } + + if resp.StatusCode > 399 { + bodyBytes, err := ioutil.ReadAll(reader) + if err == nil { + p.logger.Debug("error received from openmetrics endpoint: ", string(bodyBytes)) + } + return nil, 
fmt.Errorf("unexpected status code %d from server", resp.StatusCode) + } + + contentType := getContentType(resp.Header) + if contentType == "" { + return nil, fmt.Errorf("Invalid format for response of response") + } + + appendTime := time.Now().Round(0) + b, err := ioutil.ReadAll(reader) + families, err := parseMetricFamilies(b, contentType, appendTime) + + return families, nil +} + +const ( + suffixInfo = "_info" + //suffixCreated = "_created" + suffixTotal = "_total" + suffixGCount = "_gcount" + suffixGSum = "_gsum" + suffixCount = "_count" + suffixSum = "_sum" + suffixBucket = "_bucket" +) + +func isInfo(name string) bool { + return len(name) > 5 && name[len(name)-5:] == suffixInfo +} + +//func isCreated(name string) bool { +// return len(name) > 8 && name[len(name)-8:] == suffixCreated +//} + +// Counters have _total suffix +func isTotal(name string) bool { + return len(name) > 6 && name[len(name)-6:] == suffixTotal +} + +func isGCount(name string) bool { + return len(name) > 7 && name[len(name)-7:] == suffixGCount +} + +func isGSum(name string) bool { + return len(name) > 5 && name[len(name)-5:] == suffixGSum +} + +func isCount(name string) bool { + return len(name) > 6 && name[len(name)-6:] == suffixCount +} + +func isSum(name string) bool { + return len(name) > 4 && name[len(name)-4:] == suffixSum +} + +func isBucket(name string) bool { + return len(name) > 7 && name[len(name)-7:] == suffixBucket +} + +func summaryMetricName(name string, s float64, qv string, lbls string, t *int64, summariesByName map[string]map[string]*OpenMetric) (string, *OpenMetric) { + var summary = &Summary{} + var quantile = []*Quantile{} + var quant = &Quantile{} + //var created = isCreated(name) + + switch { + case isCount(name): + u := uint64(s) + summary.SampleCount = &u + name = name[:len(name)-6] + case isSum(name): + summary.SampleSum = &s + name = name[:len(name)-4] + //case created: + // name = name[:len(name)-8] + default: + f, err := strconv.ParseFloat(qv, 64) + if err != 
nil { + f = -1 + } + quant.Quantile = &f + quant.Value = &s + } + + _, k := summariesByName[name] + if !k { + summariesByName[name] = make(map[string]*OpenMetric) + } + metric, ok := summariesByName[name][lbls] + if !ok { + metric = &OpenMetric{} + metric.Name = &name + metric.Summary = summary + metric.Summary.Quantile = quantile + summariesByName[name][lbls] = metric + } + if metric.Summary.SampleSum == nil && summary.SampleSum != nil { + metric.Summary.SampleSum = summary.SampleSum + } else if metric.Summary.SampleCount == nil && summary.SampleCount != nil { + metric.Summary.SampleCount = summary.SampleCount + } else if quant.Quantile != nil { + metric.Summary.Quantile = append(metric.Summary.Quantile, quant) + } + + //if created { + // metric.CreatedMs = t + //} + + return name, metric +} + +func histogramMetricName(name string, s float64, qv string, lbls string, t *int64, isGaugeHistogram bool, e *exemplar.Exemplar, histogramsByName map[string]map[string]*OpenMetric) (string, *OpenMetric) { + var histogram = &Histogram{} + var bucket = []*Bucket{} + var bkt = &Bucket{} + //var created = isCreated(name) + + switch { + case isCount(name): + u := uint64(s) + histogram.SampleCount = &u + name = name[:len(name)-6] + case isSum(name): + histogram.SampleSum = &s + name = name[:len(name)-4] + case isGaugeHistogram && isGCount(name): + u := uint64(s) + histogram.SampleCount = &u + name = name[:len(name)-7] + case isGaugeHistogram && isGSum(name): + histogram.SampleSum = &s + name = name[:len(name)-5] + //case created: + // name = name[:len(name)-8] + default: + if isBucket(name) { + name = name[:len(name)-7] + } + f, err := strconv.ParseFloat(qv, 64) + if err != nil { + f = math.MaxUint64 + } + cnt := uint64(s) + bkt.UpperBound = &f + bkt.CumulativeCount = &cnt + + if e != nil { + if !e.HasTs { + e.Ts = *t + } + bkt.Exemplar = e + } + } + + _, k := histogramsByName[name] + if !k { + histogramsByName[name] = make(map[string]*OpenMetric) + } + metric, ok := 
histogramsByName[name][lbls] + if !ok { + metric = &OpenMetric{} + metric.Name = &name + metric.Histogram = histogram + metric.Histogram.Bucket = bucket + histogramsByName[name][lbls] = metric + } + if metric.Histogram.SampleSum == nil && histogram.SampleSum != nil { + metric.Histogram.SampleSum = histogram.SampleSum + } else if metric.Histogram.SampleCount == nil && histogram.SampleCount != nil { + metric.Histogram.SampleCount = histogram.SampleCount + } else if bkt.UpperBound != nil { + metric.Histogram.Bucket = append(metric.Histogram.Bucket, bkt) + } + //if created { + // metric.CreatedMs = t + //} + + return name, metric +} + +func parseMetricFamilies(b []byte, contentType string, ts time.Time) ([]*OpenMetricFamily, error) { + var ( + parser = textparse.New(b, contentType) + defTime = timestamp.FromTime(ts) + metricFamiliesByName = map[string]*OpenMetricFamily{} + summariesByName = map[string]map[string]*OpenMetric{} + histogramsByName = map[string]map[string]*OpenMetric{} + fam *OpenMetricFamily + mt = textparse.MetricTypeUnknown + ) + var err error + +loop: + for { + var ( + et textparse.Entry + ok bool + e exemplar.Exemplar + ) + if et, err = parser.Next(); err != nil { + if err == io.EOF { + err = nil + } + break + } + switch et { + case textparse.EntryType: + b, t := parser.Type() + s := string(b) + fam, ok = metricFamiliesByName[s] + if !ok { + fam = &OpenMetricFamily{Name: &s, Type: t} + metricFamiliesByName[s] = fam + } + mt = t + continue + case textparse.EntryHelp: + b, t := parser.Help() + s := string(b) + h := string(t) + fam, ok = metricFamiliesByName[s] + if !ok { + fam = &OpenMetricFamily{Name: &s, Type: textparse.MetricTypeUnknown} + metricFamiliesByName[s] = fam + } + fam.Help = &h + continue + case textparse.EntryUnit: + b, t := parser.Unit() + s := string(b) + u := string(t) + fam, ok = metricFamiliesByName[s] + if !ok { + fam = &OpenMetricFamily{Name: &s, Unit: &u, Type: textparse.MetricTypeUnknown} + metricFamiliesByName[string(b)] = fam + 
} + fam.Unit = &u + continue + default: + } + + t := defTime + _, tp, v := parser.Series() + + var ( + lset labels.Labels + mets string + ) + + mets = parser.Metric(&lset) + + if !lset.Has(labels.MetricName) { + err = errNameLabelMandatory + break loop + } + + var lbls strings.Builder + lbls.Grow(len(mets)) + var labelPairs = []*labels.Label{} + for _, l := range lset.Copy() { + if l.Name == labels.MetricName { + continue + } + + if l.Name != model.QuantileLabel && l.Name != labels.BucketLabel { // quantile and le are special labels handled below + + lbls.WriteString(l.Name) + lbls.WriteString(l.Value) + } + n := l.Name + v := l.Value + + labelPairs = append(labelPairs, &labels.Label{ + Name: n, + Value: v, + }) + } + + var metric *OpenMetric + + metricName := lset.Get(labels.MetricName) + var lookupMetricName string + var exm *exemplar.Exemplar + + switch mt { + case textparse.MetricTypeCounter: + var counter = &Counter{Value: &v} + mn := lset.Get(labels.MetricName) + metric = &OpenMetric{Name: &mn, Counter: counter, Label: labelPairs} + //if isCreated(metricName) { + // metric.CreatedMs = &t + //} + lookupMetricName = metricName + break + case textparse.MetricTypeGauge: + var gauge = &Gauge{Value: &v} + metric = &OpenMetric{Name: &metricName, Gauge: gauge, Label: labelPairs} + lookupMetricName = metricName + break + case textparse.MetricTypeInfo: + value := int64(v) + var info = &Info{Value: &value} + metric = &OpenMetric{Name: &metricName, Info: info, Label: labelPairs} + lookupMetricName = metricName + break + case textparse.MetricTypeSummary: + lookupMetricName, metric = summaryMetricName(metricName, v, lset.Get(model.QuantileLabel), lbls.String(), &t, summariesByName) + metric.Label = labelPairs + if !isSum(metricName) { + continue + } + metricName = lookupMetricName + break + case textparse.MetricTypeHistogram: + if hasExemplar := parser.Exemplar(&e); hasExemplar { + exm = &e + } + lookupMetricName, metric = histogramMetricName(metricName, v, 
lset.Get(labels.BucketLabel), lbls.String(), &t, false, exm, histogramsByName) + metric.Label = labelPairs + if !isSum(metricName) { + continue + } + metricName = lookupMetricName + break + case textparse.MetricTypeGaugeHistogram: + if hasExemplar := parser.Exemplar(&e); hasExemplar { + exm = &e + } + lookupMetricName, metric = histogramMetricName(metricName, v, lset.Get(labels.BucketLabel), lbls.String(), &t, true, exm, histogramsByName) + metric.Label = labelPairs + metric.Histogram.IsGaugeHistogram = true + if !isGSum(metricName) { + continue + } + metricName = lookupMetricName + break + case textparse.MetricTypeStateset: + value := int64(v) + var stateset = &Stateset{Value: &value} + metric = &OpenMetric{Name: &metricName, Stateset: stateset, Label: labelPairs} + lookupMetricName = metricName + break + case textparse.MetricTypeUnknown: + var unknown = &Unknown{Value: &v} + metric = &OpenMetric{Name: &metricName, Unknown: unknown, Label: labelPairs} + lookupMetricName = metricName + break + default: + lookupMetricName = metricName + } + + fam, ok = metricFamiliesByName[lookupMetricName] + if !ok { + fam = &OpenMetricFamily{Type: mt} + metricFamiliesByName[lookupMetricName] = fam + } + + fam.Name = &metricName + + if hasExemplar := parser.Exemplar(&e); hasExemplar && mt != textparse.MetricTypeHistogram { + if !e.HasTs { + e.Ts = t + } + metric.Exemplar = &e + } + + if tp != nil { + t = *tp + metric.TimestampMs = &t + } + + fam.Metric = append(fam.Metric, metric) + } + + families := make([]*OpenMetricFamily, 0, len(metricFamiliesByName)) + for _, v := range metricFamiliesByName { + if v.Metric != nil { + families = append(families, v) + } + } + return families, nil +} + +// MetricsMapping defines mapping settings for OpenMetrics metrics, to be used with `GetProcessedMetrics` +type MetricsMapping struct { + // Metrics translates from openmetrics metric name to Metricbeat fields + Metrics map[string]MetricMap + + // Namespace for metrics managed by this mapping + 
Namespace string + + // Labels translate from openmetrics label names to Metricbeat fields + Labels map[string]LabelMap + + // ExtraFields adds the given fields to all events coming from `GetProcessedMetrics` + ExtraFields map[string]string +} + +func (p *openmetrics) ProcessMetrics(families []*OpenMetricFamily, mapping *MetricsMapping) ([]common.MapStr, error) { + + eventsMap := map[string]common.MapStr{} + infoMetrics := []*infoMetricData{} + for _, family := range families { + for _, metric := range family.GetMetric() { + m, ok := mapping.Metrics[family.GetName()] + if m == nil || !ok { + // Ignore unknown metrics + continue + } + + field := m.GetField() + value := m.GetValue(metric) + + // Ignore retrieval errors (bad conf) + if value == nil { + continue + } + + storeAllLabels := false + labelsLocation := "" + var extraFields common.MapStr + if m != nil { + c := m.GetConfiguration() + storeAllLabels = c.StoreNonMappedLabels + labelsLocation = c.NonMappedLabelsPlacement + extraFields = c.ExtraFields + } + + // Apply extra options + allLabels := getLabels(metric) + for _, option := range m.GetOptions() { + field, value, allLabels = option.Process(field, value, allLabels) + } + + // Convert labels + labels := common.MapStr{} + keyLabels := common.MapStr{} + for k, v := range allLabels { + if l, ok := mapping.Labels[k]; ok { + if l.IsKey() { + keyLabels.Put(l.GetField(), v) + } else { + labels.Put(l.GetField(), v) + } + } else if storeAllLabels { + // if label for this metric is not found at the label mappings but + // it is configured to store any labels found, make it so + labels.Put(labelsLocation+"."+k, v) + } + } + + // if extra fields have been added through metric configuration + // add them to labels. 
+ // + // not considering these extra fields to be keylabels as that case + // have not appeared yet + for k, v := range extraFields { + labels.Put(k, v) + } + + // Keep a info document if it's an infoMetric + if _, ok = m.(*infoMetric); ok { + labels.DeepUpdate(keyLabels) + infoMetrics = append(infoMetrics, &infoMetricData{ + Labels: keyLabels, + Meta: labels, + }) + continue + } + + if field != "" { + event := getEvent(eventsMap, keyLabels) + update := common.MapStr{} + update.Put(field, value) + // value may be a mapstr (for histograms and summaries), do a deep update to avoid smashing existing fields + event.DeepUpdate(update) + + event.DeepUpdate(labels) + } + } + } + + // populate events array from values in eventsMap + events := make([]common.MapStr, 0, len(eventsMap)) + for _, event := range eventsMap { + // Add extra fields + for k, v := range mapping.ExtraFields { + event[k] = v + } + events = append(events, event) + } + + // fill info from infoMetrics + for _, info := range infoMetrics { + for _, event := range events { + found := true + for k, v := range info.Labels.Flatten() { + value, err := event.GetValue(k) + if err != nil || v != value { + found = false + break + } + } + + // fill info from this metric + if found { + event.DeepUpdate(info.Meta) + } + } + } + + return events, nil +} + +func (p *openmetrics) GetProcessedMetrics(mapping *MetricsMapping) ([]common.MapStr, error) { + families, err := p.GetFamilies() + if err != nil { + return nil, err + } + return p.ProcessMetrics(families, mapping) +} + +// infoMetricData keeps data about an infoMetric +type infoMetricData struct { + Labels common.MapStr + Meta common.MapStr +} + +func (p *openmetrics) ReportProcessedMetrics(mapping *MetricsMapping, r mb.ReporterV2) error { + events, err := p.GetProcessedMetrics(mapping) + if err != nil { + return errors.Wrap(err, "error getting processed metrics") + } + for _, event := range events { + r.Event(mb.Event{ + MetricSetFields: event, + Namespace: 
mapping.Namespace, + }) + } + + return nil +} + +func getEvent(m map[string]common.MapStr, labels common.MapStr) common.MapStr { + hash := labels.String() + res, ok := m[hash] + if !ok { + res = labels + m[hash] = res + } + return res +} + +func getLabels(metric *OpenMetric) common.MapStr { + labels := common.MapStr{} + for _, label := range metric.GetLabel() { + if label.Name != "" && label.Value != "" { + labels.Put(label.Name, label.Value) + } + } + return labels +} + +// CompilePatternList compiles a pattern list and returns the list of the compiled patterns +func CompilePatternList(patterns *[]string) ([]*regexp.Regexp, error) { + var compiledPatterns []*regexp.Regexp + compiledPatterns = []*regexp.Regexp{} + if patterns != nil { + for _, pattern := range *patterns { + r, err := regexp.Compile(pattern) + if err != nil { + return nil, errors.Wrapf(err, "compiling pattern '%s'", pattern) + } + compiledPatterns = append(compiledPatterns, r) + } + return compiledPatterns, nil + } + return []*regexp.Regexp{}, nil +} + +// MatchMetricFamily checks if the given family/metric name matches any of the given patterns +func MatchMetricFamily(family string, matchMetrics []*regexp.Regexp) bool { + for _, checkMetric := range matchMetrics { + matched := checkMetric.MatchString(family) + if matched { + return true + } + } + return false +} + +//type Format string + +const ( + TextVersion = "0.0.4" + OpenMetricsType = `application/openmetrics-text` + + // The Content-Type values for the different wire protocols. 
+ FmtUnknown string = `` + FmtText string = `text/plain; version=` + TextVersion + `; charset=utf-8` +) + +const ( + hdrContentType = "Content-Type" + hdrAccept = "Accept" +) + +func getContentType(h http.Header) string { + ct := h.Get(hdrContentType) + + mediatype, params, err := mime.ParseMediaType(ct) + if err != nil { + return FmtUnknown + } + + const textType = "text/plain" + + switch mediatype { + case OpenMetricsType: + if e, ok := params["encoding"]; ok && e != "delimited" { + return FmtUnknown + } + return OpenMetricsType + + case textType: + if v, ok := params["version"]; ok && v != TextVersion { + return FmtUnknown + } + return FmtText + } + + return FmtUnknown +} diff --git a/metricbeat/helper/openmetrics/openmetrics_test.go b/metricbeat/helper/openmetrics/openmetrics_test.go new file mode 100644 index 00000000000..597556e1635 --- /dev/null +++ b/metricbeat/helper/openmetrics/openmetrics_test.go 
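Review bot: GetFamilies returns `families, nil` right after `b, err := ioutil.ReadAll(reader)` and `families, err := parseMetricFamilies(b, contentType, appendTime)`, and parseMetricFamilies itself ends with `return families, nil` after setting err on a parser failure or errNameLabelMandatory, so a truncated body or a malformed exposition is reported as success with whatever families were collected up to that point. The tail of GetFamilies should be `if err != nil { return nil, err }` after the read followed by `return parseMetricFamilies(b, contentType, appendTime)`, with parseMetricFamilies returning `families, err`; since reader is the gzip-decoded body, reading it through an io.LimitReader with a configurable cap would also keep a misbehaving endpoint from exhausting the collector's memory. Info.HasValidValue, Stateset.HasValidValue and OpenMetricFamily.GetUnit dereference `*m.Value` / `*m.Unit` after checking only `m != nil`, unlike the sibling getters that also check the pointer; GetUnit in particular panics for families created on the EntryType, EntryHelp and series paths, which leave Unit nil. The `switch mt` in parseMetricFamilies keys on the last `# TYPE` line seen, so a sample whose family has no preceding TYPE entry appears to inherit the previous family's type; if that is intended, a comment on the `mt = t` assignment saying so would help the next reader.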
@@ -0,0 +1,1093 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package openmetrics + +import ( + "bytes" + "compress/gzip" + "io/ioutil" + "net/http" + "sort" + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" +) + +const ( + openMetricsTestSamples = `# TYPE first_metric gauge +first_metric{label1="value1",label2="value2",label3="Value3",label4="FOO"} 1 +# TYPE second_metric gauge +second_metric{label1="value1",label3="othervalue"} 0 +# TYPE summary_metric summary +summary_metric{quantile="0.5"} 29735 +summary_metric{quantile="0.9"} 47103 +summary_metric{quantile="0.99"} 50681 +summary_metric_sum 234892394 +summary_metric_count 44000 +# TYPE histogram_metric histogram +histogram_metric_bucket{le="1000"} 1 +histogram_metric_bucket{le="10000"} 1 +histogram_metric_bucket{le="100000"} 1 +histogram_metric_bucket{le="1e+06"} 1 +histogram_metric_bucket{le="1e+08"} 1 +histogram_metric_bucket{le="1e+09"} 1 +histogram_metric_bucket{le="+Inf"} 1 +histogram_metric_sum 117 +histogram_metric_count 1 +# TYPE histogram_decimal_metric histogram 
+histogram_decimal_metric_bucket{le="0.001"} 1 +histogram_decimal_metric_bucket{le="0.01"} 1 +histogram_decimal_metric_bucket{le="0.1"} 2 +histogram_decimal_metric_bucket{le="1"} 3 +histogram_decimal_metric_bucket{le="+Inf"} 5 +histogram_decimal_metric_sum 4.31 +histogram_decimal_metric_count 5 +# TYPE gaugehistogram_metric gaugehistogram +gaugehistogram_metric_bucket{le="0.01"} 20.0 +gaugehistogram_metric_bucket{le="0.1"} 25.0 +gaugehistogram_metric_bucket{le="1"} 34.0 +gaugehistogram_metric_bucket{le="10"} 34.0 +gaugehistogram_metric_bucket{le="+Inf"} 42.0 +gaugehistogram_metric_gcount 42.0 +gaugehistogram_metric_gsum 3289.3 +gaugehistogram_metric_created 1520430000.123 +# TYPE target info +target_info 1 +# TYPE target_with_labels info +target_with_labels_info{env="prod",hostname="myhost"} 1 +` + + promGaugeKeyLabel = `# TYPE metrics_one_count_total gauge +metrics_one_count_total{name="jane",surname="foster"} 1 +metrics_one_count_total{name="john",surname="williams"} 2 +metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 +` + + promGaugeKeyLabelWithNaNInf = `# TYPE metrics_one_count_errors gauge +metrics_one_count_errors{name="jane",surname="foster"} 0 +# TYPE metrics_one_count_total gauge +metrics_one_count_total{name="jane",surname="foster"} NaN +metrics_one_count_total{name="foo",surname="bar"} +Inf +metrics_one_count_total{name="john",surname="williams"} -Inf +metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 +` + + promCounterKeyLabel = `# TYPE metrics_one_count_total counter +metrics_one_count_total{name="jane",surname="foster"} 1 +metrics_one_count_total{name="john",surname="williams"} 2 +metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 +` + + promCounterKeyLabelWithNaNInf = `# TYPE metrics_one_count_errors counter +metrics_one_count_errors{name="jane",surname="foster"} 1 +# TYPE metrics_one_count_total counter +metrics_one_count_total{name="jane",surname="foster"} NaN 
+metrics_one_count_total{name="john",surname="williams"} +Inf +metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 + +` + + promHistogramKeyLabel = `# TYPE metrics_one_midichlorians histogram +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="2000"} 52 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="4000"} 70 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="8000"} 78 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="16000"} 84 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="32000"} 86 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="+Inf"} 86 +metrics_one_midichlorians_sum{rank="youngling",alive="yes"} 1000001 +metrics_one_midichlorians_count{rank="youngling",alive="yes"} 86 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="2000"} 16 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="4000"} 20 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="8000"} 23 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="16000"} 27 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="32000"} 27 +metrics_one_midichlorians_bucket{rank="padawan",alive="yes",le="+Inf"} 28 +metrics_one_midichlorians_sum{rank="padawan",alive="yes"} 800001 +metrics_one_midichlorians_count{rank="padawan",alive="yes"} 28 +` + + promHistogramKeyLabelWithNaNInf = `# TYPE metrics_one_midichlorians histogram +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="2000"} NaN +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="4000"} +Inf +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="8000"} -Inf +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="16000"} 84 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="32000"} 86 +metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="+Inf"} 86 
+metrics_one_midichlorians_sum{rank="youngling",alive="yes"} 1000001 +metrics_one_midichlorians_count{rank="youngling",alive="yes"} 86 +` + + promSummaryKeyLabel = `# TYPE metrics_force_propagation_ms summary +metrics_force_propagation_ms{kind="jedi",quantile="0"} 35 +metrics_force_propagation_ms{kind="jedi",quantile="0.25"} 22 +metrics_force_propagation_ms{kind="jedi",quantile="0.5"} 7 +metrics_force_propagation_ms{kind="jedi",quantile="0.75"} 20 +metrics_force_propagation_ms{kind="jedi",quantile="1"} 30 +metrics_force_propagation_ms_sum{kind="jedi"} 89 +metrics_force_propagation_ms_count{kind="jedi"} 651 +metrics_force_propagation_ms{kind="sith",quantile="0"} 30 +metrics_force_propagation_ms{kind="sith",quantile="0.25"} 20 +metrics_force_propagation_ms{kind="sith",quantile="0.5"} 12 +metrics_force_propagation_ms{kind="sith",quantile="0.75"} 21 +metrics_force_propagation_ms{kind="sith",quantile="1"} 29 +metrics_force_propagation_ms_sum{kind="sith"} 112 +metrics_force_propagation_ms_count{kind="sith"} 711 +` + + promSummaryKeyLabelWithNaNInf = `# TYPE metrics_force_propagation_ms summary +metrics_force_propagation_ms{kind="jedi",quantile="0"} NaN +metrics_force_propagation_ms{kind="jedi",quantile="0.25"} +Inf +metrics_force_propagation_ms{kind="jedi",quantile="0.5"} -Inf +metrics_force_propagation_ms{kind="jedi",quantile="0.75"} 20 +metrics_force_propagation_ms{kind="jedi",quantile="1"} 30 +metrics_force_propagation_ms_sum{kind="jedi"} 50 +metrics_force_propagation_ms_count{kind="jedi"} 651 +` + + promGaugeLabeled = `# TYPE metrics_that_inform_labels gauge +metrics_that_inform_labels{label1="I am 1",label2="I am 2"} 1 +metrics_that_inform_labels{label1="I am 1",label3="I am 3"} 1 +# TYPE metrics_that_use_labels gauge +metrics_that_use_labels{label1="I am 1"} 20 +` + promStateset = `# TYPE enable_category stateset +enable_category{category="shoes"} 0 +enable_category{category="collectibles"} 1 +` +) + +type mockFetcher struct { + response string +} + +var _ = 
httpfetcher(&mockFetcher{}) + +// FetchResponse returns an HTTP response but for the Body, which +// returns the mockFetcher.Response contents +func (m mockFetcher) FetchResponse() (*http.Response, error) { + body := bytes.NewBuffer(nil) + writer := gzip.NewWriter(body) + writer.Write([]byte(m.response)) + writer.Close() + + return &http.Response{ + StatusCode: 200, + Header: http.Header{ + "Content-Encoding": []string{"gzip"}, + "Content-Type": []string{"application/openmetrics-text"}, + }, + Body: ioutil.NopCloser(body), + }, nil +} + +func TestOpenMetrics(t *testing.T) { + + p := &openmetrics{mockFetcher{response: openMetricsTestSamples}, logp.NewLogger("test")} + + tests := []struct { + mapping *MetricsMapping + msg string + expected []common.MapStr + }{ + { + msg: "Simple field map", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": Metric("first.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": 1.0, + }, + }, + }, + }, + { + msg: "Simple field map with labels", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": Metric("first.metric"), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + "label2": Label("labels.label2"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": 1.0, + }, + "labels": common.MapStr{ + "label1": "value1", + "label2": "value2", + }, + }, + }, + }, + { + msg: "Several metrics", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": Metric("first.metric"), + "second_metric": Metric("second.metric"), + }, + Labels: map[string]LabelMap{ + "label3": KeyLabel("labels.label3"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": 1.0, + }, + "labels": common.MapStr{ + "label3": "Value3", + }, + }, + common.MapStr{ + "second": common.MapStr{ + "metric": 0.0, + }, + "labels": common.MapStr{ + "label3": 
"othervalue", + }, + }, + }, + }, + { + msg: "Grouping by key labels", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": Metric("first.metric"), + "second_metric": Metric("second.metric"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("labels.label1"), + "label2": Label("labels.label2"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": 1.0, + }, + "second": common.MapStr{ + "metric": 0.0, + }, + "labels": common.MapStr{ + "label1": "value1", + "label2": "value2", + }, + }, + }, + }, + { + msg: "Keyword metrics", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": KeywordMetric("first.metric", "works"), + "second_metric": KeywordMetric("second.metric", "itsnot"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": "works", + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Boolean metrics", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": BooleanMetric("first.metric"), + "second_metric": BooleanMetric("second.metric"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": true, + }, + "second": common.MapStr{ + "metric": false, + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label3"), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": "Value3", + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics, lowercase", + mapping: &MetricsMapping{ + Metrics: 
map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label4", OpLowercaseValue()), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": "foo", + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics, filter", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label4", OpFilterMap( + "label1", + map[string]string{"value1": "foo"}, + )), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "first": common.MapStr{ + "metric": common.MapStr{ + "foo": "FOO", + }, + }, + "labels": common.MapStr{ + "label1": "value1", + }, + }, + }, + }, + { + msg: "Label metrics, filter", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "first_metric": LabelMetric("first.metric", "label4", OpLowercaseValue(), OpFilterMap( + "foo", + map[string]string{"Filtered": "filtered"}, + )), + }, + Labels: map[string]LabelMap{ + "label1": Label("labels.label1"), + }, + }, + expected: []common.MapStr{}, + }, + { + msg: "Summary metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "summary_metric": Metric("summary.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "summary": common.MapStr{ + "metric": common.MapStr{ + "sum": 234892394.0, + "count": uint64(44000), + "percentile": common.MapStr{ + "50": 29735.0, + "90": 47103.0, + "99": 50681.0, + }, + }, + }, + }, + }, + }, + { + msg: "Histogram metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "histogram_metric": Metric("histogram.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "histogram": common.MapStr{ + "metric": common.MapStr{ + "count": uint64(1), + "bucket": common.MapStr{ + "1000000000": uint64(1), + "+Inf": uint64(1), + "1000": uint64(1), + "10000": 
uint64(1), + "100000": uint64(1), + "1000000": uint64(1), + "100000000": uint64(1), + }, + "sum": 117.0, + }, + }, + }, + }, + }, + { + msg: "Histogram decimal metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "histogram_decimal_metric": Metric("histogram.metric", OpMultiplyBuckets(1000)), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "histogram": common.MapStr{ + "metric": common.MapStr{ + "count": uint64(5), + "bucket": common.MapStr{ + "1": uint64(1), + "10": uint64(1), + "100": uint64(2), + "1000": uint64(3), + "+Inf": uint64(5), + }, + "sum": 4310.0, + }, + }, + }, + }, + }, + { + msg: "Gauge histogram metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "gaugehistogram_metric": Metric("gaugehistogram.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "gaugehistogram": common.MapStr{ + "metric": common.MapStr{ + "gcount": uint64(42), + "bucket": common.MapStr{ + "0.01": uint64(20), + "0.1": uint64(25), + "1": uint64(34), + "10": uint64(34), + "+Inf": uint64(42), + }, + "gsum": 3289.3, + }, + }, + }, + }, + }, + { + msg: "Info metric", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "target_info": Metric("target_info.metric"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "target_info": common.MapStr{ + "metric": int64(1), + }, + }, + }, + }, + { + msg: "Info metric with labels", + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "target_with_labels_info": Metric("target_with_labels_info.metric"), + }, + Labels: map[string]LabelMap{ + "env": Label("labels.env"), + "hostname": Label("labels.hostname"), + }, + }, + expected: []common.MapStr{ + common.MapStr{ + "target_with_labels_info": common.MapStr{ + "metric": int64(1), + }, + "labels": common.MapStr{ + "env": "prod", + "hostname": "myhost", + }, + }, + }, + }, + } + + for _, test := range tests { + t.Run(test.msg, func(t *testing.T) { + reporter := &mbtest.CapturingReporterV2{} + 
p.ReportProcessedMetrics(test.mapping, reporter) + assert.Nil(t, reporter.GetErrors(), test.msg) + // Sort slice to avoid randomness + res := reporter.GetEvents() + sort.Slice(res, func(i, j int) bool { + return res[i].MetricSetFields.String() < res[j].MetricSetFields.String() + }) + assert.Equal(t, len(test.expected), len(res)) + for j, ev := range res { + assert.Equal(t, test.expected[j], ev.MetricSetFields, test.msg) + } + }) + } +} + +func TestOpenMetricsKeyLabels(t *testing.T) { + + testCases := []struct { + testName string + openmetricsResponse string + mapping *MetricsMapping + expectedEvents []common.MapStr + }{ + { + testName: "Test gauge with KeyLabel", + openmetricsResponse: promGaugeKeyLabel, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_count_total": Metric("metrics.one.count"), + }, + Labels: map[string]LabelMap{ + "name": KeyLabel("metrics.one.labels.name"), + "surname": KeyLabel("metrics.one.labels.surname"), + "age": KeyLabel("metrics.one.labels.age"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 1.0, + "labels": common.MapStr{ + "name": "jane", + "surname": "foster", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 2.0, + "labels": common.MapStr{ + "name": "john", + "surname": "williams", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 3.0, + "labels": common.MapStr{ + "name": "jahn", + "surname": "baldwin", + "age": "30", + }, + }, + }, + }, + }, + }, + + { + testName: "Test gauge with KeyLabel With NaN Inf", + openmetricsResponse: promGaugeKeyLabelWithNaNInf, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_count_errors": Metric("metrics.one.count"), + "metrics_one_count_total": Metric("metrics.one.count"), + }, + Labels: map[string]LabelMap{ + "name": KeyLabel("metrics.one.labels.name"), + "surname": 
KeyLabel("metrics.one.labels.surname"), + "age": KeyLabel("metrics.one.labels.age"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 0.0, + "labels": common.MapStr{ + "name": "jane", + "surname": "foster", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": 3.0, + "labels": common.MapStr{ + "name": "jahn", + "surname": "baldwin", + "age": "30", + }, + }, + }, + }, + }, + }, + + { + testName: "Test counter with KeyLabel", + openmetricsResponse: promCounterKeyLabel, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_count_total": Metric("metrics.one.count"), + }, + Labels: map[string]LabelMap{ + "name": KeyLabel("metrics.one.labels.name"), + "surname": KeyLabel("metrics.one.labels.surname"), + "age": KeyLabel("metrics.one.labels.age"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(1), + "labels": common.MapStr{ + "name": "jane", + "surname": "foster", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(2), + "labels": common.MapStr{ + "name": "john", + "surname": "williams", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(3), + "labels": common.MapStr{ + "name": "jahn", + "surname": "baldwin", + "age": "30", + }, + }, + }, + }, + }, + }, + + { + testName: "Test counter with KeyLabel With NaN Inf", + openmetricsResponse: promCounterKeyLabelWithNaNInf, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_count_errors": Metric("metrics.one.count"), + "metrics_one_count_total": Metric("metrics.one.count"), + }, + Labels: map[string]LabelMap{ + "name": KeyLabel("metrics.one.labels.name"), + "surname": KeyLabel("metrics.one.labels.surname"), + "age": KeyLabel("metrics.one.labels.age"), + }, + }, + 
expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(1), + "labels": common.MapStr{ + "name": "jane", + "surname": "foster", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "count": int64(3), + "labels": common.MapStr{ + "name": "jahn", + "surname": "baldwin", + "age": "30", + }, + }, + }, + }, + }, + }, + + { + testName: "Test histogram with KeyLabel", + openmetricsResponse: promHistogramKeyLabel, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_midichlorians": Metric("metrics.one.midichlorians"), + }, + Labels: map[string]LabelMap{ + "rank": KeyLabel("metrics.one.midichlorians.rank"), + "alive": KeyLabel("metrics.one.midichlorians.alive"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "midichlorians": common.MapStr{ + "count": uint64(86), + "sum": 1000001.0, + "bucket": common.MapStr{ + "2000": uint64(52), + "4000": uint64(70), + "8000": uint64(78), + "16000": uint64(84), + "32000": uint64(86), + "+Inf": uint64(86), + }, + + "rank": "youngling", + "alive": "yes", + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "midichlorians": common.MapStr{ + "count": uint64(28), + "sum": 800001.0, + "bucket": common.MapStr{ + "2000": uint64(16), + "4000": uint64(20), + "8000": uint64(23), + "16000": uint64(27), + "32000": uint64(27), + "+Inf": uint64(28), + }, + "rank": "padawan", + "alive": "yes", + }, + }, + }, + }, + }, + }, + + { + testName: "Test histogram with KeyLabel With NaN Inf", + openmetricsResponse: promHistogramKeyLabelWithNaNInf, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_one_midichlorians": Metric("metrics.one.midichlorians"), + }, + Labels: map[string]LabelMap{ + "rank": KeyLabel("metrics.one.midichlorians.rank"), + "alive": KeyLabel("metrics.one.midichlorians.alive"), + }, + }, + 
expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "one": common.MapStr{ + "midichlorians": common.MapStr{ + "count": uint64(86), + "sum": 1000001.0, + "bucket": common.MapStr{ + "16000": uint64(84), + "32000": uint64(86), + "+Inf": uint64(86), + }, + + "rank": "youngling", + "alive": "yes", + }, + }, + }, + }, + }, + }, + + { + testName: "Test summary with KeyLabel", + openmetricsResponse: promSummaryKeyLabel, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_force_propagation_ms": Metric("metrics.force.propagation.ms"), + }, + Labels: map[string]LabelMap{ + "kind": KeyLabel("metrics.force.propagation.ms.labels.kind"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "force": common.MapStr{ + "propagation": common.MapStr{ + "ms": common.MapStr{ + "count": uint64(651), + "sum": 89.0, + "percentile": common.MapStr{ + "0": 35.0, + "25": 22.0, + "50": 7.0, + "75": 20.0, + "100": 30.0, + }, + "labels": common.MapStr{ + "kind": "jedi", + }, + }, + }, + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "force": common.MapStr{ + "propagation": common.MapStr{ + "ms": common.MapStr{ + "count": uint64(711), + "sum": 112.0, + "percentile": common.MapStr{ + "0": 30.0, + "25": 20.0, + "50": 12.0, + "75": 21.0, + "100": 29.0, + }, + "labels": common.MapStr{ + "kind": "sith", + }, + }, + }, + }, + }, + }, + }, + }, + + { + testName: "Test summary with KeyLabel With NaN Inf", + openmetricsResponse: promSummaryKeyLabelWithNaNInf, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_force_propagation_ms": Metric("metrics.force.propagation.ms"), + }, + Labels: map[string]LabelMap{ + "kind": KeyLabel("metrics.force.propagation.ms.labels.kind"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "force": common.MapStr{ + "propagation": common.MapStr{ + "ms": common.MapStr{ + "count": uint64(651), + "sum": 50.0, + 
"percentile": common.MapStr{ + "75": 20.0, + "100": 30.0, + }, + "labels": common.MapStr{ + "kind": "jedi", + }, + }, + }, + }, + }, + }, + }, + }, + + { + testName: "Test gauge InfoMetrics using ExtendedInfoMetric", + openmetricsResponse: promGaugeLabeled, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_that_inform_labels": ExtendedInfoMetric(Configuration{StoreNonMappedLabels: true, NonMappedLabelsPlacement: "metrics.other_labels"}), + "metrics_that_use_labels": Metric("metrics.value"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("metrics.label1"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "value": 20.0, + "label1": "I am 1", + "other_labels": common.MapStr{ + "label2": "I am 2", + "label3": "I am 3", + }, + }, + }, + }, + }, + { + testName: "Test gauge InfoMetrics using ExtendedInfoMetric and extra fields", + openmetricsResponse: promGaugeLabeled, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "metrics_that_inform_labels": ExtendedInfoMetric(Configuration{ + StoreNonMappedLabels: true, + NonMappedLabelsPlacement: "metrics.other_labels", + ExtraFields: common.MapStr{ + "metrics.extra.field1": "extra1", + "metrics.extra.field2": "extra2", + }}), + "metrics_that_use_labels": Metric("metrics.value"), + }, + Labels: map[string]LabelMap{ + "label1": KeyLabel("metrics.label1"), + }, + }, + expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "value": 20.0, + "label1": "I am 1", + "other_labels": common.MapStr{ + "label2": "I am 2", + "label3": "I am 3", + }, + "extra": common.MapStr{ + "field1": "extra1", + "field2": "extra2", + }, + }, + }, + }, + }, + { + testName: "Stateset metric with labels", + openmetricsResponse: promStateset, + mapping: &MetricsMapping{ + Metrics: map[string]MetricMap{ + "enable_category": Metric("metrics.count"), + }, + Labels: map[string]LabelMap{ + "category": KeyLabel("metrics.labels.category"), + }, + }, + 
expectedEvents: []common.MapStr{ + common.MapStr{ + "metrics": common.MapStr{ + "count": int64(0), + "labels": common.MapStr{ + "category": "shoes", + }, + }, + }, + common.MapStr{ + "metrics": common.MapStr{ + "count": int64(1), + "labels": common.MapStr{ + "category": "collectibles", + }, + }, + }, + }, + }, + } + + for _, tc := range testCases { + r := &mbtest.CapturingReporterV2{} + p := &openmetrics{mockFetcher{response: tc.openmetricsResponse}, logp.NewLogger("test")} + p.ReportProcessedMetrics(tc.mapping, r) + if !assert.Nil(t, r.GetErrors(), + "error reporting/processing metrics, at %q", tc.testName) { + continue + } + + events := r.GetEvents() + if !assert.Equal(t, len(tc.expectedEvents), len(events), + "number of returned events doesn't match expected, at %q", tc.testName) { + continue + } + + // Sort slices of received and expeected to avoid unmatching + sort.Slice(events, func(i, j int) bool { + return events[i].MetricSetFields.String() < events[j].MetricSetFields.String() + }) + sort.Slice(tc.expectedEvents, func(i, j int) bool { + return tc.expectedEvents[i].String() < tc.expectedEvents[j].String() + }) + + for i := range events { + if !assert.Equal(t, tc.expectedEvents[i], events[i].MetricSetFields, + "mismatch at event #%d, at %q", i, tc.testName) { + + continue + } + } + } +} diff --git a/metricbeat/mb/testing/data/data_test.go b/metricbeat/mb/testing/data/data_test.go index b81b8142676..0d4050c739e 100644 --- a/metricbeat/mb/testing/data/data_test.go +++ b/metricbeat/mb/testing/data/data_test.go 
@@ -42,7 +42,12 @@ func TestAll(t *testing.T) { t.Run(fmt.Sprintf("%s.%s", moduleName, metricSetName), func(t *testing.T) { config := mbtest.ReadDataConfig(t, f) - mbtest.TestDataFilesWithConfig(t, moduleName, metricSetName, config) + mbtest.TestDataFilesWithConfig(t, moduleName, metricSetName, config, "application/json") + }) + + t.Run(fmt.Sprintf("%s.%s", moduleName, metricSetName), func(t *testing.T) { + config := mbtest.ReadDataConfig(t, f) + mbtest.TestDataFilesWithConfig(t, moduleName, metricSetName, config, "application/openmetrics-text") }) } } diff --git a/metricbeat/mb/testing/testdata.go b/metricbeat/mb/testing/testdata.go index d4e2883aafa..59dca1729e8 100644 --- a/metricbeat/mb/testing/testdata.go +++ b/metricbeat/mb/testing/testdata.go @@ -138,14 +138,19 @@ func TestDataConfig(t *testing.T) DataConfig { } // TestDataFiles run tests with config from the usual path (`_meta/testdata`) -func TestDataFiles(t *testing.T, module, metricSet string) { +func TestDataFiles(t *testing.T, module, metricSet string, contentType ...string) { t.Helper() config := TestDataConfig(t) - TestDataFilesWithConfig(t, module, metricSet, config) + ct := "" + if len(contentType) > 0 { + ct = contentType[0] + } + + TestDataFilesWithConfig(t, module, metricSet, config, ct) } // TestDataFilesWithConfig run tests for a testdata config -func TestDataFilesWithConfig(t *testing.T, module, metricSet string, config DataConfig) { +func TestDataFilesWithConfig(t *testing.T, module, metricSet string, config DataConfig, contentType string) { t.Helper() ff, err := filepath.Glob(filepath.Join(config.Path, "*."+config.Suffix)) if err != nil { @@ -166,7 +171,7 @@ func TestDataFilesWithConfig(t *testing.T, module, metricSet string, config Data for _, f := range files { t.Run(filepath.Base(f), func(t *testing.T) { - runTest(t, f, module, metricSet, config) + runTest(t, f, module, metricSet, config, contentType) }) } } 
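Review bot: Both `t.Run` calls in TestAll use the identical subtest name `fmt.Sprintf("%s.%s", moduleName, metricSetName)`, so the second run is reported as `module.metricset#01` and a failure cannot be attributed to a content type from the output alone; put the content type in the name, e.g. `t.Run(fmt.Sprintf("%s.%s/%s", moduleName, metricSetName, "application/openmetrics-text"), ...)`. The added run also replays every module's testdata with the OpenMetrics content type, not only the openmetrics module, which doubles TestAll's work and presumably serves fixtures as `application/openmetrics-text` that were never written for it; gating on moduleName, or carrying the content type in `DataConfig`, would keep the extra run to the modules that need it. TestAll's body starts outside the hunk.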
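Review bot: `TestDataFiles` now takes `contentType ...string` but only ever reads `contentType[0]`, so any further values are dropped without a hint to the caller; the variadic is being used as an optional parameter and the doc comment should say so, e.g. `// TestDataFiles run tests with config from the usual path (`_meta/testdata`). An optional contentType overrides the Content-Type the mock server sends; only the first value is used, an empty value keeps the JSON default.` `TestDataFilesWithConfig` gained a required `contentType string` with no comment on what an empty string means, which is worth one line since the fallback is decided in `server`, outside this hunk.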
@@ -187,9 +192,9 @@ func TestMetricsetFieldsDocumented(t *testing.T, metricSet mb.MetricSet, events } -func runTest(t *testing.T, file string, module, metricSetName string, config DataConfig) { +func runTest(t *testing.T, file string, module, metricSetName string, config DataConfig, contentType string) { // starts a server serving the given file under the given url - s := server(t, file, config.URL) + s := server(t, file, config.URL, contentType) defer s.Close() moduleConfig := getConfig(module, metricSetName, s.URL, config) @@ -432,7 +437,7 @@ func getConfig(module, metricSet, url string, config DataConfig) map[string]inte } // server starts a server with a mock output -func server(t *testing.T, path string, url string) *httptest.Server { +func server(t *testing.T, path string, url string, contentType string) *httptest.Server { body, err := ioutil.ReadFile(path) if err != nil { @@ -447,7 +452,11 @@ func server(t *testing.T, path string, url string) *httptest.Server { } if r.URL.Path+query == url { - w.Header().Set("Content-Type", "application/json;") + if contentType != "" { + w.Header().Set("Content-Type", contentType) + } else { + w.Header().Set("Content-Type", "application/json;") + } w.WriteHeader(200) w.Write(body) } else { diff --git a/metricbeat/module/openmetrics/_meta/fields.yml b/metricbeat/module/openmetrics/_meta/fields.yml index c83c99f1363..3f23c527c78 100644 --- a/metricbeat/module/openmetrics/_meta/fields.yml +++ b/metricbeat/module/openmetrics/_meta/fields.yml 
@@ -7,18 +7,45 @@ fields: - name: openmetrics type: group + # release: beta/ga description: > `openmetrics` contains metrics from endpoints that are following Openmetrics format. fields: # Order is important here, labels will match first, the rest are double + - name: help + type: keyword + description: > + Brief description of the MetricFamily + - name: type + type: keyword + description: > + metric type + - name: unit + type: keyword + description: > + metric unit + - name: created + type: keyword + description: > + metric creation time in seconds - name: labels.* type: object object_type: keyword description: > - Prometheus metric labels + Openmetrics metric labels - name: metrics.* type: object object_type: double object_type_mapping_type: "*" description: > - Prometheus metric + Openmetrics metric + - name: exemplar.* + type: object + object_type: keyword + description: > + Openmetrics exemplars + - name: exemplar.labels.* + type: object + object_type: keyword + description: > + Openmetrics metric labels diff --git a/metricbeat/module/openmetrics/collector/_meta/data.json b/metricbeat/module/openmetrics/collector/_meta/data.json index 5c3e9aec6ba..69c4da176ee 100644 --- a/metricbeat/module/openmetrics/collector/_meta/data.json +++ b/metricbeat/module/openmetrics/collector/_meta/data.json @@ -16,7 +16,8 @@ }, "metrics": { "node_network_carrier": 0 - } + }, + "type": "gauge" }, "service": { "address": "127.0.0.1:55555", diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json index 16f5001ba5e..e776cc27de9 100644 --- a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json @@ -17,7 +17,8 @@ }, "metrics": { "node_network_carrier": 0 - } + }, + "type": "gauge" }, "service": { "address": "127.0.0.1:55555", 
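Review bot: The new `created` field is declared `type: keyword`, but the collector only stores `promEvent.Created` after a numeric `> 0` comparison, so a number is indexed into a keyword mapping; map it as `type: double` (or `date` if the seconds value is converted first) or format it as a string before it goes into the event. The `exemplar.*` object is mapped `object_type: keyword` although exemplar values are samples, so the same mismatch may apply there; confirm against what data.go emits for exemplars. The descriptions `metric type`, `metric unit` and `metric creation time in seconds` also break the sentence-case style used by the neighbouring entries.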
@@ -42,7 +43,8 @@ }, "metrics": { "node_network_carrier": 0 - } + }, + "type": "gauge" }, "service": { "address": "127.0.0.1:55555", @@ -67,7 +69,8 @@ }, "metrics": { "node_network_carrier": 0 - } + }, + "type": "gauge" }, "service": { "address": "127.0.0.1:55555", @@ -91,7 +94,8 @@ }, "metrics": { "up": 1 - } + }, + "type": "gauge" }, "service": { "address": "127.0.0.1:55555", @@ -116,7 +120,8 @@ }, "metrics": { "node_network_carrier": 0 - } + }, + "type": "gauge" }, "service": { "address": "127.0.0.1:55555", @@ -141,7 +146,8 @@ }, "metrics": { "node_network_carrier": 0 - } + }, + "type": "gauge" }, "service": { "address": "127.0.0.1:55555", @@ -166,13 +172,14 @@ }, "metrics": { "node_network_carrier": 0 - } + }, + "type": "gauge" + }, "service": { "address": "127.0.0.1:55555", "type": "openmetrics" - } - }, + } }, { "event": { "dataset": "openmetrics.collector", @@ -191,13 +198,14 @@ }, "metrics": { "node_network_carrier": 0 - } + }, + "type": "gauge" + }, "service": { "address": "127.0.0.1:55555", "type": "openmetrics" - } - }, + } }, { "event": { "dataset": "openmetrics.collector", @@ -216,7 +224,8 @@ }, "metrics": { "node_network_carrier": 0 - } + }, + "type": "gauge" }, "service": { "address": "127.0.0.1:55555", @@ -241,11 +250,12 @@ }, "metrics": { "node_network_carrier": 0 - } + }, + "type": "gauge" }, "service": { "address": "127.0.0.1:55555", "type": "openmetrics" } } -] \ No newline at end of file +] diff --git a/metricbeat/module/openmetrics/collector/collector.go b/metricbeat/module/openmetrics/collector/collector.go index 6ce25dc9068..655bd193534 100644 --- a/metricbeat/module/openmetrics/collector/collector.go +++ b/metricbeat/module/openmetrics/collector/collector.go 
@@ -18,9 +18,17 @@
 package collector
 
 import (
+ //"github.com/elastic/beats/v7/metricbeat/module/prometheus/collector"
+ "regexp"
+
+ "github.com/pkg/errors"
+ "github.com/prometheus/prometheus/pkg/labels"
+ "github.com/prometheus/prometheus/pkg/textparse"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ p "github.com/elastic/beats/v7/metricbeat/helper/openmetrics"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/beats/v7/metricbeat/mb/parse"
- "github.com/elastic/beats/v7/metricbeat/module/prometheus/collector"
 )
 
 const (
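Review bot: The commented-out import `//"github.com/elastic/beats/v7/metricbeat/module/prometheus/collector"` is dead text left at the top of the import block and should be removed rather than committed; it sits where goimports expects the standard-library group to start and separates `"regexp"` from it. `github.com/pkg/errors` is pulled in only for `Wrap`/`Wrapf` in this file, which `fmt.Errorf("...: %w", err)` covers on the go 1.16 declared in go.mod; if the rest of the package does not already depend on pkg/errors, the standard form avoids an extra dependency.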
@@ -29,14 +37,235 @@ const ( ) var ( + // HostParser parses a OpenMetrics endpoint URL hostParser = parse.URLHostParserBuilder{ DefaultScheme: defaultScheme, DefaultPath: defaultPath, + PathConfigKey: "metrics_path", }.Build() + + upMetricName = "up" + upMetricType = textparse.MetricTypeGauge + upMetricInstanceLabel = "instance" + upMetricJobLabel = "job" + upMetricJobValue = "prometheus" ) func init() { mb.Registry.MustAddMetricSet("openmetrics", "collector", - collector.MetricSetBuilder("openmetrics", collector.DefaultPromEventsGeneratorFactory), - mb.WithHostParser(hostParser)) + MetricSetBuilder("openmetrics", DefaultOpenMetricsEventsGeneratorFactory), + mb.WithHostParser(hostParser), + mb.DefaultMetricSet(), + ) +} + +// OpenMetricsEventsGenerator converts a OpenMetrics metric family into a OpenMetricEvent list +type OpenMetricsEventsGenerator interface { + // Start must be called before using the generator + Start() + + // converts a OpenMetrics metric family into a list of PromEvents + GenerateOpenMetricsEvents(mf *p.OpenMetricFamily) []OpenMetricEvent + + // Stop must be called when the generator won't be used anymore + Stop() +} + +// OpenMetricsEventsGeneratorFactory creates a OpenMetricsEventsGenerator when instanciating a metricset +type OpenMetricsEventsGeneratorFactory func(ms mb.BaseMetricSet) (OpenMetricsEventsGenerator, error) + +// MetricSet for fetching openmetrics data +type MetricSet struct { + mb.BaseMetricSet + openmetrics p.OpenMetrics + includeMetrics []*regexp.Regexp + excludeMetrics []*regexp.Regexp + namespace string + promEventsGen OpenMetricsEventsGenerator + host string + eventGenStarted bool +} + +// MetricSetBuilder returns a builder function for a new OpenMetrics metricset using +// the given namespace and event generator +func MetricSetBuilder(namespace string, genFactory OpenMetricsEventsGeneratorFactory) func(base mb.BaseMetricSet) (mb.MetricSet, error) { + return func(base mb.BaseMetricSet) (mb.MetricSet, error) { + config := 
defaultConfig + if err := base.Module().UnpackConfig(&config); err != nil { + return nil, err + } + openmetrics, err := p.NewOpenMetricsClient(base) + if err != nil { + return nil, err + } + + promEventsGen, err := genFactory(base) + if err != nil { + return nil, err + } + + ms := &MetricSet{ + BaseMetricSet: base, + openmetrics: openmetrics, + namespace: namespace, + promEventsGen: promEventsGen, + eventGenStarted: false, + } + // store host here to use it as a pointer when building `up` metric + ms.host = ms.Host() + ms.excludeMetrics, err = p.CompilePatternList(config.MetricsFilters.ExcludeMetrics) + if err != nil { + return nil, errors.Wrapf(err, "unable to compile exclude patterns") + } + ms.includeMetrics, err = p.CompilePatternList(config.MetricsFilters.IncludeMetrics) + if err != nil { + return nil, errors.Wrapf(err, "unable to compile include patterns") + } + + return ms, nil + } +} + +// Fetch fetches data and reports it +func (m *MetricSet) Fetch(reporter mb.ReporterV2) error { + if !m.eventGenStarted { + m.promEventsGen.Start() + m.eventGenStarted = true + } + + families, err := m.openmetrics.GetFamilies() + eventList := map[textparse.MetricType]map[string]common.MapStr{} + if err != nil { + // send up event only + families = append(families, m.upMetricFamily(0.0)) + + // set the error to report it after sending the up event + err = errors.Wrap(err, "unable to decode response from openmetrics endpoint") + } else { + // add up event to the list + families = append(families, m.upMetricFamily(1.0)) + } + + for _, family := range families { + if m.skipFamily(family) { + continue + } + promEvents := m.promEventsGen.GenerateOpenMetricsEvents(family) + + for _, promEvent := range promEvents { + labelsHash := promEvent.LabelsHash() + if _, ok := eventList[promEvent.Type]; !ok { + eventList[promEvent.Type] = make(map[string]common.MapStr) + } + if _, ok := eventList[promEvent.Type][labelsHash]; !ok { + eventList[promEvent.Type][labelsHash] = common.MapStr{} + + 
// Add default instance label if not already there + if exists, _ := promEvent.Labels.HasKey(upMetricInstanceLabel); !exists { + promEvent.Labels.Put(upMetricInstanceLabel, m.Host()) + } + // Add default job label if not already there + if exists, _ := promEvent.Labels.HasKey("job"); !exists { + promEvent.Labels.Put("job", m.Module().Name()) + } + // Add labels + if len(promEvent.Labels) > 0 { + eventList[promEvent.Type][labelsHash]["labels"] = promEvent.Labels + } + } + + if promEvent.Type != "" { + eventList[promEvent.Type][labelsHash]["type"] = promEvent.Type + } + if promEvent.Unit != "" { + eventList[promEvent.Type][labelsHash]["unit"] = promEvent.Unit + } + if promEvent.Created > 0 { + eventList[promEvent.Type][labelsHash]["created"] = promEvent.Created + } + + if len(promEvent.Exemplars) > 0 { + eventList[promEvent.Type][labelsHash]["exemplar"] = promEvent.Exemplars + } + // Accumulate metrics in the event + eventList[promEvent.Type][labelsHash].DeepUpdate(promEvent.Data) + } + } + + // Report events + for _, e := range eventList { + for _, ev := range e { + isOpen := reporter.Event(mb.Event{ + RootFields: common.MapStr{m.namespace: ev}, + }) + if !isOpen { + break + } + } + } + + return err +} + +// Close stops the metricset +func (m *MetricSet) Close() error { + if m.eventGenStarted { + m.promEventsGen.Stop() + } + return nil +} + +func (m *MetricSet) upMetricFamily(value float64) *p.OpenMetricFamily { + gauge := p.Gauge{ + Value: &value, + } + label1 := labels.Label{ + Name: upMetricInstanceLabel, + Value: m.host, + } + label2 := labels.Label{ + Name: upMetricJobLabel, + Value: upMetricJobValue, + } + metric := p.OpenMetric{ + Gauge: &gauge, + Label: []*labels.Label{&label1, &label2}, + } + return &p.OpenMetricFamily{ + Name: &upMetricName, + Type: textparse.MetricType(upMetricType), + Metric: []*p.OpenMetric{&metric}, + } +} + +func (m *MetricSet) skipFamily(family *p.OpenMetricFamily) bool { + if family == nil || family.Name == nil { + return false + } 
+ return m.skipFamilyName(*family.Name) +} + +func (m *MetricSet) skipFamilyName(family string) bool { + // example: + // include_metrics: + // - node_* + // exclude_metrics: + // - node_disk_* + // + // This would mean that we want to keep only the metrics that start with node_ prefix but + // are not related to disk so we exclude node_disk_* metrics from them. + + // if include_metrics are defined, check if this metric should be included + if len(m.includeMetrics) > 0 { + if !p.MatchMetricFamily(family, m.includeMetrics) { + return true + } + } + // now exclude the metric if it matches any of the given patterns + if len(m.excludeMetrics) > 0 { + if p.MatchMetricFamily(family, m.excludeMetrics) { + return true + } + } + return false } diff --git a/metricbeat/module/openmetrics/collector/collector_test.go b/metricbeat/module/openmetrics/collector/collector_test.go index 072755f3f75..210064a4679 100644 --- a/metricbeat/module/openmetrics/collector/collector_test.go +++ b/metricbeat/module/openmetrics/collector/collector_test.go 
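Review bot: In Fetch the default job label is written with the literal `"job"` and `m.Module().Name()`, while upMetricFamily labels the synthetic `up` sample with `upMetricJobLabel`/`upMetricJobValue`, i.e. `"prometheus"`, so the `up` event and the scraped events of the same metricset disagree on `job` and the constants are bypassed on the common path; use `promEvent.Labels.Put(upMetricJobLabel, m.Module().Name())` and derive the `up` value from the same source. The compile-error wrapping uses `errors.Wrapf(err, "unable to compile exclude patterns")` with no format arguments, which is plain `errors.Wrap`. The comment `// HostParser parses a OpenMetrics endpoint URL` names `HostParser` but the variable is `hostParser`. When `reporter.Event` returns false the `break` only leaves the inner loop over label hashes, so the outer loop over metric types continues and keeps calling a reporter that presumably signalled it is closed; `return err` there would stop the remaining work.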
@@ -22,11 +22,374 @@ package collector import ( "testing" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/metricbeat/helper/openmetrics" + p "github.com/elastic/beats/v7/metricbeat/helper/prometheus" + "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/golang/protobuf/proto" + lbl "github.com/prometheus/prometheus/pkg/labels" + "github.com/prometheus/prometheus/pkg/textparse" + "github.com/stretchr/testify/assert" + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" _ "github.com/elastic/beats/v7/metricbeat/module/openmetrics" ) func TestData(t *testing.T) { - mbtest.TestDataFiles(t, "openmetrics", "collector") + mbtest.TestDataFiles(t, "openmetrics", "collector", "application/openmetrics-text") +} + +func TestGetPromEventsFromMetricFamily(t *testing.T) { + labels := common.MapStr{ + "handler": "query", + } + tests := []struct { + Family *openmetrics.OpenMetricFamily + Event []OpenMetricEvent + }{ + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeCounter, + Metric: []*openmetrics.OpenMetric{ + { + Name: proto.String("http_request_duration_microseconds_total"), + Label: []*lbl.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Counter: &openmetrics.Counter{ + Value: proto.Float64(10), + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds_total": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeCounter, + Labels: labels, + Exemplars: common.MapStr{}, + }, + }, + }, + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeGauge, + Metric: []*openmetrics.OpenMetric{ + { + Gauge: &openmetrics.Gauge{ + Value: proto.Float64(10), + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + 
"metrics": common.MapStr{ + "http_request_duration_microseconds": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeGauge, + Labels: common.MapStr{}, + }, + }, + }, + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeSummary, + Metric: []*openmetrics.OpenMetric{ + { + Summary: &openmetrics.Summary{ + SampleCount: proto.Uint64(10), + SampleSum: proto.Float64(10), + Quantile: []*openmetrics.Quantile{ + { + Quantile: proto.Float64(0.99), + Value: proto.Float64(10), + }, + }, + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds_count": uint64(10), + "http_request_duration_microseconds_sum": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeSummary, + Labels: common.MapStr{}, + }, + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds": float64(10), + }, + }, + Labels: common.MapStr{ + "quantile": "0.99", + }, + }, + }, + }, + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeHistogram, + Metric: []*openmetrics.OpenMetric{ + { + Histogram: &openmetrics.Histogram{ + SampleCount: proto.Uint64(10), + SampleSum: proto.Float64(10), + Bucket: []*openmetrics.Bucket{ + { + UpperBound: proto.Float64(0.99), + CumulativeCount: proto.Uint64(10), + }, + }, + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds_count": uint64(10), + "http_request_duration_microseconds_sum": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeHistogram, + Labels: common.MapStr{}, + }, + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds_bucket": uint64(10), + }, + }, + Labels: 
common.MapStr{"le": "0.99"}, + Exemplars: common.MapStr{}, + }, + }, + }, + { + Family: &openmetrics.OpenMetricFamily{ + Name: proto.String("http_request_duration_microseconds"), + Help: proto.String("foo"), + Type: textparse.MetricTypeUnknown, + Metric: []*openmetrics.OpenMetric{ + { + Label: []*lbl.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Unknown: &openmetrics.Unknown{ + Value: proto.Float64(10), + }, + }, + }, + }, + Event: []OpenMetricEvent{ + { + Data: common.MapStr{ + "metrics": common.MapStr{ + "http_request_duration_microseconds": float64(10), + }, + }, + Help: "foo", + Type: textparse.MetricTypeUnknown, + Labels: labels, + }, + }, + }, + } + + p := openmetricEventGenerator{} + for _, test := range tests { + event := p.GenerateOpenMetricsEvents(test.Family) + assert.Equal(t, test.Event, event) + } +} + +func TestSkipMetricFamily(t *testing.T) { + testFamilies := []*openmetrics.OpenMetricFamily{ + { + Name: proto.String("http_request_duration_microseconds_a_a_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeCounter, + Metric: []*openmetrics.OpenMetric{ + { + Label: []*lbl.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Counter: &openmetrics.Counter{ + Value: proto.Float64(10), + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_a_b_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeCounter, + Metric: []*openmetrics.OpenMetric{ + { + Label: []*lbl.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Counter: &openmetrics.Counter{ + Value: proto.Float64(10), + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_b_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeGauge, + Metric: []*openmetrics.OpenMetric{ + { + Gauge: &openmetrics.Gauge{ + Value: proto.Float64(10), + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_c_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeSummary, + Metric: 
[]*openmetrics.OpenMetric{ + { + Summary: &openmetrics.Summary{ + SampleCount: proto.Uint64(10), + SampleSum: proto.Float64(10), + Quantile: []*openmetrics.Quantile{ + { + Quantile: proto.Float64(0.99), + Value: proto.Float64(10), + }, + }, + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_d_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeHistogram, + Metric: []*openmetrics.OpenMetric{ + { + Histogram: &openmetrics.Histogram{ + SampleCount: proto.Uint64(10), + SampleSum: proto.Float64(10), + Bucket: []*openmetrics.Bucket{ + { + UpperBound: proto.Float64(0.99), + CumulativeCount: proto.Uint64(10), + }, + }, + }, + }, + }, + }, + { + Name: proto.String("http_request_duration_microseconds_e_in"), + Help: proto.String("foo"), + Type: textparse.MetricTypeUnknown, + Metric: []*openmetrics.OpenMetric{ + { + Label: []*lbl.Label{ + { + Name: "handler", + Value: "query", + }, + }, + Unknown: &openmetrics.Unknown{ + Value: proto.Float64(10), + }, + }, + }, + }, + } + + ms := &MetricSet{ + BaseMetricSet: mb.BaseMetricSet{}, + } + + // test with no filters + ms.includeMetrics, _ = p.CompilePatternList(&[]string{}) + ms.excludeMetrics, _ = p.CompilePatternList(&[]string{}) + metricsToKeep := 0 + for _, testFamily := range testFamilies { + if !ms.skipFamily(testFamily) { + metricsToKeep++ + } + } + assert.Equal(t, metricsToKeep, len(testFamilies)) + + // test with only one include filter + ms.includeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.excludeMetrics, _ = p.CompilePatternList(&[]string{}) + metricsToKeep = 0 + for _, testFamily := range testFamilies { + if !ms.skipFamily(testFamily) { + metricsToKeep++ + } + } + assert.Equal(t, metricsToKeep, 2) + + // test with only one exclude filter + ms.includeMetrics, _ = p.CompilePatternList(&[]string{""}) + ms.excludeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + metricsToKeep = 0 + for _, 
testFamily := range testFamilies { + if !ms.skipFamily(testFamily) { + metricsToKeep++ + } + } + assert.Equal(t, len(testFamilies)-2, metricsToKeep) + + // test with ine include and one exclude + ms.includeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.excludeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_b_*"}) + metricsToKeep = 0 + for _, testFamily := range testFamilies { + if !ms.skipFamily(testFamily) { + metricsToKeep++ + } + } + assert.Equal(t, 1, metricsToKeep) + } diff --git a/metricbeat/module/openmetrics/collector/config.go b/metricbeat/module/openmetrics/collector/config.go new file mode 100644 index 00000000000..1a2c5688177 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/config.go 
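Review bot: In TestSkipMetricFamily the first assertion `assert.Equal(t, metricsToKeep, len(testFamilies))` passes actual before expected, while the later cases use the `expected, actual` order, so a failure there would print the two values swapped. The "only one exclude filter" case passes `p.CompilePatternList(&[]string{""})` as the include list, so it is not exclude-only: the include list has length 1 and the outcome depends on how an empty pattern matches inside CompilePatternList, which is not visible here; `&[]string{}` would exercise what the comment describes. The comment `// test with ine include and one exclude` has a typo (`one`). In TestGetPromEventsFromMetricFamily the expected events set `Exemplars: common.MapStr{}` only for the counter and histogram-bucket cases and leave it nil elsewhere, which pins the generator's uneven initialisation of that field rather than a deliberate contract; either a comment on why the two differ or aligning the generator would make the intent explicit.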
@@ -0,0 +1,38 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package collector
+
+type metricsetConfig struct {
+ MetricsFilters MetricFilters `config:"metrics_filters" yaml:"metrics_filters,omitempty"`
+}
+
+type MetricFilters struct {
+ IncludeMetrics *[]string `config:"include" yaml:"include,omitempty"`
+ ExcludeMetrics *[]string `config:"exclude" yaml:"exclude,omitempty"`
+}
+
+var defaultConfig = metricsetConfig{
+ MetricsFilters: MetricFilters{
+ IncludeMetrics: nil,
+ ExcludeMetrics: nil},
+}
+
+func (c *metricsetConfig) Validate() error {
+ // validate configuration here
+ return nil
+}
diff --git a/metricbeat/module/openmetrics/collector/data.go b/metricbeat/module/openmetrics/collector/data.go
new file mode 100644
index 00000000000..1587566b9a9
--- /dev/null
+++ b/metricbeat/module/openmetrics/collector/data.go
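Review bot: `MetricFilters` is exported but carries no doc comment, and `Validate` is a stub whose only content is `// validate configuration here`, so a malformed include or exclude pattern is not rejected when the configuration is loaded. The patterns are compiled elsewhere (the tests call `p.CompilePatternList` on these lists), so either compile both lists inside Validate and return the compile error, or replace the placeholder with a comment stating where the patterns are checked. Suggested doc comment: `// MetricFilters selects metric families by name: include patterns are applied first, then exclude patterns drop matches.` — that ordering is what skipFamilyName implements. The explicit `IncludeMetrics: nil, ExcludeMetrics: nil` in defaultConfig is the zero value and reads more plainly as `var defaultConfig metricsetConfig`.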
@@ -0,0 +1,290 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package collector
+
+import (
+ "math"
+ "strconv"
+
+ p "github.com/elastic/beats/v7/metricbeat/helper/openmetrics"
+ "github.com/prometheus/prometheus/pkg/textparse"
+
+ "github.com/elastic/beats/v7/libbeat/common"
+ "github.com/elastic/beats/v7/metricbeat/helper/labelhash"
+ "github.com/elastic/beats/v7/metricbeat/mb"
+)
+
+// OpenMetricEvent stores a set of one or more metrics with the same labels
+type OpenMetricEvent struct {
+ Data common.MapStr
+ Labels common.MapStr
+ Help string
+ Type textparse.MetricType
+ Unit string
+ Created int64
+ Exemplars common.MapStr
+}
+
+// LabelsHash returns a repeatable string that is unique for the set of labels in this event
+func (p *OpenMetricEvent) LabelsHash() string {
+ return labelhash.LabelHash(p.Labels)
+}
+
+// DefaultOpenMetricEventsGeneratorFactory returns the default OpenMetrics events generator
+func DefaultOpenMetricsEventsGeneratorFactory(ms mb.BaseMetricSet) (OpenMetricsEventsGenerator, error) {
+ return &openmetricEventGenerator{}, nil
+}
+
+type openmetricEventGenerator struct{}
+
+func (p *openmetricEventGenerator) Start() {}
+func (p *openmetricEventGenerator) Stop() {}
+
+// 
DefaultopenmetricEventsGenerator stores all OpenMetrics metrics using +// only double field type in Elasticsearch. +func (p *openmetricEventGenerator) GenerateOpenMetricsEvents(mf *p.OpenMetricFamily) []OpenMetricEvent { + var events []OpenMetricEvent + + name := *mf.Name + metrics := mf.Metric + // info := *mf.Info + help := "" + unit := "" + if mf.Help != nil { + help = *mf.Help + } + if mf.Unit != nil { + unit = *mf.Unit + } + + for _, metric := range metrics { + labels := common.MapStr{} + mn := metric.GetName() + + if len(metric.Label) != 0 { + for _, label := range metric.Label { + if label.Name != "" && label.Value != "" { + labels[label.Name] = label.Value + } + } + } + + exemplars := common.MapStr{} + if metric.Exemplar != nil { + exemplars = common.MapStr{*mn: metric.Exemplar.Value} + if metric.Exemplar.HasTs { + exemplars.Put("timestamp", metric.Exemplar.Ts) + } + for _, label := range metric.Exemplar.Labels { + if label.Name != "" && label.Value != "" { + exemplars.Put("labels."+label.Name, label.Value) + } + } + } + + created := int64(0) + if metric.CreatedMs != nil { + created = *metric.CreatedMs + } + + // TODO: where is timestamp used? 
+ //timestamp := int64(0) + //if metric.TimestampMs != nil { + // timestamp = *metric.TimestampMs + //} + + counter := metric.GetCounter() + if counter != nil { + if !math.IsNaN(counter.GetValue()) && !math.IsInf(counter.GetValue(), 0) { + events = append(events, OpenMetricEvent{ + Created: created, + Type: textparse.MetricTypeCounter, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + *mn: counter.GetValue(), + }, + }, + Labels: labels, + Exemplars: exemplars, + }) + } + } + + gauge := metric.GetGauge() + if gauge != nil { + if !math.IsNaN(gauge.GetValue()) && !math.IsInf(gauge.GetValue(), 0) { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeGauge, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + name: gauge.GetValue(), + }, + }, + Labels: labels, + }) + } + } + + info := metric.GetInfo() + if info != nil { + if info.HasValidValue() { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeInfo, + Data: common.MapStr{ + "metrics": common.MapStr{ + name: info.GetValue(), + }, + }, + Labels: labels, + }) + } + } + + stateset := metric.GetStateset() + if stateset != nil { + if stateset.HasValidValue() { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeStateset, + Data: common.MapStr{ + "metrics": common.MapStr{ + name: stateset.GetValue(), + }, + }, + Labels: labels, + }) + } + } + + summary := metric.GetSummary() + if summary != nil { + if !math.IsNaN(summary.GetSampleSum()) && !math.IsInf(summary.GetSampleSum(), 0) { + events = append(events, OpenMetricEvent{ + Created: created, + Type: textparse.MetricTypeSummary, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + name + "_sum": summary.GetSampleSum(), + name + "_count": summary.GetSampleCount(), + }, + }, + Labels: labels, + }) + } + + for _, quantile := range summary.GetQuantile() { + if math.IsNaN(quantile.GetValue()) || math.IsInf(quantile.GetValue(), 0) { + 
continue + } + + quantileLabels := labels.Clone() + quantileLabels["quantile"] = strconv.FormatFloat(quantile.GetQuantile(), 'f', -1, 64) + events = append(events, OpenMetricEvent{ + Data: common.MapStr{ + "metrics": common.MapStr{ + name: quantile.GetValue(), + }, + }, + Labels: quantileLabels, + }) + } + } + + histogram := metric.GetHistogram() + if histogram != nil { + if !math.IsNaN(histogram.GetSampleSum()) && !math.IsInf(histogram.GetSampleSum(), 0) { + var sum = "_sum" + var count = "_count" + var typ = textparse.MetricTypeHistogram + if histogram.IsGaugeHistogram { + sum = "_gsum" + count = "_gcount" + typ = textparse.MetricTypeGaugeHistogram + } + + events = append(events, OpenMetricEvent{ + Created: created, + Type: typ, + Help: help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + name + sum: histogram.GetSampleSum(), + name + count: histogram.GetSampleCount(), + }, + }, + Labels: labels, + }) + } + + for _, bucket := range histogram.GetBucket() { + if bucket.GetCumulativeCount() == uint64(math.NaN()) || bucket.GetCumulativeCount() == uint64(math.Inf(0)) { + continue + } + + if bucket.Exemplar != nil { + exemplars = common.MapStr{name: bucket.Exemplar.Value} + if bucket.Exemplar.HasTs { + exemplars.Put("timestamp", bucket.Exemplar.Ts) + } + for _, label := range bucket.Exemplar.Labels { + if label.Name != "" && label.Value != "" { + exemplars.Put("labels."+label.Name, label.Value) + } + } + } + + bucketLabels := labels.Clone() + bucketLabels["le"] = strconv.FormatFloat(bucket.GetUpperBound(), 'f', -1, 64) + + events = append(events, OpenMetricEvent{ + Data: common.MapStr{ + "metrics": common.MapStr{ + name + "_bucket": bucket.GetCumulativeCount(), + }, + }, + Labels: bucketLabels, + Exemplars: exemplars, + }) + } + } + + unknown := metric.GetUnknown() + if unknown != nil { + if !math.IsNaN(unknown.GetValue()) && !math.IsInf(unknown.GetValue(), 0) { + events = append(events, OpenMetricEvent{ + Type: textparse.MetricTypeUnknown, + Help: 
help, + Unit: unit, + Data: common.MapStr{ + "metrics": common.MapStr{ + name: unknown.GetValue(), + }, + }, + Labels: labels, + }) + } + } + } + return events +} diff --git a/metricbeat/module/openmetrics/fields.go b/metricbeat/module/openmetrics/fields.go index 213a9974223..f72672c6d34 100644 --- a/metricbeat/module/openmetrics/fields.go +++ b/metricbeat/module/openmetrics/fields.go @@ -32,5 +32,5 @@ func init() { // AssetOpenmetrics returns asset data. // This is the base64 encoded gzipped contents of module/openmetrics. func AssetOpenmetrics() string { - return "eJycUsFuqzAQvPMVI94hUpTkAzi8X8i7P1WJwQu4sb3WelGUv68I0JK0PbRznGHYmZH3uNCtAieKgVRckwtAnXqqsDl+sJsCEPJkMlWoSU0BWMqNuKSOY4W/BQCsHAhsB08FkEnVxS5X+F/2qqncoczZly8F0DryNld38x7RBHoOM0JviSp0wkOamS9ujzivvGc0HNW4mLFEaoUDKNrELmqG9kZhhNCy93x1sXso0LIEo4f55+ukI/7gKJYELsOFxKImKnoS2sGbmnzG1XmPYLTp0TrJuoP2BKE8HbU81Pd9JiztJ/Nh+y4s9bl+pUZX9EScJvVCtyuLXcnfTDTin3Ag7WlYppmvfgozT/HjNE/dHtRTMCm52M2fltvyl6FXaR+f5lsAAAD//0qh20E=" + return "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" } From a78259d19d4268609a8aaa84abb6590cdb8715ae Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Wed, 4 Aug 2021 10:39:10 -0700 Subject: [PATCH 02/63] Remove created, commented code, reformat. --- metricbeat/helper/openmetrics/openmetrics.go | 1 - .../module/openmetrics/collector/collector.go | 4 --- .../module/openmetrics/collector/data.go | 33 +++++-------------- 3 files changed, 9 insertions(+), 29 deletions(-) diff --git a/metricbeat/helper/openmetrics/openmetrics.go b/metricbeat/helper/openmetrics/openmetrics.go index d473b1d6c2e..0fafac3d18e 100644 --- a/metricbeat/helper/openmetrics/openmetrics.go +++ b/metricbeat/helper/openmetrics/openmetrics.go @@ -216,7 +216,6 @@ type OpenMetric struct { Summary *Summary Unknown *Unknown Histogram *Histogram - CreatedMs *int64 TimestampMs *int64 } 
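Review bot: `name := *mf.Name` at the top of GenerateOpenMetricsEvents dereferences the family name with no nil check, while skipFamily in collector.go returns false for a family whose Name is nil and so lets it through to this call, which would panic; add `if mf == nil || mf.Name == nil { return nil }` before it (the `*mn` dereferences in the counter and exemplar branches have the same exposure if GetName can return nil — its implementation is not visible here). `exemplars` is built once per metric and is only reassigned inside the bucket loop when `bucket.Exemplar != nil`, so a bucket without an exemplar inherits the previous bucket's (or the metric-level) exemplar in its event; declare a fresh `bucketExemplars := common.MapStr{}` per iteration and use that in the bucket event. The guard `bucket.GetCumulativeCount() == uint64(math.NaN()) || bucket.GetCumulativeCount() == uint64(math.Inf(0))` compares against implementation-dependent values — the Go spec leaves float-to-integer conversion of NaN and out-of-range values undefined — so it filters nothing meaningful and should be dropped. The doc comments read `DefaultOpenMetricEventsGeneratorFactory` and `DefaultopenmetricEventsGenerator`, which do not match the declarations they sit on (`DefaultOpenMetricsEventsGeneratorFactory` and `GenerateOpenMetricsEvents`), so golint-style tooling will flag them.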
diff --git a/metricbeat/module/openmetrics/collector/collector.go b/metricbeat/module/openmetrics/collector/collector.go index 655bd193534..ebb5837eea7 100644 --- a/metricbeat/module/openmetrics/collector/collector.go +++ b/metricbeat/module/openmetrics/collector/collector.go @@ -18,7 +18,6 @@ package collector import ( - //"github.com/elastic/beats/v7/metricbeat/module/prometheus/collector" "regexp" "github.com/pkg/errors" @@ -180,9 +179,6 @@ func (m *MetricSet) Fetch(reporter mb.ReporterV2) error { if promEvent.Unit != "" { eventList[promEvent.Type][labelsHash]["unit"] = promEvent.Unit } - if promEvent.Created > 0 { - eventList[promEvent.Type][labelsHash]["created"] = promEvent.Created - } if len(promEvent.Exemplars) > 0 { eventList[promEvent.Type][labelsHash]["exemplar"] = promEvent.Exemplars diff --git a/metricbeat/module/openmetrics/collector/data.go b/metricbeat/module/openmetrics/collector/data.go index 1587566b9a9..8b66838cd62 100644 --- a/metricbeat/module/openmetrics/collector/data.go +++ b/metricbeat/module/openmetrics/collector/data.go @@ -36,7 +36,6 @@ type OpenMetricEvent struct { Help string Type textparse.MetricType Unit string - Created int64 Exemplars common.MapStr } @@ -97,25 +96,13 @@ func (p *openmetricEventGenerator) GenerateOpenMetricsEvents(mf *p.OpenMetricFam } } - created := int64(0) - if metric.CreatedMs != nil { - created = *metric.CreatedMs - } - - // TODO: where is timestamp used? - //timestamp := int64(0) - //if metric.TimestampMs != nil { - // timestamp = *metric.TimestampMs - //} - counter := metric.GetCounter() if counter != nil { if !math.IsNaN(counter.GetValue()) && !math.IsInf(counter.GetValue(), 0) { events = append(events, OpenMetricEvent{ - Created: created, - Type: textparse.MetricTypeCounter, - Help: help, - Unit: unit, + Type: textparse.MetricTypeCounter, + Help: help, + Unit: unit, Data: common.MapStr{ "metrics": common.MapStr{ *mn: counter.GetValue(), 
@@ -178,10 +165,9 @@ func (p *openmetricEventGenerator) GenerateOpenMetricsEvents(mf *p.OpenMetricFam if summary != nil { if !math.IsNaN(summary.GetSampleSum()) && !math.IsInf(summary.GetSampleSum(), 0) { events = append(events, OpenMetricEvent{ - Created: created, - Type: textparse.MetricTypeSummary, - Help: help, - Unit: unit, + Type: textparse.MetricTypeSummary, + Help: help, + Unit: unit, Data: common.MapStr{ "metrics": common.MapStr{ name + "_sum": summary.GetSampleSum(), @@ -223,10 +209,9 @@ func (p *openmetricEventGenerator) GenerateOpenMetricsEvents(mf *p.OpenMetricFam } events = append(events, OpenMetricEvent{ - Created: created, - Type: typ, - Help: help, - Unit: unit, + Type: typ, + Help: help, + Unit: unit, Data: common.MapStr{ "metrics": common.MapStr{ name + sum: histogram.GetSampleSum(), From 8d16c931593f3915b4518736d4c60893e4193bb3 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 5 Aug 2021 22:43:31 -0700 Subject: [PATCH 03/63] Update go.mod for Azure/go-autorest --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 0fa29ba48ca..9e1d51e0837 100644 --- a/go.mod +++ b/go.mod @@ -186,7 +186,7 @@ require ( ) replace ( - // github.com/Azure/go-autorest => github.com/Azure/go-autorest v12.2.0+incompatible + github.com/Azure/go-autorest => github.com/Azure/go-autorest v14.2.0+incompatible github.com/Microsoft/go-winio => github.com/bi-zone/go-winio v0.4.15 github.com/Shopify/sarama => github.com/elastic/sarama v1.19.1-0.20210120173147-5c8cb347d877 github.com/cucumber/godog => github.com/cucumber/godog v0.8.1 From 5c55db1866399bfeb597c59f2f23d1a2df89cd26 Mon Sep 17 00:00:00 2001 
From: Premendra Singh Date: Tue, 31 Aug 2021 22:07:43 -0700 Subject: [PATCH 04/63] Changes based on PR review --- metricbeat/docs/modules/linux/memory.asciidoc | 1 + .../module/openmetrics/_meta/fields.yml | 10 +- .../openmetrics/collector/_meta/data.json | 3 +- .../_meta/testdata/docs.plain-expected.json | 11 +- .../_meta/testdata/openmetrics-features.plain | 18 ++ .../openmetrics-features.plain-expected.json | 275 ++++++++++++++++++ .../module/openmetrics/collector/collector.go | 77 ++--- .../openmetrics/collector/collector_test.go | 2 +- .../module/openmetrics/collector/data.go | 3 +- 9 files changed, 351 insertions(+), 49 deletions(-) create mode 100644 metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain create mode 100644 metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json diff --git a/metricbeat/docs/modules/linux/memory.asciidoc b/metricbeat/docs/modules/linux/memory.asciidoc index 67459f35909..9ea3d482e57 100644 --- a/metricbeat/docs/modules/linux/memory.asciidoc +++ b/metricbeat/docs/modules/linux/memory.asciidoc @@ -9,6 +9,7 @@ beta[] include::../../../module/linux/memory/_meta/docs.asciidoc[] +This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/module/openmetrics/_meta/fields.yml b/metricbeat/module/openmetrics/_meta/fields.yml index 3f23c527c78..f92fc65de8d 100644 --- a/metricbeat/module/openmetrics/_meta/fields.yml +++ b/metricbeat/module/openmetrics/_meta/fields.yml @@ -19,15 +19,11 @@ - name: type type: keyword description: > - metric type + Metric type - name: unit type: keyword description: > - metric unit - - name: created - type: keyword - description: > - metric creation time in seconds + Metric unit - name: labels.* type: object object_type: keyword @@ -48,4 +44,4 @@ type: object object_type: keyword description: > - Openmetrics metric labels + Openmetrics metric exemplar labels 
diff --git a/metricbeat/module/openmetrics/collector/_meta/data.json b/metricbeat/module/openmetrics/collector/_meta/data.json index 69c4da176ee..548f3b65a0e 100644 --- a/metricbeat/module/openmetrics/collector/_meta/data.json +++ b/metricbeat/module/openmetrics/collector/_meta/data.json @@ -10,8 +10,9 @@ "period": 10000 }, "openmetrics": { + "help": "carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { - "device": "br-3a285aa5e58c", + "device": "br-0cb306323b90", "job": "openmetrics" }, "metrics": { diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json index e776cc27de9..2187dc422f2 100644 --- a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json @@ -10,6 +10,7 @@ "period": 10000 }, "openmetrics": { + "help":"carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { "device": "br-10229e3512d9", "instance": "127.0.0.1:50135", @@ -36,6 +37,7 @@ "period": 10000 }, "openmetrics": { + "help":"carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { "device": "br-425cb4c454a6", "instance": "127.0.0.1:50135", @@ -62,6 +64,7 @@ "period": 10000 }, "openmetrics": { + "help":"carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { "device": "br-38425a39f36b", "instance": "127.0.0.1:50135", @@ -90,7 +93,7 @@ "openmetrics": { "labels": { "instance": "127.0.0.1:50135", - "job": "prometheus" + "job": "openmetrics" }, "metrics": { "up": 1 @@ -113,6 +116,7 @@ "period": 10000 }, "openmetrics": { + "help":"carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { "device": "br-33d819d5f834", "instance": "127.0.0.1:50135", @@ -139,6 +143,7 @@ "period": 10000 }, "openmetrics": { + "help":"carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { "device": "br-4e623477470e", "instance": "127.0.0.1:50135", 
@@ -165,6 +170,7 @@ "period": 10000 }, "openmetrics": { + "help":"carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { "device": "br-210476dc4ef8", "instance": "127.0.0.1:50135", @@ -191,6 +197,7 @@ "period": 10000 }, "openmetrics": { + "help":"carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { "device": "br-0cb306323b90", "instance": "127.0.0.1:50135", @@ -217,6 +224,7 @@ "period": 10000 }, "openmetrics": { + "help":"carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { "device": "br-38feb0aad6ab", "instance": "127.0.0.1:50135", @@ -243,6 +251,7 @@ "period": 10000 }, "openmetrics": { + "help":"carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { "device": "br-3a285aa5e58c", "instance": "127.0.0.1:50135", diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain new file mode 100644 index 00000000000..ccfb8a35792 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain @@ -0,0 +1,18 @@ +# TYPE disk_errors counter +disk_errors_total{type="netapp"} 17.0 1520879607.789 +# TYPE app info +app_info{name="open metrics collector",version="6.3.9"} 1 +# TYPE collector info +collector_info{name="metrics collector",version="8.2.7"} 1 1622329674 +# TYPE enable_category stateset +enable_category{category="shoes"} 0 +enable_category{category="shirts"} 1 +enable_category{category="shades"} 0 +# TYPE connection_errors unknown +connection_errors 42 +# TYPE cnt_rulefires_deployment counter +cnt_rulefires_deployment_total 66666.0 # {trace_id="KOO5S4vxi0o"} 0.67 +# TYPE process_cpu_seconds counter +# UNIT process_cpu_seconds seconds +# HELP process_cpu_seconds Total user and system CPU time spent in seconds. Exemplar with timestamp and labels. +process_cpu_seconds_total{entity="controller",build="8.2.7"} 11111 1622301927 # {trace_id="0d482-ac43e-d9320-debfe"} 17.0 1622302012 
diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json new file mode 100644 index 00000000000..1fd4efce52a --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json 
@@ -0,0 +1,275 @@ +[ + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "type": "gauge", + "metrics": { + "up": 1 + } + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "type": "netapp" + }, + "metrics": { + "disk_errors_total": 17 + }, + "type": "counter" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "name": "open metrics collector", + "version": "6.3.9" + }, + "metrics": { + "app_info": 1 + }, + "type": "info" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "name": "metrics collector", + "version": "8.2.7" + }, + "metrics": { + "collector_info": 1 + }, + "type": "info" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": 
"127.0.0.1:55922", + "job": "openmetrics", + "category": "shoes" + }, + "metrics": { + "enable_category": 0 + }, + "type": "stateset" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "category": "shirts" + }, + "metrics": { + "enable_category": 1 + }, + "type": "stateset" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "category": "shades" + }, + "metrics": { + "enable_category": 0 + }, + "type": "stateset" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "connection_errors": 42 + }, + "type": "unknown" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "exemplar": { + "cnt_rulefires_deployment_total": 0.67, + "labels": { + "trace_id": "KOO5S4vxi0o" + } + }, + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "cnt_rulefires_deployment_total": 66666 + }, + "type": "counter" + }, + "service": { + "address": 
"127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "exemplar": { + "labels": { + "trace_id": "0d482-ac43e-d9320-debfe" + }, + "process_cpu_seconds_total": 17.0, + "timestamp": 1622302012000 + }, + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "entity": "controller", + "build": "8.2.7" + }, + "metrics": { + "process_cpu_seconds_total": 11111 + }, + "type": "counter" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + } +] diff --git a/metricbeat/module/openmetrics/collector/collector.go b/metricbeat/module/openmetrics/collector/collector.go index ebb5837eea7..e05efa38323 100644 --- a/metricbeat/module/openmetrics/collector/collector.go +++ b/metricbeat/module/openmetrics/collector/collector.go @@ -47,7 +47,7 @@ var ( upMetricType = textparse.MetricTypeGauge upMetricInstanceLabel = "instance" upMetricJobLabel = "job" - upMetricJobValue = "prometheus" + upMetricJobValue = "openmetrics" ) func init() { @@ -63,7 +63,7 @@ type OpenMetricsEventsGenerator interface { // Start must be called before using the generator Start() - // converts a OpenMetrics metric family into a list of PromEvents + // converts a OpenMetrics metric family into a list of OpenMetricsEvents GenerateOpenMetricsEvents(mf *p.OpenMetricFamily) []OpenMetricEvent // Stop must be called when the generator won't be used anymore 
@@ -76,13 +76,13 @@ type OpenMetricsEventsGeneratorFactory func(ms mb.BaseMetricSet) (OpenMetricsEve // MetricSet for fetching openmetrics data type MetricSet struct { mb.BaseMetricSet - openmetrics p.OpenMetrics - includeMetrics []*regexp.Regexp - excludeMetrics []*regexp.Regexp - namespace string - promEventsGen OpenMetricsEventsGenerator - host string - eventGenStarted bool + openmetrics p.OpenMetrics + includeMetrics []*regexp.Regexp + excludeMetrics []*regexp.Regexp + namespace string + openMetricsEventsGen OpenMetricsEventsGenerator + host string + eventGenStarted bool } // MetricSetBuilder returns a builder function for a new OpenMetrics metricset using @@ -98,17 +98,17 @@ func MetricSetBuilder(namespace string, genFactory OpenMetricsEventsGeneratorFac return nil, err } - promEventsGen, err := genFactory(base) + openMetricsEventsGen, err := genFactory(base) if err != nil { return nil, err } ms := &MetricSet{ - BaseMetricSet: base, - openmetrics: openmetrics, - namespace: namespace, - promEventsGen: promEventsGen, - eventGenStarted: false, + BaseMetricSet: base, + openmetrics: openmetrics, + namespace: namespace, + openMetricsEventsGen: openMetricsEventsGen, + eventGenStarted: false, } // store host here to use it as a pointer when building `up` metric ms.host = ms.Host() @@ -128,7 +128,7 @@ func MetricSetBuilder(namespace string, genFactory OpenMetricsEventsGeneratorFac // Fetch fetches data and reports it func (m *MetricSet) Fetch(reporter mb.ReporterV2) error { if !m.eventGenStarted { - m.promEventsGen.Start() + m.openMetricsEventsGen.Start() m.eventGenStarted = true } 
@@ -149,42 +149,45 @@ func (m *MetricSet) Fetch(reporter mb.ReporterV2) error { if m.skipFamily(family) { continue } - promEvents := m.promEventsGen.GenerateOpenMetricsEvents(family) + openMetricsEvents := m.openMetricsEventsGen.GenerateOpenMetricsEvents(family) - for _, promEvent := range promEvents { - labelsHash := promEvent.LabelsHash() - if _, ok := eventList[promEvent.Type]; !ok { - eventList[promEvent.Type] = make(map[string]common.MapStr) + for _, openMetricEvent := range openMetricsEvents { + labelsHash := openMetricEvent.LabelsHash() + if _, ok := eventList[openMetricEvent.Type]; !ok { + eventList[openMetricEvent.Type] = make(map[string]common.MapStr) } - if _, ok := eventList[promEvent.Type][labelsHash]; !ok { - eventList[promEvent.Type][labelsHash] = common.MapStr{} + if _, ok := eventList[openMetricEvent.Type][labelsHash]; !ok { + eventList[openMetricEvent.Type][labelsHash] = common.MapStr{} // Add default instance label if not already there - if exists, _ := promEvent.Labels.HasKey(upMetricInstanceLabel); !exists { - promEvent.Labels.Put(upMetricInstanceLabel, m.Host()) + if exists, _ := openMetricEvent.Labels.HasKey(upMetricInstanceLabel); !exists { + openMetricEvent.Labels.Put(upMetricInstanceLabel, m.Host()) } // Add default job label if not already there - if exists, _ := promEvent.Labels.HasKey("job"); !exists { - promEvent.Labels.Put("job", m.Module().Name()) + if exists, _ := openMetricEvent.Labels.HasKey("job"); !exists { + openMetricEvent.Labels.Put("job", m.Module().Name()) } // Add labels - if len(promEvent.Labels) > 0 { - eventList[promEvent.Type][labelsHash]["labels"] = promEvent.Labels + if len(openMetricEvent.Labels) > 0 { + eventList[openMetricEvent.Type][labelsHash]["labels"] = openMetricEvent.Labels } } - if promEvent.Type != "" { - eventList[promEvent.Type][labelsHash]["type"] = promEvent.Type + if openMetricEvent.Help != "" { + eventList[openMetricEvent.Type][labelsHash]["help"] = openMetricEvent.Help } - if promEvent.Unit != "" { 
- eventList[promEvent.Type][labelsHash]["unit"] = promEvent.Unit + if openMetricEvent.Type != "" { + eventList[openMetricEvent.Type][labelsHash]["type"] = openMetricEvent.Type + } + if openMetricEvent.Unit != "" { + eventList[openMetricEvent.Type][labelsHash]["unit"] = openMetricEvent.Unit } - if len(promEvent.Exemplars) > 0 { - eventList[promEvent.Type][labelsHash]["exemplar"] = promEvent.Exemplars + if len(openMetricEvent.Exemplars) > 0 { + eventList[openMetricEvent.Type][labelsHash]["exemplar"] = openMetricEvent.Exemplars } // Accumulate metrics in the event - eventList[promEvent.Type][labelsHash].DeepUpdate(promEvent.Data) + eventList[openMetricEvent.Type][labelsHash].DeepUpdate(openMetricEvent.Data) } } @@ -206,7 +209,7 @@ func (m *MetricSet) Fetch(reporter mb.ReporterV2) error { // Close stops the metricset func (m *MetricSet) Close() error { if m.eventGenStarted { - m.promEventsGen.Stop() + m.openMetricsEventsGen.Stop() } return nil } diff --git a/metricbeat/module/openmetrics/collector/collector_test.go b/metricbeat/module/openmetrics/collector/collector_test.go index 210064a4679..96e536f7e94 100644 --- a/metricbeat/module/openmetrics/collector/collector_test.go +++ b/metricbeat/module/openmetrics/collector/collector_test.go @@ -381,7 +381,7 @@ func TestSkipMetricFamily(t *testing.T) { } assert.Equal(t, len(testFamilies)-2, metricsToKeep) - // test with ine include and one exclude + // test with one include and one exclude ms.includeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) ms.excludeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_b_*"}) metricsToKeep = 0 diff --git a/metricbeat/module/openmetrics/collector/data.go b/metricbeat/module/openmetrics/collector/data.go index 8b66838cd62..01e0bc9dbe4 100644 --- a/metricbeat/module/openmetrics/collector/data.go +++ b/metricbeat/module/openmetrics/collector/data.go 
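Review bot: The new `help` write, like the `type` and `unit` writes beside it, is unconditional on every iteration, while `Data` is merged across iterations with `DeepUpdate`; any event that accumulates samples from more than one family with the same `labelsHash` therefore ends up carrying the `help` (and `unit`) of whichever family was generated last, which mislabels the other metrics in that event once indexed. If one description per event is the intent, keep the first value only, e.g. `if _, set := eventList[openMetricEvent.Type][labelsHash]["help"]; !set { eventList[openMetricEvent.Type][labelsHash]["help"] = openMetricEvent.Help }`, or key the help text by metric name so it matches the per-metric layout of `Data`. Note also that `Help` is free text taken verbatim from the scraped endpoint, so it is target-controlled and unbounded in size; presumably acceptable for a metrics field, but worth confirming against the field mapping. The enclosing `Fetch` body continues outside the hunk.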
@@ -54,14 +54,13 @@ type openmetricEventGenerator struct{} func (p *openmetricEventGenerator) Start() {} func (p *openmetricEventGenerator) Stop() {} -// DefaultopenmetricEventsGenerator stores all OpenMetrics metrics using +// Default openmetricEventsGenerator stores all OpenMetrics metrics using // only double field type in Elasticsearch. func (p *openmetricEventGenerator) GenerateOpenMetricsEvents(mf *p.OpenMetricFamily) []OpenMetricEvent { var events []OpenMetricEvent name := *mf.Name metrics := mf.Metric - // info := *mf.Info help := "" unit := "" if mf.Help != nil { From 64273291a03fa441d1bd496caa7bef45dc2ca5e1 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 2 Sep 2021 00:01:43 -0700 Subject: [PATCH 05/63] Remove ; and commented code, remove import, change import to prometheuslabels --- metricbeat/helper/openmetrics/openmetrics.go | 23 +-------------- metricbeat/mb/testing/testdata.go | 2 +- .../module/openmetrics/_meta/fields.yml | 2 +- .../openmetrics/collector/_meta/data.json | 2 +- .../openmetrics/collector/collector_test.go | 29 +++++++++---------- 5 files changed, 18 insertions(+), 40 deletions(-) diff --git a/metricbeat/helper/openmetrics/openmetrics.go b/metricbeat/helper/openmetrics/openmetrics.go index 0fafac3d18e..cdeadb4dd51 100644 --- a/metricbeat/helper/openmetrics/openmetrics.go +++ b/metricbeat/helper/openmetrics/openmetrics.go @@ -400,8 +400,7 @@ func (p *openmetrics) GetFamilies() ([]*OpenMetricFamily, error) { } const ( - suffixInfo = "_info" - //suffixCreated = "_created" + suffixInfo = "_info" suffixTotal = "_total" suffixGCount = "_gcount" suffixGSum = "_gsum" @@ -414,10 +413,6 @@ func isInfo(name string) bool { return len(name) > 5 && name[len(name)-5:] == suffixInfo } -//func isCreated(name string) bool { -// return len(name) > 8 && name[len(name)-8:] == suffixCreated -//} - // Counters have _total suffix func isTotal(name string) bool { return len(name) > 6 && name[len(name)-6:] == suffixTotal 
@@ -447,7 +442,6 @@ func summaryMetricName(name string, s float64, qv string, lbls string, t *int64, var summary = &Summary{} var quantile = []*Quantile{} var quant = &Quantile{} - //var created = isCreated(name) switch { case isCount(name): @@ -457,8 +451,6 @@ func summaryMetricName(name string, s float64, qv string, lbls string, t *int64, case isSum(name): summary.SampleSum = &s name = name[:len(name)-4] - //case created: - // name = name[:len(name)-8] default: f, err := strconv.ParseFloat(qv, 64) if err != nil { @@ -488,10 +480,6 @@ func summaryMetricName(name string, s float64, qv string, lbls string, t *int64, metric.Summary.Quantile = append(metric.Summary.Quantile, quant) } - //if created { - // metric.CreatedMs = t - //} - return name, metric } @@ -499,7 +487,6 @@ func histogramMetricName(name string, s float64, qv string, lbls string, t *int6 var histogram = &Histogram{} var bucket = []*Bucket{} var bkt = &Bucket{} - //var created = isCreated(name) switch { case isCount(name): @@ -516,8 +503,6 @@ func histogramMetricName(name string, s float64, qv string, lbls string, t *int6 case isGaugeHistogram && isGSum(name): histogram.SampleSum = &s name = name[:len(name)-5] - //case created: - // name = name[:len(name)-8] default: if isBucket(name) { name = name[:len(name)-7] @@ -557,9 +542,6 @@ func histogramMetricName(name string, s float64, qv string, lbls string, t *int6 } else if bkt.UpperBound != nil { metric.Histogram.Bucket = append(metric.Histogram.Bucket, bkt) } - //if created { - // metric.CreatedMs = t - //} return name, metric } @@ -673,9 +655,6 @@ loop: var counter = &Counter{Value: &v} mn := lset.Get(labels.MetricName) metric = &OpenMetric{Name: &mn, Counter: counter, Label: labelPairs} - //if isCreated(metricName) { - // metric.CreatedMs = &t - //} lookupMetricName = metricName break case textparse.MetricTypeGauge: diff --git a/metricbeat/mb/testing/testdata.go b/metricbeat/mb/testing/testdata.go index 59dca1729e8..1755a35d24a 100644 
--- a/metricbeat/mb/testing/testdata.go +++ b/metricbeat/mb/testing/testdata.go @@ -455,7 +455,7 @@ func server(t *testing.T, path string, url string, contentType string) *httptest if contentType != "" { w.Header().Set("Content-Type", contentType) } else { - w.Header().Set("Content-Type", "application/json;") + w.Header().Set("Content-Type", "application/json") } w.WriteHeader(200) w.Write(body) diff --git a/metricbeat/module/openmetrics/_meta/fields.yml b/metricbeat/module/openmetrics/_meta/fields.yml index f92fc65de8d..12592096f5e 100644 --- a/metricbeat/module/openmetrics/_meta/fields.yml +++ b/metricbeat/module/openmetrics/_meta/fields.yml @@ -7,7 +7,7 @@ fields: - name: openmetrics type: group - # release: beta/ga + release: beta description: > `openmetrics` contains metrics from endpoints that are following Openmetrics format. fields: diff --git a/metricbeat/module/openmetrics/collector/_meta/data.json b/metricbeat/module/openmetrics/collector/_meta/data.json index 548f3b65a0e..b0af22421da 100644 --- a/metricbeat/module/openmetrics/collector/_meta/data.json +++ b/metricbeat/module/openmetrics/collector/_meta/data.json @@ -12,7 +12,7 @@ "openmetrics": { "help": "carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { - "device": "br-0cb306323b90", + "device": "br-210476dc4ef8", "job": "openmetrics" }, "metrics": { diff --git a/metricbeat/module/openmetrics/collector/collector_test.go b/metricbeat/module/openmetrics/collector/collector_test.go index 96e536f7e94..2b06dc87d6b 100644 --- a/metricbeat/module/openmetrics/collector/collector_test.go +++ b/metricbeat/module/openmetrics/collector/collector_test.go 
@@ -24,10 +24,9 @@ import ( "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/metricbeat/helper/openmetrics" - p "github.com/elastic/beats/v7/metricbeat/helper/prometheus" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/golang/protobuf/proto" - lbl "github.com/prometheus/prometheus/pkg/labels" + prometheuslabels "github.com/prometheus/prometheus/pkg/labels" "github.com/prometheus/prometheus/pkg/textparse" "github.com/stretchr/testify/assert" @@ -56,7 +55,7 @@ func TestGetPromEventsFromMetricFamily(t *testing.T) { Metric: []*openmetrics.OpenMetric{ { Name: proto.String("http_request_duration_microseconds_total"), - Label: []*lbl.Label{ + Label: []*prometheuslabels.Label{ { Name: "handler", Value: "query", @@ -202,7 +201,7 @@ func TestGetPromEventsFromMetricFamily(t *testing.T) { Type: textparse.MetricTypeUnknown, Metric: []*openmetrics.OpenMetric{ { - Label: []*lbl.Label{ + Label: []*prometheuslabels.Label{ { Name: "handler", Value: "query", @@ -244,7 +243,7 @@ func TestSkipMetricFamily(t *testing.T) { Type: textparse.MetricTypeCounter, Metric: []*openmetrics.OpenMetric{ { - Label: []*lbl.Label{ + Label: []*prometheuslabels.Label{ { Name: "handler", Value: "query", @@ -262,7 +261,7 @@ func TestSkipMetricFamily(t *testing.T) { Type: textparse.MetricTypeCounter, Metric: []*openmetrics.OpenMetric{ { - Label: []*lbl.Label{ + Label: []*prometheuslabels.Label{ { Name: "handler", Value: "query", @@ -330,7 +329,7 @@ func TestSkipMetricFamily(t *testing.T) { Type: textparse.MetricTypeUnknown, Metric: []*openmetrics.OpenMetric{ { - Label: []*lbl.Label{ + Label: []*prometheuslabels.Label{ { Name: "handler", Value: "query", 
@@ -349,8 +348,8 @@ func TestSkipMetricFamily(t *testing.T) { } // test with no filters - ms.includeMetrics, _ = p.CompilePatternList(&[]string{}) - ms.excludeMetrics, _ = p.CompilePatternList(&[]string{}) + ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{}) + ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{}) metricsToKeep := 0 for _, testFamily := range testFamilies { if !ms.skipFamily(testFamily) { @@ -360,8 +359,8 @@ func TestSkipMetricFamily(t *testing.T) { assert.Equal(t, metricsToKeep, len(testFamilies)) // test with only one include filter - ms.includeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) - ms.excludeMetrics, _ = p.CompilePatternList(&[]string{}) + ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{}) metricsToKeep = 0 for _, testFamily := range testFamilies { if !ms.skipFamily(testFamily) { @@ -371,8 +370,8 @@ func TestSkipMetricFamily(t *testing.T) { assert.Equal(t, metricsToKeep, 2) // test with only one exclude filter - ms.includeMetrics, _ = p.CompilePatternList(&[]string{""}) - ms.excludeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{""}) + ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) metricsToKeep = 0 for _, testFamily := range testFamilies { if !ms.skipFamily(testFamily) { 
@@ -382,8 +381,8 @@ func TestSkipMetricFamily(t *testing.T) { assert.Equal(t, len(testFamilies)-2, metricsToKeep) // test with one include and one exclude - ms.includeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) - ms.excludeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_b_*"}) + ms.includeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.excludeMetrics, _ = openmetrics.CompilePatternList(&[]string{"http_request_duration_microseconds_a_b_*"}) metricsToKeep = 0 for _, testFamily := range testFamilies { if !ms.skipFamily(testFamily) { From 4e4ed4476e2f8af81dc9d24a30784e73ce53528a Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 2 Sep 2021 19:45:11 -0700 Subject: [PATCH 06/63] Clean up go.sum. Add examples of multi metrics with Help,Type,Unit --- go.sum | 9 ------ metricbeat/helper/openmetrics/openmetrics.go | 21 ++++++------ .../openmetrics/collector/_meta/data.json | 2 +- .../_meta/testdata/openmetrics-features.plain | 5 +++ .../openmetrics-features.plain-expected.json | 32 ++++++++++++++++++- 5 files changed, 49 insertions(+), 20 deletions(-) diff --git a/go.sum b/go.sum index e1d4138abf4..b374d67b88d 100644 --- a/go.sum +++ b/go.sum @@ -12,7 +12,6 @@ cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxK cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.51.0 h1:PvKAVQWCtlGUSlZkGW3QLelKaWq7KYv/MW1EboG8bfM= cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= 
@@ -26,7 +25,6 @@ cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmW cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= cloud.google.com/go v0.79.0 h1:oqqswrt4x6b9OGBnNqdssxBl1xf0rSUNjU2BR4BZar0= cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= -cloud.google.com/go/bigquery v1.0.1 h1:hL+ycaJpVE9M7nLoiXb/Pn10ENE2u+oddxbD8uu0ZVU= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= 
@@ -35,16 +33,13 @@ cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4g cloud.google.com/go/bigquery v1.8.0 h1:PQcPefKFdaIzjQFbiyOgAqyx8q5djaE7x9Sqe712DPA= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/bigtable v1.2.0/go.mod h1:JcVAOl45lrTmQfLj7T6TxyMzIN/3FGGcFm+2xVAli2o= -cloud.google.com/go/datastore v1.0.0 h1:Kt+gOPPp2LEPWp8CSfxhsM8ik9CcyE/gYu+0r+RnZvM= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/pubsub v1.0.1 h1:W9tAK3E57P75u0XLLR82LZyw8VpAnhmyTOxW9qzmyj8= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub v1.3.1 h1:ukjixP1wl0LpnZ6LWtZJ0mX5tBmjp1f8Sqer8Z2OMUU= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/storage v1.0.0 h1:VV2nUM3wwLLGh9lSABFgZMjInyUbJeaRSE64WuAIQ+4= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= 
@@ -69,7 +64,6 @@ github.com/Azure/azure-pipeline-go v0.1.8/go.mod h1:XA1kFWRVhSK+KNFiOhfv83Fv8L9a github.com/Azure/azure-pipeline-go v0.1.9/go.mod h1:XA1kFWRVhSK+KNFiOhfv83Fv8L9achrP7OxIzeTn1Yg= github.com/Azure/azure-pipeline-go v0.2.1 h1:OLBdZJ3yvOn2MezlWvbrBMTEUQC72zAftRZOMdj5HYo= github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= -github.com/Azure/azure-sdk-for-go v37.1.0+incompatible h1:aFlw3lP7ZHQi4m1kWCpcwYtczhDkGhDoRaMTaxcOf68= github.com/Azure/azure-sdk-for-go v37.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v52.5.0+incompatible h1:/NLBWHCnIHtZyLPc1P7WIqi4Te4CC23kIQyK3Ep/7lA= github.com/Azure/azure-sdk-for-go v52.5.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= 
@@ -84,15 +78,12 @@ github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= -github.com/Azure/go-autorest/autorest v0.9.6 h1:5YWtOnckcudzIw8lPPBcWOnmIFWMtHci1ZWAZulMSx0= -github.com/Azure/go-autorest/autorest v0.9.6/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= github.com/Azure/go-autorest/autorest v0.11.18 h1:90Y4srNYrwOtAgVo3ndrQkTYn6kf1Eg/AjTFJ8Is2aM= github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= -github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= diff --git a/metricbeat/helper/openmetrics/openmetrics.go b/metricbeat/helper/openmetrics/openmetrics.go index cdeadb4dd51..96fafc07389 100644 --- a/metricbeat/helper/openmetrics/openmetrics.go +++ b/metricbeat/helper/openmetrics/openmetrics.go 
@@ -573,8 +573,8 @@ loop: } switch et { case textparse.EntryType: - b, t := parser.Type() - s := string(b) + buf, t := parser.Type() + s := string(buf) fam, ok = metricFamiliesByName[s] if !ok { fam = &OpenMetricFamily{Name: &s, Type: t} @@ -583,24 +583,24 @@ loop: mt = t continue case textparse.EntryHelp: - b, t := parser.Help() - s := string(b) + buf, t := parser.Help() + s := string(buf) h := string(t) fam, ok = metricFamiliesByName[s] if !ok { - fam = &OpenMetricFamily{Name: &s, Type: textparse.MetricTypeUnknown} + fam = &OpenMetricFamily{Name: &s, Help: &h, Type: textparse.MetricTypeUnknown} metricFamiliesByName[s] = fam } fam.Help = &h continue case textparse.EntryUnit: - b, t := parser.Unit() - s := string(b) + buf, t := parser.Unit() + s := string(buf) u := string(t) fam, ok = metricFamiliesByName[s] if !ok { fam = &OpenMetricFamily{Name: &s, Unit: &u, Type: textparse.MetricTypeUnknown} - metricFamiliesByName[string(b)] = fam + metricFamiliesByName[string(buf)] = fam } fam.Unit = &u continue @@ -650,12 +650,15 @@ loop: var lookupMetricName string var exm *exemplar.Exemplar + // Suffixes - https://github.com/OpenObservability/OpenMetrics/blob/main/specification/OpenMetrics.md#suffixes switch mt { case textparse.MetricTypeCounter: var counter = &Counter{Value: &v} mn := lset.Get(labels.MetricName) metric = &OpenMetric{Name: &mn, Counter: counter, Label: labelPairs} - lookupMetricName = metricName + if isTotal(metricName) { // Remove suffix _total, get lookup metricname + lookupMetricName = metricName[:len(metricName)-6] + } break case textparse.MetricTypeGauge: var gauge = &Gauge{Value: &v} diff --git a/metricbeat/module/openmetrics/collector/_meta/data.json b/metricbeat/module/openmetrics/collector/_meta/data.json index b0af22421da..9362d39b379 100644 --- a/metricbeat/module/openmetrics/collector/_meta/data.json +++ b/metricbeat/module/openmetrics/collector/_meta/data.json 
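Review bot: In the `MetricTypeCounter` case, `lookupMetricName` is now assigned only when `isTotal(metricName)` holds, so a counter sample whose name lacks the `_total` suffix leaves `lookupMetricName` at its zero value `""`, whereas the removed line set it to `metricName`; whatever the family lookup below does with that key (it lies outside the hunk) presumably files such samples under an empty name instead of their own family. The OpenMetrics spec mandates the suffix, but this parser consumes whatever the scraped endpoint emits, so the fallback should be explicit: `} else { lookupMetricName = metricName }`. The slice `metricName[:len(metricName)-6]` itself is safe because `isTotal` already requires `len(name) > 6`. The enclosing parse loop starts and ends outside the hunk.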
@@ -12,7 +12,7 @@ "openmetrics": { "help": "carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { - "device": "br-210476dc4ef8", + "device": "br-4e623477470e", "job": "openmetrics" }, "metrics": { diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain index ccfb8a35792..eb046b4b71d 100644 --- a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain @@ -1,4 +1,9 @@ +# HELP my_counter_last_increment_timestamp_milliseconds When my_counter was last incremented +# TYPE my_counter_last_increment_timestamp_milliseconds gauge +# UNIT my_counter_last_increment_timestamp_milliseconds milliseconds +my_counter_last_increment_timestamp_milliseconds 123 # TYPE disk_errors counter +# HELP disk_errors Count total disk errors disk_errors_total{type="netapp"} 17.0 1520879607.789 # TYPE app info app_info{name="open metrics collector",version="6.3.9"} 1 diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json index 1fd4efce52a..b5b58234498 100644 --- a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json 
@@ -1,4 +1,31 @@ [ + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "help": "When my_counter was last incremented", + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics" + }, + "metrics": { + "my_counter_last_increment_timestamp_milliseconds": 123 + }, + "type": "gauge", + "unit": "milliseconds" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, { "event": { "dataset": "openmetrics.collector", @@ -35,6 +62,7 @@ "period": 10000 }, "openmetrics": { + "help":"Count total disk errors", "labels": { "instance": "127.0.0.1:55922", "job": "openmetrics", @@ -256,6 +284,7 @@ "process_cpu_seconds_total": 17.0, "timestamp": 1622302012000 }, + "help":"Total user and system CPU time spent in seconds. Exemplar with timestamp and labels.", "labels": { "instance": "127.0.0.1:55922", "job": "openmetrics", @@ -265,7 +294,8 @@ "metrics": { "process_cpu_seconds_total": 11111 }, - "type": "counter" + "type": "counter", + "unit":"seconds" }, "service": { "address": "127.0.0.1:55555", From be593843d00587ce5676460b3d719e02ff321cb7 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 2 Sep 2021 19:49:57 -0700 Subject: [PATCH 07/63] Cleaned up - go mod tidy --- go.mod | 6 ------ go.sum | 40 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 38 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 5670793ca8a..864308e009d 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,6 @@ require ( github.com/Azure/azure-event-hubs-go/v3 v3.1.2 github.com/Azure/azure-sdk-for-go v52.5.0+incompatible github.com/Azure/azure-storage-blob-go v0.8.0 - github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect github.com/Azure/go-autorest/autorest v0.11.18 github.com/Azure/go-autorest/autorest/adal v0.9.15 github.com/Azure/go-autorest/autorest/azure/auth v0.4.2 
@@ -110,9 +109,7 @@ require ( github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 github.com/jonboulle/clockwork v0.2.2 github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd - github.com/jpillora/backoff v1.0.0 // indirect github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7 - github.com/kolide/osquery-go v0.0.0-20200604192029-b019be7063ac // indirect github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01 github.com/magefile/mage v1.11.0 github.com/mattn/go-colorable v0.1.6 @@ -122,7 +119,6 @@ require ( github.com/mitchellh/gox v1.0.1 github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51 github.com/mitchellh/mapstructure v1.4.1 - github.com/morikuni/aec v1.0.0 // indirect github.com/oklog/ulid v1.3.1 github.com/olekukonko/tablewriter v0.0.5 github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 // indirect @@ -139,12 +135,10 @@ require ( github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e // indirect github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54 github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522 // indirect - github.com/satori/go.uuid v1.2.0 // indirect github.com/shirou/gopsutil v3.20.12+incompatible github.com/shopspring/decimal v1.2.0 github.com/spf13/cobra v0.0.5 github.com/spf13/pflag v1.0.5 - github.com/stretchr/objx v0.2.0 // indirect github.com/stretchr/testify v1.7.0 github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786 diff --git a/go.sum b/go.sum index b374d67b88d..c1edb13995f 100644 --- a/go.sum +++ b/go.sum 
@@ -101,6 +101,7 @@ github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxB github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= 
@@ -128,10 +129,12 @@ github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF0 github.com/Microsoft/hcsshim v0.8.7 h1:ptnOoufxGSzauVTsdE+wMYnCWA301PdoN4xg5oRdZpg= github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/Shopify/toxiproxy v2.1.4+incompatible h1:TKdv8HiTLgE5wdJuEML90aBgNWsokNbMijUGhmcoBJc= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6 h1:2Gl9Tray0NEjP9KC0FjdGWlszbmTIsBP3JYzgyFdL4E= github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= 
@@ -166,6 +169,7 @@ github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f h1:33BV5v3u8I6dA2dEoPuXWCsAaHHOJfPtdxZhAMQV4uo= github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= +github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 h1:afT88tB6u9JCKQZVAAaa9ICz/uGn5Uw9ekn6P22mYKM= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77/go.mod h1:bXvGk6IkT1Agy7qzJ+DjIw/SJ1AaB3AvAuMDVV+Vkoo= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= @@ -208,6 +212,7 @@ github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible/go.mod h1:r7ao+4tTNXvWm+VRpRJchr2kQhqxgmAp2iEX5W96gMM= github.com/c-bata/go-prompt v0.2.2/go.mod h1:VzqtzE2ksDBcdln8G7mk2RX9QyGjH+OVqOCSiVIqS34= github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ= +github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e h1:YYUjy5BRwO5zPtfk+aa2gw255FIIoi93zMmuy19o0bc= github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e/go.mod h1:V284PjgVwSk4ETmz84rpu9ehpGg7swlIH8npP9k2bGw= github.com/cavaliercoder/go-rpm v0.0.0-20190131055624-7a9c54e3d83e h1:Gbx+iVCXG/1m5WSnidDGuHgN+vbIwl+6fR092ANU+Y8= github.com/cavaliercoder/go-rpm v0.0.0-20190131055624-7a9c54e3d83e/go.mod h1:AZIh1CCnMrcVm6afFf96PBvE2MRpWFco91z8ObJtgDY= 
@@ -234,6 +239,7 @@ github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnht github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= +github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 h1:sDMmm+q/3+BukdIpxwO365v/Rbspp2Nt5XntgQRXq8Q= github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM= github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko= github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= @@ -266,6 +272,7 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:ma github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/cucumber/godog v0.8.1 h1:lVb+X41I4YDreE+ibZ50bdXmySxgRviYFgKY6Aw4XE8= github.com/cucumber/godog v0.8.1/go.mod h1:vSh3r/lM+psC1BPXvdkSEuNjmXfpVqrMGYAElF6hxnA= github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg= github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= 
@@ -370,6 +377,7 @@ github.com/elastic/gosigar v0.14.1 h1:T0aQ7n/n2ZA9W7DmAnj60v+qzqKERdBgJBO1CG2W6r github.com/elastic/gosigar v0.14.1/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs= github.com/elastic/sarama v1.19.1-0.20210120173147-5c8cb347d877 h1:C9LsbipColsz04JKpKoLlp0pgMJRLq2uXVTeKRDcNcY= github.com/elastic/sarama v1.19.1-0.20210120173147-5c8cb347d877/go.mod h1:g5s5osgELxgM+Md9Qni9rzo7Rbt+vvFQI4bt/Mc93II= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g= 
@@ -386,9 +394,11 @@ github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= +github.com/frankban/quicktest v1.10.2 h1:19ARM85nVi4xH7xPXuc5eM/udya5ieh7b/Sv+d844Tk= github.com/frankban/quicktest v1.10.2/go.mod h1:K+q6oSqb0W0Ininfk863uOk1lMy69l/P6txr3mVT54s= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= 
@@ -410,6 +420,7 @@ github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7 github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc= github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab h1:xveKWz2iaueeTaUgdetzel+U7exyigDYBryyVfV/rZk= github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8= github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647 h1:whypLownH338a3Ork2w9t0KUKtVxbXYySuz7V1YGsJo= github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= @@ -616,8 +627,10 @@ github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0 h1:OggOMmdI0JLwg1FkOKH9S7fVHF0oEm8PX6S8kAdpOps= github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M= +github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.1.0 h1:wCKgOCHuUEVfsaQLpPSJb7VdYCdTVZQAuOdYm1yc/60= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 
@@ -644,6 +657,7 @@ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5m github.com/googleapis/gnostic v0.4.1 h1:DLJCy1n/vrD4HPjOvYcT8aYQXpPIzoRZONaYwyycI+I= github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= github.com/gophercloud/gophercloud v0.16.0/go.mod h1:wRtmUelyIIv3CSSDI47aUwbs075O6i+LY+pXsKCBsb4= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75 h1:f0n1xnMSmBLzVfsMMvriDyA75NB/oBgILX2GcHXIQzY= github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA= @@ -674,6 +688,7 @@ github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVoDkXMzJM= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-hclog v0.12.0 h1:d4QkX8FRTYaKaCZBoXYY8zJX2BXjWxurN/GA2tkrmZM= github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= 
@@ -714,6 +729,7 @@ github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKEN github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95 h1:S4qyfL2sEm5Budr4KVMyEniCy+PbS55651I/a+Kn/NQ= github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95/go.mod h1:QiyDdbZLaJ/mZP4Zwc9g2QsfaEA4o7XvvgZegSci5/E= github.com/hetznercloud/hcloud-go v1.24.0/go.mod h1:3YmyK8yaZZ48syie6xpm3dt26rtB6s65AisBHylXYFA= +github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 
@@ -740,11 +756,13 @@ github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJS github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5 h1:lrdPtrORjGv1HbbEvKWDUAy97mPpFm4B8hp77tcCUJY= github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks= github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 h1:rp+c0RAYOWj8l6qbCUTSiRLG/iKnW3K3/QfPPuSsBt4= github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak= +github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc= github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ= 
@@ -766,6 +784,7 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1 github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfEUpgAwUN0o= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/jsternberg/zap-logfmt v1.0.0/go.mod h1:uvPs/4X51zdkcm5jXl5SYoN+4RK21K8mysFmDaM/h+o= +github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= @@ -788,7 +807,6 @@ github.com/klauspost/compress v1.11.0/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYs github.com/klauspost/cpuid v0.0.0-20170728055534-ae7887de9fa5/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= github.com/klauspost/crc32 v0.0.0-20161016154125-cb6bfca970f6/go.mod h1:+ZoRqAPRLkC4NPOvfYeR5KNOrY6TD+/sAC3HXPZgDYg= github.com/klauspost/pgzip v1.0.2-0.20170402124221-0bf5dcad4ada/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= -github.com/kolide/osquery-go v0.0.0-20200604192029-b019be7063ac/go.mod h1:rp36fokOKgd/5mOgbvv4fkpdaucQ43mnvb+8BR62Xo8= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8= 
@@ -796,10 +814,12 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxv github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= @@ -824,6 +844,7 @@ github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsI github.com/markbates/pkger v0.17.0 h1:RFfyBPufP2V6cddUyyEVSHBpaAnM1WzaMNyqomeT+iY= github.com/markbates/pkger v0.17.0/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI= github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= +github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11 h1:YFh+sjyJTMQSYjKwM4dFKhJPJC/wfo98tPUc17HdoYw= github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11/go.mod h1:Ah2dBMoxZEqk118as2T4u4fjfXarE0pPnMJaArZQZsI= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= 
@@ -844,6 +865,7 @@ github.com/mattn/go-runewidth v0.0.3/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0= github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= +github.com/mattn/go-sqlite3 v1.11.0 h1:LDdKkqtYlom37fkvqs8rMPFKAMe8+SgjbwZ6ex1/A/Q= github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= github.com/mattn/go-tty v0.0.0-20180907095812-13ff1204f104/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= @@ -858,6 +880,7 @@ github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXx github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= 
@@ -896,6 +919,7 @@ github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzE github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= @@ -910,10 +934,12 @@ github.com/onsi/ginkgo v1.5.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw= github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.2.0/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= 
@@ -947,7 +973,9 @@ github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJCh github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo= +github.com/otiai10/mint v1.3.1 h1:BCmzIS3n71sGfHB5NMNDB3lHYPz8fWSkCAErHed//qc= github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= +github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2 h1:CXwSGu/LYmbjEab5aMCs5usQRVBGThelUKBNnoSOuso= github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOThbttwfYRNFOWLLVXMhk5Lkio4GGOtw5UrxS0= github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= 
@@ -1068,12 +1096,15 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMB github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI= github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= 
@@ -1131,6 +1162,7 @@ github.com/urso/go-bin v0.0.0-20180220135811-781c575c9f0e h1:NiofbjIUI5gR+ybDsGS github.com/urso/go-bin v0.0.0-20180220135811-781c575c9f0e/go.mod h1:6GfHrdWBQYjFRIznu7XuQH4lYB2w8nO4bnImVKkzPOM= github.com/urso/magetools v0.0.0-20190919040553-290c89e0c230 h1:Ft1EJ6JL0F/RV6o2qJ1Be+wYxjYUSfRA3srfHgSgojc= github.com/urso/magetools v0.0.0-20190919040553-290c89e0c230/go.mod h1:DFxTNgS/ExCGmmjVjSOgS2WjtfjKXgCyDzAFgbtovSA= +github.com/urso/qcgen v0.0.0-20180131103024-0b059e7db4f4 h1:hhA8EBThzz9PztawVTycKvfETVuBqxAQ5keFlAVtbAw= github.com/urso/qcgen v0.0.0-20180131103024-0b059e7db4f4/go.mod h1:RspW+E2Yb7Fs7HclB2tiDaiu6Rp41BiIG4Wo1YaoXGc= github.com/urso/sderr v0.0.0-20210525210834-52b04e8f5c71 h1:CehQeKbysHV8J2V7AD0w8NL2x1h04kmmo/Ft5su4lU0= github.com/urso/sderr v0.0.0-20210525210834-52b04e8f5c71/go.mod h1:Wp40HwmjM59FkDIVFfcCb9LzBbnc0XAMp8++hJuWvSU= @@ -1196,6 +1228,7 @@ go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.0.0/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= +go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0 h1:sFPn2GLc3poCkfrpIXGhBD2X0CMIo4Q/zSULXrj/+uc= 
@@ -1352,7 +1385,6 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180810173357-98c5dad5d1a0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180815093151-14742f9018cd/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -1584,9 +1616,11 @@ gopkg.in/check.v1 v1.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U= gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/fsnotify/fsnotify.v1 v1.4.7/go.mod h1:Fyux9zXlo4rWoMSIzpn9fDAYjalPqJ/K1qJ27s+7ltE= gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= 
@@ -1606,6 +1640,7 @@ gopkg.in/jcmturner/rpc.v1 v1.1.0/go.mod h1:YIdkC4XfD6GXbzje11McwsDuOlZQSb9W4vfLv gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528 h1:/saqWwm73dLmuzbNhe92F0QsZ/KiFND+esHco2v1hiY= gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= @@ -1629,6 +1664,7 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81 gotest.tools/gotestsum v0.6.0 h1:0zIxynXq9gkAcRpboAi3qOQIkZkCt/stfQzd7ab7Czs= gotest.tools/gotestsum v0.6.0/go.mod h1:LEX+ioCVdeWhZc8GYfiBRag360eBhwixWJ62R9eDQtI= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= +gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From cdd75fa0d22e2ff1ce4dceaee904a3e1e2077426 Mon Sep 17 00:00:00 2001 
From: Premendra Singh
Date: Sun, 5 Sep 2021 21:42:25 -0700
Subject: [PATCH 08/63] Added config parameters enable_exemplars, enable_metadata to control output of Exemplars, Type, Unit, Help, disabled by default. Updated test cases

---
 .../openmetrics/collector/_meta/data.json | 11 +-
 .../collector/_meta/testdata/docs.plain | 17 +-
 .../_meta/testdata/docs.plain-expected.json | 234 +-----------------
 .../openmetrics-features.plain-expected.json | 49 +---
 .../module/openmetrics/collector/collector.go | 31 ++-
 .../module/openmetrics/collector/config.go | 6 +-
 .../module/openmetrics/collector/data.go | 14 ++
 7 files changed, 69 insertions(+), 293 deletions(-)

diff --git a/metricbeat/module/openmetrics/collector/_meta/data.json b/metricbeat/module/openmetrics/collector/_meta/data.json
index 9362d39b379..425e2d297c0 100644
--- a/metricbeat/module/openmetrics/collector/_meta/data.json
+++ b/metricbeat/module/openmetrics/collector/_meta/data.json
@@ -10,15 +10,14 @@
 "period": 10000
 },
 "openmetrics": {
- "help": "carrier value of /sys/class/net/\u003ciface\u003e.",
 "labels": {
- "device": "br-4e623477470e",
- "job": "openmetrics"
+ "job": "openmetrics",
+ "listener_name": "http"
 },
 "metrics": {
- "node_network_carrier": 0
- },
- "type": "gauge"
+ "net_conntrack_listener_conn_accepted_total": 3,
+ "net_conntrack_listener_conn_closed_total": 0
+ }
 },
 "service": {
 "address": "127.0.0.1:55555",
diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain
index 47c3b38aedb..d5f0fd96fab 100644
--- a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain
+++ b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain
@@ -1,11 +1,6 @@
-# HELP node_network_carrier carrier value of /sys/class/net/.
-# TYPE node_network_carrier gauge
-node_network_carrier{device="br-0cb306323b90"} 0
-node_network_carrier{device="br-10229e3512d9"} 0
-node_network_carrier{device="br-210476dc4ef8"} 0
-node_network_carrier{device="br-33d819d5f834"} 0
-node_network_carrier{device="br-38425a39f36b"} 0
-node_network_carrier{device="br-38feb0aad6ab"} 0
-node_network_carrier{device="br-3a285aa5e58c"} 0
-node_network_carrier{device="br-425cb4c454a6"} 0
-node_network_carrier{device="br-4e623477470e"} 0
+# HELP net_conntrack_listener_conn_accepted Total number of connections opened to the listener of a given name.
+# TYPE net_conntrack_listener_conn_accepted counter
+net_conntrack_listener_conn_accepted_total{listener_name="http"} 3
+# HELP net_conntrack_listener_conn_closed Total number of connections closed that were made to the listener of a given name.
+# TYPE net_conntrack_listener_conn_closed counter
+net_conntrack_listener_conn_closed_total{listener_name="http"} 0
diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json
index 2187dc422f2..e1244391ba7 100644
--- a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json
+++ b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json
@@ -10,95 +10,13 @@ "period": 10000 }, "openmetrics": { - "help":"carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { - "device": "br-10229e3512d9", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - }, - "type": "gauge" - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "help":"carrier value of /sys/class/net/\u003ciface\u003e.", - "labels": { - "device": "br-425cb4c454a6", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - }, - "type": "gauge" - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "help":"carrier value of /sys/class/net/\u003ciface\u003e.", - "labels": { - "device": "br-38425a39f36b", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - }, - "type": "gauge" - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "labels": { - "instance": "127.0.0.1:50135", + "instance": "127.0.0.1:55922", "job": "openmetrics" }, "metrics": { "up": 1 - }, - "type": "gauge" + } }, "service": { "address": "127.0.0.1:55555", 
@@ -116,151 +34,15 @@ "period": 10000 }, "openmetrics": { - "help":"carrier value of /sys/class/net/\u003ciface\u003e.", "labels": { - "device": "br-33d819d5f834", - "instance": "127.0.0.1:50135", - "job": "openmetrics" + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "listener_name": "http" }, "metrics": { - "node_network_carrier": 0 - }, - "type": "gauge" - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "help":"carrier value of /sys/class/net/\u003ciface\u003e.", - "labels": { - "device": "br-4e623477470e", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - }, - "type": "gauge" - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "help":"carrier value of /sys/class/net/\u003ciface\u003e.", - "labels": { - "device": "br-210476dc4ef8", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - }, - "type": "gauge" - - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "help":"carrier value of /sys/class/net/\u003ciface\u003e.", - "labels": { - "device": "br-0cb306323b90", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - }, - "type": "gauge" - - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } }, - { - "event": 
{ - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "help":"carrier value of /sys/class/net/\u003ciface\u003e.", - "labels": { - "device": "br-38feb0aad6ab", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - }, - "type": "gauge" - }, - "service": { - "address": "127.0.0.1:55555", - "type": "openmetrics" - } - }, - { - "event": { - "dataset": "openmetrics.collector", - "duration": 115000, - "module": "openmetrics" - }, - "metricset": { - "name": "collector", - "period": 10000 - }, - "openmetrics": { - "help":"carrier value of /sys/class/net/\u003ciface\u003e.", - "labels": { - "device": "br-3a285aa5e58c", - "instance": "127.0.0.1:50135", - "job": "openmetrics" - }, - "metrics": { - "node_network_carrier": 0 - }, - "type": "gauge" + "net_conntrack_listener_conn_accepted_total": 3, + "net_conntrack_listener_conn_closed_total": 0 + } }, "service": { "address": "127.0.0.1:55555", diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json index b5b58234498..911fce38c3a 100644 --- a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json @@ -10,16 +10,13 @@ "period": 10000 }, "openmetrics": { - "help": "When my_counter was last incremented", "labels": { "instance": "127.0.0.1:55922", "job": "openmetrics" }, "metrics": { "my_counter_last_increment_timestamp_milliseconds": 123 - }, - "type": "gauge", - "unit": "milliseconds" + } }, "service": { "address": "127.0.0.1:55555", @@ -41,7 +38,6 @@ "instance": "127.0.0.1:55922", "job": "openmetrics" }, - "type": "gauge", "metrics": { "up": 1 } 
@@ -62,7 +58,6 @@ "period": 10000 }, "openmetrics": { - "help":"Count total disk errors", "labels": { "instance": "127.0.0.1:55922", "job": "openmetrics", @@ -70,8 +65,7 @@ }, "metrics": { "disk_errors_total": 17 - }, - "type": "counter" + } }, "service": { "address": "127.0.0.1:55555", @@ -97,8 +91,7 @@ }, "metrics": { "app_info": 1 - }, - "type": "info" + } }, "service": { "address": "127.0.0.1:55555", @@ -124,8 +117,7 @@ }, "metrics": { "collector_info": 1 - }, - "type": "info" + } }, "service": { "address": "127.0.0.1:55555", @@ -150,8 +142,7 @@ }, "metrics": { "enable_category": 0 - }, - "type": "stateset" + } }, "service": { "address": "127.0.0.1:55555", @@ -176,8 +167,7 @@ }, "metrics": { "enable_category": 1 - }, - "type": "stateset" + } }, "service": { "address": "127.0.0.1:55555", @@ -202,8 +192,7 @@ }, "metrics": { "enable_category": 0 - }, - "type": "stateset" + } }, "service": { "address": "127.0.0.1:55555", @@ -227,8 +216,7 @@ }, "metrics": { "connection_errors": 42 - }, - "type": "unknown" + } }, "service": { "address": "127.0.0.1:55555", @@ -246,20 +234,13 @@ "period": 10000 }, "openmetrics": { - "exemplar": { - "cnt_rulefires_deployment_total": 0.67, - "labels": { - "trace_id": "KOO5S4vxi0o" - } - }, "labels": { "instance": "127.0.0.1:55922", "job": "openmetrics" }, "metrics": { "cnt_rulefires_deployment_total": 66666 - }, - "type": "counter" + } }, "service": { "address": "127.0.0.1:55555", @@ -277,14 +258,6 @@ "period": 10000 }, "openmetrics": { - "exemplar": { - "labels": { - "trace_id": "0d482-ac43e-d9320-debfe" - }, - "process_cpu_seconds_total": 17.0, - "timestamp": 1622302012000 - }, - "help":"Total user and system CPU time spent in seconds. Exemplar with timestamp and labels.", "labels": { "instance": "127.0.0.1:55922", "job": "openmetrics", @@ -293,9 +266,7 @@ }, "metrics": { "process_cpu_seconds_total": 11111 - }, - "type": "counter", - "unit":"seconds" + } }, "service": { "address": "127.0.0.1:55555", 
diff --git a/metricbeat/module/openmetrics/collector/collector.go b/metricbeat/module/openmetrics/collector/collector.go
index e05efa38323..ba3e9ea6e59 100644
--- a/metricbeat/module/openmetrics/collector/collector.go
+++ b/metricbeat/module/openmetrics/collector/collector.go
@@ -83,6 +83,8 @@ type MetricSet struct {
 openMetricsEventsGen OpenMetricsEventsGenerator
 host string
 eventGenStarted bool
+ enableExemplars bool
+ enableMetadata bool
 }
 // MetricSetBuilder returns a builder function for a new OpenMetrics metricset using
@@ -109,6 +111,8 @@ func MetricSetBuilder(namespace string, genFactory OpenMetricsEventsGeneratorFac
 namespace: namespace,
 openMetricsEventsGen: openMetricsEventsGen,
 eventGenStarted: false,
+ enableExemplars: config.EnableExemplars,
+ enableMetadata: config.EnableMetadata,
 }
 // store host here to use it as a pointer when building `up` metric
 ms.host = ms.Host()
@@ -152,7 +156,12 @@ func (m *MetricSet) Fetch(reporter mb.ReporterV2) error {
 openMetricsEvents := m.openMetricsEventsGen.GenerateOpenMetricsEvents(family)
 for _, openMetricEvent := range openMetricsEvents {
- labelsHash := openMetricEvent.LabelsHash()
+ var labelsHash string
+ if m.enableMetadata {
+ labelsHash = openMetricEvent.MetaDataHash()
+ } else {
+ labelsHash = openMetricEvent.LabelsHash()
+ }
 if _, ok := eventList[openMetricEvent.Type]; !ok {
 eventList[openMetricEvent.Type] = make(map[string]common.MapStr)
 }
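Review bot: The new `enableExemplars` and `enableMetadata` fields on MetricSet carry no comment, although the later hunks in this file make `enableMetadata` change both what is emitted and how samples are grouped into events. Suggested comments next to the fields: `// enableExemplars copies a metric's exemplars into the emitted event.` and `// enableMetadata emits help/type/unit and keys event grouping on MetaDataHash instead of LabelsHash.` The MetricSet struct begins outside the hunk.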
@@ -173,17 +182,19 @@ func (m *MetricSet) Fetch(reporter mb.ReporterV2) error {
 }
 }
- if openMetricEvent.Help != "" {
- eventList[openMetricEvent.Type][labelsHash]["help"] = openMetricEvent.Help
- }
- if openMetricEvent.Type != "" {
- eventList[openMetricEvent.Type][labelsHash]["type"] = openMetricEvent.Type
- }
- if openMetricEvent.Unit != "" {
- eventList[openMetricEvent.Type][labelsHash]["unit"] = openMetricEvent.Unit
+ if m.enableMetadata {
+ if openMetricEvent.Help != "" {
+ eventList[openMetricEvent.Type][labelsHash]["help"] = openMetricEvent.Help
+ }
+ if openMetricEvent.Type != "" {
+ eventList[openMetricEvent.Type][labelsHash]["type"] = openMetricEvent.Type
+ }
+ if openMetricEvent.Unit != "" {
+ eventList[openMetricEvent.Type][labelsHash]["unit"] = openMetricEvent.Unit
+ }
 }
- if len(openMetricEvent.Exemplars) > 0 {
+ if m.enableExemplars && len(openMetricEvent.Exemplars) > 0 {
 eventList[openMetricEvent.Type][labelsHash]["exemplar"] = openMetricEvent.Exemplars
 }
 // Accumulate metrics in the event
diff --git a/metricbeat/module/openmetrics/collector/config.go b/metricbeat/module/openmetrics/collector/config.go
index 1a2c5688177..0e5a9884db4 100644
--- a/metricbeat/module/openmetrics/collector/config.go
+++ b/metricbeat/module/openmetrics/collector/config.go
@@ -18,7 +18,9 @@ package collector
 type metricsetConfig struct {
- MetricsFilters MetricFilters `config:"metrics_filters" yaml:"metrics_filters,omitempty"`
+ MetricsFilters MetricFilters `config:"metrics_filters" yaml:"metrics_filters,omitempty"`
+ EnableExemplars bool `config:"enable_exemplars" yaml:"enable_exemplars,omitempty"`
+ EnableMetadata bool `config:"enable_metadata" yaml:"enable_metadata,omitempty"`
 }
 type MetricFilters struct {
@@ -30,6 +32,8 @@ var defaultConfig = metricsetConfig{
 MetricsFilters: MetricFilters{
 IncludeMetrics: nil,
 ExcludeMetrics: nil},
+ EnableExemplars: false,
+ EnableMetadata: false,
 }
 func (c *metricsetConfig) Validate() error {
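Review bot: With enableExemplars on and enableMetadata off, the line `eventList[openMetricEvent.Type][labelsHash]["exemplar"] = openMetricEvent.Exemplars` overwrites whatever exemplar map an earlier metric stored under the same label hash, because labelsHash is then computed from labels alone and same-type metrics sharing a label set are merged into one event. The last metric processed wins and the earlier exemplars vanish without a log line. If that is the intended trade-off, say so at this line, e.g. `// metadata off: metrics that share a label set also share one exemplar slot, last one wins`; otherwise derive labelsHash with MetaDataHash whenever either flag is set, or merge the maps instead of assigning. Fetch continues beyond the hunk, so I cannot see whether a later step merges exemplars.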
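Review bot: `EnableExemplars` and `EnableMetadata` are exported config fields without doc comments, and nothing in the hunk explains what the `enable_exemplars`/`enable_metadata` settings do to the output. Suggested: `// EnableExemplars includes OpenMetrics exemplars in the emitted events.` and `// EnableMetadata adds help, type and unit to the events and keeps metrics with identical labels but different metadata in separate events.`, the second sentence reflecting the collector.go change in this patch. In the defaults hunk below, `EnableExemplars: false` and `EnableMetadata: false` only restate the zero value; a comment there saying both are opt-in would carry more information than the explicit false.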
diff --git a/metricbeat/module/openmetrics/collector/data.go b/metricbeat/module/openmetrics/collector/data.go
index 01e0bc9dbe4..e341873c714 100644
--- a/metricbeat/module/openmetrics/collector/data.go
+++ b/metricbeat/module/openmetrics/collector/data.go
@@ -43,6 +43,20 @@ type OpenMetricEvent struct {
 func (p *OpenMetricEvent) LabelsHash() string {
 return labelhash.LabelHash(p.Labels)
 }
+func (p *OpenMetricEvent) MetaDataHash() string {
+ m := common.MapStr{}
+ m.DeepUpdate(p.Labels)
+ if len(p.Help) > 0 {
+ m["help"] = p.Help
+ }
+ if len(p.Type) > 0 {
+ m["type"] = p.Type
+ }
+ if len(p.Unit) > 0 {
+ m["unit"] = p.Unit
+ }
+ return labelhash.LabelHash(m)
+}
 // DefaultOpenMetricEventsGeneratorFactory returns the default OpenMetrics events generator
 func DefaultOpenMetricsEventsGeneratorFactory(ms mb.BaseMetricSet) (OpenMetricsEventsGenerator, error) {
From 1cab38187182b3ec993350574d2d934b0e51fbca Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Mon, 6 Sep 2021 12:50:12 -0700
Subject: [PATCH 09/63] Fix test cases, clean up, config for contentType
---
 metricbeat/helper/openmetrics/openmetrics.go | 4 +-
 metricbeat/mb/testing/data/data_test.go | 7 +--
 metricbeat/mb/testing/testdata.go | 33 ++++++------
 .../openmetrics/collector/_meta/data.json | 9 ++--
 .../collector/_meta/testdata/config.yml | 4 ++
 .../_meta/testdata/docs.plain-expected.json | 35 +++++++++++--
 .../openmetrics-features.plain-expected.json | 51 +++++++++++++++----
 .../openmetrics/collector/collector_test.go | 2 +-
 metricbeat/module/openmetrics/fields.go | 2 +-
 9 files changed, 101 insertions(+), 46 deletions(-)
diff --git a/metricbeat/helper/openmetrics/openmetrics.go b/metricbeat/helper/openmetrics/openmetrics.go
index 96fafc07389..639dbe8b1a4 100644
--- a/metricbeat/helper/openmetrics/openmetrics.go
+++ b/metricbeat/helper/openmetrics/openmetrics.go
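Review bot: `MetaDataHash` stores `help`, `type` and `unit` in the same map as the copied labels, so a label that happens to be named `help`, `type` or `unit` (a `type` label is common on exported metrics) is replaced by the metadata before hashing, and two series that differ only in that label hash identically and get merged by Fetch. Keys that cannot clash with a label name avoid this, e.g. `m["__help"] = p.Help`, `m["__type"] = p.Type`, `m["__unit"] = p.Unit`, since the `__` prefix is reserved for internal labels in the Prometheus data model. The method is exported and lacks a doc comment; suggested: `// MetaDataHash hashes the labels together with help, type and unit so that metrics with identical labels but different metadata are not merged into one event.` The hunk line counts also suggest the new function sits directly against LabelsHash's closing brace with no blank line, while a blank does separate it from the factory comment below.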
@@ -45,7 +45,7 @@ import (
 "github.com/elastic/beats/v7/metricbeat/mb"
 )
-const acceptHeader = `application/openmetrics-text; version=0.0.1,text/plain;version=0.0.4;q=0.5,*/*;q=0.1`
+const acceptHeader = `application/openmetrics-text; version=1.0.0; charset=utf-8,text/plain`
 var errNameLabelMandatory = fmt.Errorf("missing metric name (%s label)", labels.MetricName)
@@ -604,6 +604,8 @@ loop:
 }
 fam.Unit = &u
 continue
+ case textparse.EntryComment:
+ continue
 default:
 }
diff --git a/metricbeat/mb/testing/data/data_test.go b/metricbeat/mb/testing/data/data_test.go
index 0d4050c739e..b81b8142676 100644
--- a/metricbeat/mb/testing/data/data_test.go
+++ b/metricbeat/mb/testing/data/data_test.go
@@ -42,12 +42,7 @@ func TestAll(t *testing.T) {
 t.Run(fmt.Sprintf("%s.%s", moduleName, metricSetName), func(t *testing.T) {
 config := mbtest.ReadDataConfig(t, f)
- mbtest.TestDataFilesWithConfig(t, moduleName, metricSetName, config, "application/json")
- })
-
- t.Run(fmt.Sprintf("%s.%s", moduleName, metricSetName), func(t *testing.T) {
- config := mbtest.ReadDataConfig(t, f)
- mbtest.TestDataFilesWithConfig(t, moduleName, metricSetName, config, "application/openmetrics-text")
+ mbtest.TestDataFilesWithConfig(t, moduleName, metricSetName, config)
 })
 }
 }
diff --git a/metricbeat/mb/testing/testdata.go b/metricbeat/mb/testing/testdata.go
index 1755a35d24a..ea89c68c39a 100644
--- a/metricbeat/mb/testing/testdata.go
+++ b/metricbeat/mb/testing/testdata.go
@@ -43,6 +43,7 @@ import (
 const (
 expectedExtension = "-expected.json"
+ applicationJson = "application/json"
 )
 // DataConfig is the configuration for testdata tests
@@ -75,6 +76,9 @@ type DataConfig struct {
 // URL of the endpoint that must be tested depending on each module
 URL string
+ // ContentType of the data being returned by server
+ ContentType string `yaml:"content_type"`
+
 // Suffix is the extension of the source file with the input contents. Defaults to `json`, `plain` is also a common use.
 Suffix string
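Review bot: The new `acceptHeader` drops the `q=` weights and the `*/*;q=0.1` fallback, so the client now advertises only `application/openmetrics-text` and `text/plain` at equal preference. A server that negotiates strictly and offers neither range as written could answer 406 where the old header let it fall back to any representation, and the `version=0.0.4` parameter that identified the Prometheus text format on `text/plain` is gone as well. If OpenMetrics 1.0.0 is to be preferred while the Prometheus text exposition stays acceptable, explicit weights state that intent, e.g. `application/openmetrics-text;version=1.0.0;charset=utf-8,text/plain;version=0.0.4;q=0.5,*/*;q=0.1`. A comment on the constant naming the formats the parser below handles would help future edits.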
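Review bot: `applicationJson` violates Go's initialism convention (staticcheck ST1003); name it `applicationJSON`, which touches only this line and the `ContentType: applicationJson,` line of defaultDataConfig in the next hunk. A comment such as `// applicationJSON is the Content-Type served when a testdata config does not set content_type.` would also record why the constant exists.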
@@ -107,9 +111,10 @@ type DataConfig struct {
 func defaultDataConfig() DataConfig {
 return DataConfig{
- Path: ".",
- WritePath: ".",
- Suffix: "json",
+ Path: ".",
+ WritePath: ".",
+ Suffix: "json",
+ ContentType: applicationJson,
 }
 }
@@ -138,19 +143,15 @@ func TestDataConfig(t *testing.T) DataConfig {
 }
 // TestDataFiles run tests with config from the usual path (`_meta/testdata`)
-func TestDataFiles(t *testing.T, module, metricSet string, contentType ...string) {
+func TestDataFiles(t *testing.T, module, metricSet string) {
 t.Helper()
 config := TestDataConfig(t)
- ct := ""
- if len(contentType) > 0 {
- ct = contentType[0]
- }
- TestDataFilesWithConfig(t, module, metricSet, config, ct)
+ TestDataFilesWithConfig(t, module, metricSet, config)
 }
 // TestDataFilesWithConfig run tests for a testdata config
-func TestDataFilesWithConfig(t *testing.T, module, metricSet string, config DataConfig, contentType string) {
+func TestDataFilesWithConfig(t *testing.T, module, metricSet string, config DataConfig) {
 t.Helper()
 ff, err := filepath.Glob(filepath.Join(config.Path, "*."+config.Suffix))
 if err != nil {
@@ -171,7 +172,7 @@ func TestDataFilesWithConfig(t *testing.T, module, metricSet string, config Data
 for _, f := range files {
 t.Run(filepath.Base(f), func(t *testing.T) {
- runTest(t, f, module, metricSet, config, contentType)
+ runTest(t, f, module, metricSet, config)
 })
 }
 }
@@ -192,9 +193,9 @@ func TestMetricsetFieldsDocumented(t *testing.T, metricSet mb.MetricSet, events
 }
-func runTest(t *testing.T, file string, module, metricSetName string, config DataConfig, contentType string) {
+func runTest(t *testing.T, file string, module, metricSetName string, config DataConfig) {
 // starts a server serving the given file under the given url
- s := server(t, file, config.URL, contentType)
+ s := server(t, file, config.URL, config.ContentType)
 defer s.Close()
 moduleConfig := getConfig(module, metricSetName, s.URL, config)
@@ -452,11 +453,7 @@ func server(t *testing.T, path string, url string, contentType string) *httptest
 }
 if r.URL.Path+query == url {
- if contentType != "" {
- w.Header().Set("Content-Type", contentType)
- } else {
- w.Header().Set("Content-Type", "application/json")
- }
+ w.Header().Set("Content-Type", contentType)
 w.WriteHeader(200)
 w.Write(body)
 } else {
diff --git a/metricbeat/module/openmetrics/collector/_meta/data.json b/metricbeat/module/openmetrics/collector/_meta/data.json
index 425e2d297c0..680e66f1a7d 100644
--- a/metricbeat/module/openmetrics/collector/_meta/data.json
+++ b/metricbeat/module/openmetrics/collector/_meta/data.json
@@ -11,13 +11,12 @@
 },
 "openmetrics": {
 "labels": {
- "job": "openmetrics",
- "listener_name": "http"
+ "job": "openmetrics"
 },
 "metrics": {
- "net_conntrack_listener_conn_accepted_total": 3,
- "net_conntrack_listener_conn_closed_total": 0
- }
+ "up": 1
+ },
+ "type": "gauge"
 },
 "service": {
 "address": "127.0.0.1:55555",
diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml b/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml
index a5d8ee128af..37f3a8443ac 100644
--- a/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml
+++ b/metricbeat/module/openmetrics/collector/_meta/testdata/config.yml
@@ -1,4 +1,8 @@
 type: http
 url: "/metrics"
+content_type: "application/openmetrics-text"
 suffix: plain
 remove_fields_from_comparison: ["openmetrics.labels.instance"]
+module:
+ enable_exemplars: true
+ enable_metadata: true
diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json
index e1244391ba7..04dd247087d 100644
--- a/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json
+++ b/metricbeat/module/openmetrics/collector/_meta/testdata/docs.plain-expected.json
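Review bot: `w.Header().Set("Content-Type", contentType)` now runs for an empty contentType as well, so a DataConfig that did not pass through defaultDataConfig (a zero-value struct, or a YAML file with an empty `content_type`) makes the test server emit an empty Content-Type header instead of the old `application/json` fallback, and because the header key is then present net/http will most likely skip content sniffing too. Whether every caller reaches this through defaultDataConfig depends on ReadDataConfig, which is outside the hunk. A one-line guard before the Set keeps the old behaviour for such callers: `if contentType == "" { contentType = applicationJson }`.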
@@ -16,7 +16,35 @@ }, "metrics": { "up": 1 - } + }, + "type":"gauge" + }, + "service": { + "address": "127.0.0.1:55555", + "type": "openmetrics" + } + }, + { + "event": { + "dataset": "openmetrics.collector", + "duration": 115000, + "module": "openmetrics" + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "openmetrics": { + "help": "Total number of connections opened to the listener of a given name.", + "labels": { + "instance": "127.0.0.1:55922", + "job": "openmetrics", + "listener_name": "http" + }, + "metrics": { + "net_conntrack_listener_conn_accepted_total": 3 + }, + "type":"counter" }, "service": { "address": "127.0.0.1:55555", @@ -34,15 +62,16 @@ "period": 10000 }, "openmetrics": { + "help": "Total number of connections closed that were made to the listener of a given name.", "labels": { "instance": "127.0.0.1:55922", "job": "openmetrics", "listener_name": "http" }, "metrics": { - "net_conntrack_listener_conn_accepted_total": 3, "net_conntrack_listener_conn_closed_total": 0 - } + }, + "type":"counter" }, "service": { "address": "127.0.0.1:55555", diff --git a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json index 911fce38c3a..ce7febdc874 100644 --- a/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json +++ b/metricbeat/module/openmetrics/collector/_meta/testdata/openmetrics-features.plain-expected.json @@ -10,13 +10,16 @@ "period": 10000 }, "openmetrics": { + "help": "When my_counter was last incremented", "labels": { "instance": "127.0.0.1:55922", "job": "openmetrics" }, "metrics": { "my_counter_last_increment_timestamp_milliseconds": 123 - } + }, + "type":"gauge", + "unit":"milliseconds" }, "service": { "address": "127.0.0.1:55555", @@ -40,7 +43,8 @@ }, "metrics": { "up": 1 - } + }, + "type":"gauge" }, "service": { "address": "127.0.0.1:55555", 
@@ -58,6 +62,7 @@ "period": 10000 }, "openmetrics": { + "help": "Count total disk errors", "labels": { "instance": "127.0.0.1:55922", "job": "openmetrics", @@ -65,7 +70,8 @@ }, "metrics": { "disk_errors_total": 17 - } + }, + "type":"counter" }, "service": { "address": "127.0.0.1:55555", @@ -91,7 +97,8 @@ }, "metrics": { "app_info": 1 - } + }, + "type":"info" }, "service": { "address": "127.0.0.1:55555", @@ -117,7 +124,8 @@ }, "metrics": { "collector_info": 1 - } + }, + "type":"info" }, "service": { "address": "127.0.0.1:55555", @@ -142,7 +150,8 @@ }, "metrics": { "enable_category": 0 - } + }, + "type":"stateset" }, "service": { "address": "127.0.0.1:55555", @@ -167,7 +176,8 @@ }, "metrics": { "enable_category": 1 - } + }, + "type":"stateset" }, "service": { "address": "127.0.0.1:55555", @@ -192,7 +202,8 @@ }, "metrics": { "enable_category": 0 - } + }, + "type":"stateset" }, "service": { "address": "127.0.0.1:55555", @@ -216,7 +227,8 @@ }, "metrics": { "connection_errors": 42 - } + }, + "type":"unknown" }, "service": { "address": "127.0.0.1:55555", @@ -234,13 +246,20 @@ "period": 10000 }, "openmetrics": { + "exemplar": { + "cnt_rulefires_deployment_total":0.67, + "labels": { + "trace_id":"KOO5S4vxi0o" + } + }, "labels": { "instance": "127.0.0.1:55922", "job": "openmetrics" }, "metrics": { "cnt_rulefires_deployment_total": 66666 - } + }, + "type":"counter" }, "service": { "address": "127.0.0.1:55555", @@ -258,6 +277,14 @@ "period": 10000 }, "openmetrics": { + "exemplar": { + "labels": { + "trace_id": "0d482-ac43e-d9320-debfe" + }, + "process_cpu_seconds_total": 17, + "timestamp": 1622302012000 + }, + "help": "Total user and system CPU time spent in seconds. Exemplar with timestamp and labels.", "labels": { "instance": "127.0.0.1:55922", "job": "openmetrics", @@ -266,7 +293,9 @@ }, "metrics": { "process_cpu_seconds_total": 11111 - } + }, + "type":"counter", + "unit":"seconds" }, "service": { "address": "127.0.0.1:55555", 
diff --git a/metricbeat/module/openmetrics/collector/collector_test.go b/metricbeat/module/openmetrics/collector/collector_test.go index 2b06dc87d6b..d9d0715f231 100644 --- a/metricbeat/module/openmetrics/collector/collector_test.go +++ b/metricbeat/module/openmetrics/collector/collector_test.go @@ -36,7 +36,7 @@ import ( ) func TestData(t *testing.T) { - mbtest.TestDataFiles(t, "openmetrics", "collector", "application/openmetrics-text") + mbtest.TestDataFiles(t, "openmetrics", "collector") } func TestGetPromEventsFromMetricFamily(t *testing.T) { diff --git a/metricbeat/module/openmetrics/fields.go b/metricbeat/module/openmetrics/fields.go index 6cebb6468c0..27c738406f9 100644 --- a/metricbeat/module/openmetrics/fields.go +++ b/metricbeat/module/openmetrics/fields.go @@ -32,5 +32,5 @@ func init() { // AssetOpenmetrics returns asset data. // This is the base64 encoded zlib format compressed contents of module/openmetrics. func AssetOpenmetrics() string { - return "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" + return "eJzElL2O1EAQhHM/RckEJ5327gEcEBCQoXsAhO7Gdttudv7U09bit0f+W+w1BCwIKmzPVH1TM/ITzjQUCJG8IxWuUgYoq6UCDy8/pg8ZIGTJJCpQkpoMqClVwlE5+ALvMwDY7IALdW8pAxKpsm9Tgc95pxrzE/KUbP4lAxomW6di2vwEbxzdwozSIVKBVkIfl8kty6if8Ix62/i9oQpeDfuEFbOR4EC+joG9JmhnFEYITbA2XNi3u0M1QZzR58V8Sz/qHV6kJgEnsItB1HhFR0InWFOSTbiwtXBGqw4NS9ITtCMIpTm0Dn05dTZrbaQjG6/DtY4zDZcg9Wb+iwJGfRCmZrsAoZmiP00H+2gc2+GQOwb9We5svzda3XvP+lfcd0ar+1z48+MhIZRfqdoGz4PXO/J3z31mmWMPNMuq38a5eRC7r6/OxMi+XZbmj/m91Adc+kYuWiP/rr418VjdleU/3eiaf7za/U/oewAAAP//WDeHdA==" } From 414a5f07a740582a9298bdc86573a5c396eaaaf9 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Mon, 6 Sep 2021 13:15:37 -0700 Subject: [PATCH 10/63] change prom to openMetrics --- .../helper/openmetrics/openmetrics_test.go | 42 +++++++++---------- metricbeat/mb/testing/testdata.go | 1 - .../openmetrics/collector/collector_test.go | 2 +- 3 files changed, 22 insertions(+), 23 deletions(-) 
diff --git a/metricbeat/helper/openmetrics/openmetrics_test.go b/metricbeat/helper/openmetrics/openmetrics_test.go index 597556e1635..5ebf1903c0f 100644 --- a/metricbeat/helper/openmetrics/openmetrics_test.go +++ b/metricbeat/helper/openmetrics/openmetrics_test.go @@ -76,13 +76,13 @@ target_info 1 target_with_labels_info{env="prod",hostname="myhost"} 1 ` - promGaugeKeyLabel = `# TYPE metrics_one_count_total gauge + openMetricsGaugeKeyLabel = `# TYPE metrics_one_count_total gauge metrics_one_count_total{name="jane",surname="foster"} 1 metrics_one_count_total{name="john",surname="williams"} 2 metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 ` - promGaugeKeyLabelWithNaNInf = `# TYPE metrics_one_count_errors gauge + openMetricsGaugeKeyLabelWithNaNInf = `# TYPE metrics_one_count_errors gauge metrics_one_count_errors{name="jane",surname="foster"} 0 # TYPE metrics_one_count_total gauge metrics_one_count_total{name="jane",surname="foster"} NaN @@ -91,13 +91,13 @@ metrics_one_count_total{name="john",surname="williams"} -Inf metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 ` - promCounterKeyLabel = `# TYPE metrics_one_count_total counter + openMetricsCounterKeyLabel = `# TYPE metrics_one_count_total counter metrics_one_count_total{name="jane",surname="foster"} 1 metrics_one_count_total{name="john",surname="williams"} 2 metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 ` - promCounterKeyLabelWithNaNInf = `# TYPE metrics_one_count_errors counter + openMetricsCounterKeyLabelWithNaNInf = `# TYPE metrics_one_count_errors counter metrics_one_count_errors{name="jane",surname="foster"} 1 # TYPE metrics_one_count_total counter metrics_one_count_total{name="jane",surname="foster"} NaN 
@@ -106,7 +106,7 @@ metrics_one_count_total{name="jahn",surname="baldwin",age="30"} 3 ` - promHistogramKeyLabel = `# TYPE metrics_one_midichlorians histogram + openMetricsHistogramKeyLabel = `# TYPE metrics_one_midichlorians histogram metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="2000"} 52 metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="4000"} 70 metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="8000"} 78 @@ -125,7 +125,7 @@ metrics_one_midichlorians_sum{rank="padawan",alive="yes"} 800001 metrics_one_midichlorians_count{rank="padawan",alive="yes"} 28 ` - promHistogramKeyLabelWithNaNInf = `# TYPE metrics_one_midichlorians histogram + openMetricsHistogramKeyLabelWithNaNInf = `# TYPE metrics_one_midichlorians histogram metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="2000"} NaN metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="4000"} +Inf metrics_one_midichlorians_bucket{rank="youngling",alive="yes",le="8000"} -Inf @@ -136,7 +136,7 @@ metrics_one_midichlorians_sum{rank="youngling",alive="yes"} 1000001 metrics_one_midichlorians_count{rank="youngling",alive="yes"} 86 ` - promSummaryKeyLabel = `# TYPE metrics_force_propagation_ms summary + openMetricsSummaryKeyLabel = `# TYPE metrics_force_propagation_ms summary metrics_force_propagation_ms{kind="jedi",quantile="0"} 35 metrics_force_propagation_ms{kind="jedi",quantile="0.25"} 22 metrics_force_propagation_ms{kind="jedi",quantile="0.5"} 7 @@ -153,7 +153,7 @@ metrics_force_propagation_ms_sum{kind="sith"} 112 metrics_force_propagation_ms_count{kind="sith"} 711 ` - promSummaryKeyLabelWithNaNInf = `# TYPE metrics_force_propagation_ms summary + openMetricsSummaryKeyLabelWithNaNInf = `# TYPE metrics_force_propagation_ms summary metrics_force_propagation_ms{kind="jedi",quantile="0"} NaN metrics_force_propagation_ms{kind="jedi",quantile="0.25"} +Inf metrics_force_propagation_ms{kind="jedi",quantile="0.5"} -Inf 
@@ -163,13 +163,13 @@ metrics_force_propagation_ms_sum{kind="jedi"} 50 metrics_force_propagation_ms_count{kind="jedi"} 651 ` - promGaugeLabeled = `# TYPE metrics_that_inform_labels gauge + openMetricsGaugeLabeled = `# TYPE metrics_that_inform_labels gauge metrics_that_inform_labels{label1="I am 1",label2="I am 2"} 1 metrics_that_inform_labels{label1="I am 1",label3="I am 3"} 1 # TYPE metrics_that_use_labels gauge metrics_that_use_labels{label1="I am 1"} 20 ` - promStateset = `# TYPE enable_category stateset + openMetricsStateset = `# TYPE enable_category stateset enable_category{category="shoes"} 0 enable_category{category="collectibles"} 1 ` @@ -601,7 +601,7 @@ func TestOpenMetricsKeyLabels(t *testing.T) { }{ { testName: "Test gauge with KeyLabel", - openmetricsResponse: promGaugeKeyLabel, + openmetricsResponse: openMetricsGaugeKeyLabel, mapping: &MetricsMapping{ Metrics: map[string]MetricMap{ "metrics_one_count_total": Metric("metrics.one.count"), @@ -652,7 +652,7 @@ func TestOpenMetricsKeyLabels(t *testing.T) { { testName: "Test gauge with KeyLabel With NaN Inf", - openmetricsResponse: promGaugeKeyLabelWithNaNInf, + openmetricsResponse: openMetricsGaugeKeyLabelWithNaNInf, mapping: &MetricsMapping{ Metrics: map[string]MetricMap{ "metrics_one_count_errors": Metric("metrics.one.count"), @@ -693,7 +693,7 @@ func TestOpenMetricsKeyLabels(t *testing.T) { { testName: "Test counter with KeyLabel", - openmetricsResponse: promCounterKeyLabel, + openmetricsResponse: openMetricsCounterKeyLabel, mapping: &MetricsMapping{ Metrics: map[string]MetricMap{ "metrics_one_count_total": Metric("metrics.one.count"), @@ -744,7 +744,7 @@ func TestOpenMetricsKeyLabels(t *testing.T) { { testName: "Test counter with KeyLabel With NaN Inf", - openmetricsResponse: promCounterKeyLabelWithNaNInf, + openmetricsResponse: openMetricsCounterKeyLabelWithNaNInf, mapping: &MetricsMapping{ Metrics: map[string]MetricMap{ "metrics_one_count_errors": Metric("metrics.one.count"), 
@@ -785,7 +785,7 @@ func TestOpenMetricsKeyLabels(t *testing.T) { { testName: "Test histogram with KeyLabel", - openmetricsResponse: promHistogramKeyLabel, + openmetricsResponse: openMetricsHistogramKeyLabel, mapping: &MetricsMapping{ Metrics: map[string]MetricMap{ "metrics_one_midichlorians": Metric("metrics.one.midichlorians"), @@ -842,7 +842,7 @@ func TestOpenMetricsKeyLabels(t *testing.T) { { testName: "Test histogram with KeyLabel With NaN Inf", - openmetricsResponse: promHistogramKeyLabelWithNaNInf, + openmetricsResponse: openMetricsHistogramKeyLabelWithNaNInf, mapping: &MetricsMapping{ Metrics: map[string]MetricMap{ "metrics_one_midichlorians": Metric("metrics.one.midichlorians"), @@ -876,7 +876,7 @@ func TestOpenMetricsKeyLabels(t *testing.T) { { testName: "Test summary with KeyLabel", - openmetricsResponse: promSummaryKeyLabel, + openmetricsResponse: openMetricsSummaryKeyLabel, mapping: &MetricsMapping{ Metrics: map[string]MetricMap{ "metrics_force_propagation_ms": Metric("metrics.force.propagation.ms"), @@ -935,7 +935,7 @@ func TestOpenMetricsKeyLabels(t *testing.T) { { testName: "Test summary with KeyLabel With NaN Inf", - openmetricsResponse: promSummaryKeyLabelWithNaNInf, + openmetricsResponse: openMetricsSummaryKeyLabelWithNaNInf, mapping: &MetricsMapping{ Metrics: map[string]MetricMap{ "metrics_force_propagation_ms": Metric("metrics.force.propagation.ms"), @@ -969,7 +969,7 @@ func TestOpenMetricsKeyLabels(t *testing.T) { { testName: "Test gauge InfoMetrics using ExtendedInfoMetric", - openmetricsResponse: promGaugeLabeled, + openmetricsResponse: openMetricsGaugeLabeled, mapping: &MetricsMapping{ Metrics: map[string]MetricMap{ "metrics_that_inform_labels": ExtendedInfoMetric(Configuration{StoreNonMappedLabels: true, NonMappedLabelsPlacement: "metrics.other_labels"}), 
@@ -994,7 +994,7 @@ func TestOpenMetricsKeyLabels(t *testing.T) { }, { testName: "Test gauge InfoMetrics using ExtendedInfoMetric and extra fields", - openmetricsResponse: promGaugeLabeled, + openmetricsResponse: openMetricsGaugeLabeled, mapping: &MetricsMapping{ Metrics: map[string]MetricMap{ "metrics_that_inform_labels": ExtendedInfoMetric(Configuration{ @@ -1029,7 +1029,7 @@ func TestOpenMetricsKeyLabels(t *testing.T) { }, { testName: "Stateset metric with labels", - openmetricsResponse: promStateset, + openmetricsResponse: openMetricsStateset, mapping: &MetricsMapping{ Metrics: map[string]MetricMap{ "enable_category": Metric("metrics.count"), diff --git a/metricbeat/mb/testing/testdata.go b/metricbeat/mb/testing/testdata.go index ea89c68c39a..6a738254982 100644 --- a/metricbeat/mb/testing/testdata.go +++ b/metricbeat/mb/testing/testdata.go @@ -146,7 +146,6 @@ func TestDataConfig(t *testing.T) DataConfig { func TestDataFiles(t *testing.T, module, metricSet string) { t.Helper() config := TestDataConfig(t) - TestDataFilesWithConfig(t, module, metricSet, config) } diff --git a/metricbeat/module/openmetrics/collector/collector_test.go b/metricbeat/module/openmetrics/collector/collector_test.go index d9d0715f231..727e322ed66 100644 --- a/metricbeat/module/openmetrics/collector/collector_test.go +++ b/metricbeat/module/openmetrics/collector/collector_test.go @@ -39,7 +39,7 @@ func TestData(t *testing.T) { mbtest.TestDataFiles(t, "openmetrics", "collector") } -func TestGetPromEventsFromMetricFamily(t *testing.T) { +func TestGetOpenMetricsEventsFromMetricFamily(t *testing.T) { labels := common.MapStr{ "handler": "query", } From 1dd465fb7dbdd4bfd0cb6b63a41f3f67094f0d54 Mon Sep 17 00:00:00 2001 
From: Premendra Singh
Date: Tue, 7 Sep 2021 15:26:23 -0700
Subject: [PATCH 11/63] Add test case to show same labels are collapsed when metadata and exemplars are turned off.
---
 metricbeat/helper/openmetrics/metric.go | 4 +-
 metricbeat/helper/openmetrics/openmetrics.go | 4 +-
 .../openmetrics/collector/_meta/data.json | 3 +-
 .../_meta/samelabeltestdata/config.yml | 8 +++
 .../_meta/samelabeltestdata/docs.plain | 6 +++
 .../docs.plain-expected.json | 52 +++++++++++++++++++
 .../openmetrics/collector/collector_test.go | 4 ++
 7 files changed, 75 insertions(+), 6 deletions(-)
 create mode 100644 metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml
 create mode 100644 metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain
 create mode 100644 metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json
diff --git a/metricbeat/helper/openmetrics/metric.go b/metricbeat/helper/openmetrics/metric.go
index f21a6ee16ab..4907ab59c9e 100644
--- a/metricbeat/helper/openmetrics/metric.go
+++ b/metricbeat/helper/openmetrics/metric.go
@@ -45,7 +45,7 @@ type MetricMap interface {
 // Configuration for mappings that needs extended treatment
 type Configuration struct {
- // StoreNonMappedLables indicates if labels found at the metric that are
+ // StoreNonMappedLabels indicates if labels found at the metric that are
 // not found at the label map should be part of the resulting event.
 // This setting should be used when the label name is not known beforehand
 StoreNonMappedLabels bool
@@ -58,7 +58,7 @@ type Configuration struct {
 //
 // given a metric family in a Openmetrics resource in the form:
 // metric1{label1="value1",label2="value2"} 1
- // and not mapping labels but using this entry on a the MetriMap definition:
+ // and not mapping labels but using this entry on a the MetricMap definition:
 // "metric1": ExtendedInfoMetric(Configuration{StoreNonMappedLabels: true, NonMappedLabelsPlacement: "mypath"}),
 // would output an event that contains a metricset field as follows
 // "mypath": {"label1":"value1","label2":"value2"}
diff --git a/metricbeat/helper/openmetrics/openmetrics.go b/metricbeat/helper/openmetrics/openmetrics.go
index 639dbe8b1a4..db2aa964730 100644
--- a/metricbeat/helper/openmetrics/openmetrics.go
+++ b/metricbeat/helper/openmetrics/openmetrics.go
@@ -727,14 +727,14 @@ loop:
 fam.Name = &metricName
- if hasExemplar := parser.Exemplar(&e); hasExemplar && mt != textparse.MetricTypeHistogram {
+ if hasExemplar := parser.Exemplar(&e); hasExemplar && mt != textparse.MetricTypeHistogram && metric != nil {
 if !e.HasTs {
 e.Ts = t
 }
 metric.Exemplar = &e
 }
- if tp != nil {
+ if tp != nil && metric != nil {
 t = *tp
 metric.TimestampMs = &t
 }
diff --git a/metricbeat/module/openmetrics/collector/_meta/data.json b/metricbeat/module/openmetrics/collector/_meta/data.json
index 680e66f1a7d..ebbb4a0efd2 100644
--- a/metricbeat/module/openmetrics/collector/_meta/data.json
+++ b/metricbeat/module/openmetrics/collector/_meta/data.json
@@ -15,8 +15,7 @@
 },
 "metrics": {
 "up": 1
- },
- "type": "gauge"
+ }
 },
 "service": {
 "address": "127.0.0.1:55555",
diff --git a/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml
new file mode 100644
index 00000000000..a8369b90cf2
--- /dev/null
+++ b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/config.yml
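Review bot: The added `metric != nil` guards avoid a nil dereference at `metric.Exemplar = &e` and `metric.TimestampMs = &t`, but they do it by silently dropping the sample's exemplar and timestamp, and the hunk does not show why `metric` can be nil at this point. A comment on the first guard would help, e.g. `// metric is nil when no sample entry was created for this line (TODO: state when); its exemplar and timestamp are then dropped`, and a debug-level log there would make the loss visible in tests. The loop this sits in starts and ends outside the hunk.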
@@ -0,0 +1,8 @@ +type: http +url: "/metrics" +content_type: "application/openmetrics-text" +suffix: plain +remove_fields_from_comparison: ["openmetrics.labels.instance"] +module: + enable_exemplars: false + enable_metadata: false diff --git a/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain new file mode 100644 index 00000000000..d5f0fd96fab --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain @@ -0,0 +1,6 @@ +# HELP net_conntrack_listener_conn_accepted Total number of connections opened to the listener of a given name. +# TYPE net_conntrack_listener_conn_accepted counter +net_conntrack_listener_conn_accepted_total{listener_name="http"} 3 +# HELP net_conntrack_listener_conn_closed Total number of connections closed that were made to the listener of a given name. +# TYPE net_conntrack_listener_conn_closed counter +net_conntrack_listener_conn_closed_total{listener_name="http"} 0 diff --git a/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json new file mode 100644 index 00000000000..e1244391ba7 --- /dev/null +++ b/metricbeat/module/openmetrics/collector/_meta/samelabeltestdata/docs.plain-expected.json 
@@ -0,0 +1,52 @@
+[
+{
+"event": {
+"dataset": "openmetrics.collector",
+"duration": 115000,
+"module": "openmetrics"
+},
+"metricset": {
+"name": "collector",
+"period": 10000
+},
+"openmetrics": {
+"labels": {
+"instance": "127.0.0.1:55922",
+"job": "openmetrics"
+},
+"metrics": {
+"up": 1
+}
+},
+"service": {
+"address": "127.0.0.1:55555",
+"type": "openmetrics"
+}
+},
+{
+"event": {
+"dataset": "openmetrics.collector",
+"duration": 115000,
+"module": "openmetrics"
+},
+"metricset": {
+"name": "collector",
+"period": 10000
+},
+"openmetrics": {
+"labels": {
+"instance": "127.0.0.1:55922",
+"job": "openmetrics",
+"listener_name": "http"
+},
+"metrics": {
+"net_conntrack_listener_conn_accepted_total": 3,
+"net_conntrack_listener_conn_closed_total": 0
+}
+},
+"service": {
+"address": "127.0.0.1:55555",
+"type": "openmetrics"
+}
+}
+]
diff --git a/metricbeat/module/openmetrics/collector/collector_test.go b/metricbeat/module/openmetrics/collector/collector_test.go
index 727e322ed66..826ac4b3a8c 100644
--- a/metricbeat/module/openmetrics/collector/collector_test.go
+++ b/metricbeat/module/openmetrics/collector/collector_test.go
@@ -39,6 +39,10 @@ func TestData(t *testing.T) {
 mbtest.TestDataFiles(t, "openmetrics", "collector")
 }
+func TestSameLabels(t *testing.T) {
+dataConfig := mbtest.ReadDataConfig(t, "_meta/samelabeltestdata/config.yml")
+mbtest.TestDataFilesWithConfig(t, "openmetrics", "collector", dataConfig)
+}
 func TestGetOpenMetricsEventsFromMetricFamily(t *testing.T) {
 labels := common.MapStr{
 "handler": "query",
From e9ccfc68098ae2ca2189698de21f4687898ec964 Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Wed, 8 Sep 2021 23:20:03 -0700
Subject: [PATCH 12/63] Change go.mod, go.sum
---
go.mod | 66 +++--
go.sum | 857 ++++++++------------------------------------------------
2 files changed, 151 insertions(+), 772 deletions(-)
diff --git a/go.mod b/go.mod
index 9c622960d7b..86424943f1f 100644
--- a/go.mod
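Review bot: `TestSameLabels` in the collector_test.go hunk is added without a comment saying what behaviour it pins, and the hunk's counts (6 old lines, 10 new, with only one blank line among the old context) mean the new function abuts either `TestData` or `TestGetOpenMetricsEventsFromMetricFamily` with no separating blank line, which gofmt will not add for you. A doc comment such as `// TestSameLabels verifies that series sharing an identical label set are merged into one event (fixture in _meta/samelabeltestdata).` states the intent, which the expected JSON added in this commit shows (both net_conntrack counters end up in a single event under listener_name="http"). Insert the blank line when placing the function so the file reads like the rest of the test suite.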
+++ b/go.mod
@@ -11,14 +11,15 @@ require (
 code.cloudfoundry.org/go-loggregator v7.4.0+incompatible
 code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a // indirect
 github.com/Azure/azure-event-hubs-go/v3 v3.1.2
-github.com/Azure/azure-sdk-for-go v52.5.0+incompatible
+github.com/Azure/azure-sdk-for-go v37.1.0+incompatible
 github.com/Azure/azure-storage-blob-go v0.8.0
-github.com/Azure/go-autorest/autorest v0.11.18
+github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
+github.com/Azure/go-autorest/autorest v0.9.6
 github.com/Azure/go-autorest/autorest/adal v0.9.15
 github.com/Azure/go-autorest/autorest/azure/auth v0.4.2
 github.com/Azure/go-autorest/autorest/date v0.3.0
 github.com/Masterminds/semver v1.4.2
-github.com/Microsoft/go-winio v0.4.16
+github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5
 github.com/Shopify/sarama v1.27.0
 github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6
 github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc
@@ -27,7 +28,7 @@ require (
 github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d
 github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 // indirect
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
-github.com/aws/aws-lambda-go v1.13.3
+github.com/aws/aws-lambda-go v1.6.0
 github.com/aws/aws-sdk-go-v2 v0.24.0
 github.com/awslabs/goformation/v4 v4.1.0
 github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2
@@ -47,7 +48,7 @@ require (
 github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b
 github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1
 github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf // indirect
-github.com/docker/docker v20.10.5+incompatible
+github.com/docker/docker v1.4.2-0.20170802015333-8af4db6f002a
 github.com/docker/go-connections v0.4.0
 github.com/docker/go-metrics v0.0.1 // indirect
 github.com/docker/go-plugins-helpers v0.0.0-20181025120712-1e6269c305b8
@@ -82,20 +83,21 @@ require (
 github.com/go-test/deep v1.0.7
 github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be
 github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e
-github.com/godror/godror v0.25.2
+github.com/godror/godror v0.10.4
 github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b
 github.com/gofrs/uuid v3.3.0+incompatible
-github.com/gogo/protobuf v1.3.2
+github.com/gogo/protobuf v1.3.1
 github.com/golang/mock v1.6.0
 github.com/golang/protobuf v1.4.3
 github.com/golang/snappy v0.0.3
 github.com/gomodule/redigo v1.8.3
-github.com/google/flatbuffers v1.11.0
-github.com/google/go-cmp v0.5.5
+github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9
+github.com/google/go-cmp v0.5.4
 github.com/google/gopacket v1.1.18-0.20191009163724-0ad7f2610e34
 github.com/google/uuid v1.1.2
 github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75
-github.com/gorilla/mux v1.7.3
+github.com/gorilla/mux v1.7.2
+github.com/grpc-ecosystem/grpc-gateway v1.13.0 // indirect
 github.com/h2non/filetype v1.1.1
 github.com/hashicorp/go-multierror v1.1.0
 github.com/hashicorp/go-retryablehttp v0.6.6
@@ -108,36 +110,44 @@ require (
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901
 github.com/jonboulle/clockwork v0.2.2
 github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd
+github.com/jpillora/backoff v1.0.0 // indirect
 github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7
+github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
 github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01
 github.com/magefile/mage v1.11.0
+github.com/mailru/easyjson v0.7.1 // indirect
 github.com/mattn/go-colorable v0.1.6
 github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe // indirect
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-github.com/miekg/dns v1.1.41
+github.com/miekg/dns v1.1.25
 github.com/mitchellh/gox v1.0.1
 github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51
-github.com/mitchellh/mapstructure v1.4.1
+github.com/mitchellh/mapstructure v1.3.3
+github.com/morikuni/aec v1.0.0 // indirect
 github.com/oklog/ulid v1.3.1
 github.com/olekukonko/tablewriter v0.0.5
+github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483 // indirect
 github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 // indirect
 github.com/osquery/osquery-go v0.0.0-20210622151333-99b4efa62ec5
 github.com/otiai10/copy v1.2.0
 github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0
 github.com/pkg/errors v0.9.1
 github.com/pmezard/go-difflib v1.0.0
-github.com/prometheus/client_model v0.2.0
-github.com/prometheus/common v0.20.0
-github.com/prometheus/procfs v0.6.0
-github.com/prometheus/prometheus v1.8.2-0.20210518124745-6eeded0fdf76
+github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc // indirect
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4
+github.com/prometheus/common v0.7.0
+github.com/prometheus/procfs v0.0.11
+github.com/prometheus/prometheus v1.8.2-0.20210701133801-b0944590a1c9
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
 github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e // indirect
 github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54
 github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522 // indirect
+github.com/satori/go.uuid v1.2.0 // indirect
 github.com/shirou/gopsutil v3.20.12+incompatible
 github.com/shopspring/decimal v1.2.0
 github.com/spf13/cobra v0.0.5
 github.com/spf13/pflag v1.0.5
+github.com/stretchr/objx v0.2.0 // indirect
 github.com/stretchr/testify v1.7.0
 github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b
 github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786
@@ -152,21 +162,21 @@ require (
 go.elastic.co/ecszap v0.3.0
 go.elastic.co/go-licence-detector v0.4.0
 go.etcd.io/bbolt v1.3.4
-go.uber.org/atomic v1.7.0
+go.uber.org/atomic v1.5.0
 go.uber.org/multierr v1.3.0
 go.uber.org/zap v1.14.0
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e
-golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5
+golang.org/x/lint v0.0.0-20200130185559-910be7a94367
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e
-golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c
 golang.org/x/text v0.3.6
-golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0
 golang.org/x/tools v0.1.1
-google.golang.org/api v0.42.0
-google.golang.org/genproto v0.0.0-20210312152112-fc591d9ea70f
-google.golang.org/grpc v1.36.0
+google.golang.org/api v0.15.0
+google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb
+google.golang.org/grpc v1.29.1
 google.golang.org/protobuf v1.25.0
 gopkg.in/inf.v0 v0.9.1
 gopkg.in/jcmturner/aescts.v1 v1.0.1 // indirect
@@ -175,13 +185,13 @@ require (
 gopkg.in/jcmturner/gokrb5.v7 v7.5.0
 gopkg.in/jcmturner/rpc.v1 v1.1.0 // indirect
 gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528
-gopkg.in/yaml.v2 v2.4.0
+gopkg.in/yaml.v2 v2.3.0
 gotest.tools v2.2.0+incompatible
 gotest.tools/gotestsum v0.6.0
 howett.net/plist v0.0.0-20181124034731-591f970eefbb
-k8s.io/api v0.20.5
-k8s.io/apimachinery v0.20.5
-k8s.io/client-go v0.20.5
+k8s.io/api v0.19.4
+k8s.io/apimachinery v0.19.4
+k8s.io/client-go v0.19.4
 )
 replace (
diff --git a/go.sum b/go.sum
index 8c99f3d962b..36c8653d178 100644
--- a/go.sum
+++ b/go.sum
@@ -2,46 +2,20 @@ bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxo cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -cloud.google.com/go v0.43.0/go.mod h1:BOSR3VbTLkk6FDC/TcffxP4NF/FFBGA5ku+jvKOP7pg= cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= +cloud.google.com/go v0.51.0 h1:PvKAVQWCtlGUSlZkGW3QLelKaWq7KYv/MW1EboG8bfM= cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= -cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= -cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= -cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= -cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= -cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= -cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= -cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= -cloud.google.com/go v0.79.0 h1:oqqswrt4x6b9OGBnNqdssxBl1xf0rSUNjU2BR4BZar0= -cloud.google.com/go v0.79.0/go.mod 
h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go/bigquery v1.0.1 h1:hL+ycaJpVE9M7nLoiXb/Pn10ENE2u+oddxbD8uu0ZVU= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= -cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= -cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= -cloud.google.com/go/bigquery v1.8.0 h1:PQcPefKFdaIzjQFbiyOgAqyx8q5djaE7x9Sqe712DPA= -cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/bigtable v1.2.0/go.mod h1:JcVAOl45lrTmQfLj7T6TxyMzIN/3FGGcFm+2xVAli2o= +cloud.google.com/go/datastore v1.0.0 h1:Kt+gOPPp2LEPWp8CSfxhsM8ik9CcyE/gYu+0r+RnZvM= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/pubsub v1.0.1 h1:W9tAK3E57P75u0XLLR82LZyw8VpAnhmyTOxW9qzmyj8= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= -cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/pubsub v1.3.1 h1:ukjixP1wl0LpnZ6LWtZJ0mX5tBmjp1f8Sqer8Z2OMUU= -cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/storage v1.0.0 h1:VV2nUM3wwLLGh9lSABFgZMjInyUbJeaRSE64WuAIQ+4= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= -cloud.google.com/go/storage v1.6.0/go.mod 
h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= -cloud.google.com/go/storage v1.10.0 h1:STgFzyU5/8miMl0//zKh2aQeTyeaUH3WN9bSUiJ09bA= -cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee h1:iAAPf9s7/+BIiGf+RjgcXLm3NoZaLIJsBXJuUa63Lx8= code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee/go.mod h1:Jzi+ccHgo/V/PLQUaQ6hnZcC1c4BS790gx21LRRui4g= code.cloudfoundry.org/go-loggregator v7.4.0+incompatible h1:KqZYloMQWM5Zg/BQKunOIA4OODh7djZbk48qqbowNFI= @@ -50,7 +24,6 @@ code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f h1:UrKzEwTg code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f/go.mod h1:sk5LnIjB/nIEU7yP5sDQExVm62wu0pBh3yrElngUisI= code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a h1:8rqv2w8xEceNwckcF5ONeRt0qBHlh5bnNfFnYTrZbxs= code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a/go.mod h1:tkZo8GtzBjySJ7USvxm4E36lNQw1D3xM6oKHGqdaAJ4= -collectd.org v0.3.0/go.mod h1:A/8DzQBkF6abtvrT2j/AU/4tiBgJWYyh0y/oB/4MlWE= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/Azure/azure-amqp-common-go/v3 v3.0.0 h1:j9tjcwhypb/jek3raNrwlCIl7iKQYOug7CLpSyBBodc= github.com/Azure/azure-amqp-common-go/v3 v3.0.0/go.mod h1:SY08giD/XbhTz07tJdpw1SoxQXHPN30+DI3Z04SYqyg= 
@@ -60,9 +33,8 @@ github.com/Azure/azure-pipeline-go v0.1.8/go.mod h1:XA1kFWRVhSK+KNFiOhfv83Fv8L9a github.com/Azure/azure-pipeline-go v0.1.9/go.mod h1:XA1kFWRVhSK+KNFiOhfv83Fv8L9achrP7OxIzeTn1Yg= github.com/Azure/azure-pipeline-go v0.2.1 h1:OLBdZJ3yvOn2MezlWvbrBMTEUQC72zAftRZOMdj5HYo= github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= +github.com/Azure/azure-sdk-for-go v37.1.0+incompatible h1:aFlw3lP7ZHQi4m1kWCpcwYtczhDkGhDoRaMTaxcOf68= github.com/Azure/azure-sdk-for-go v37.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v52.5.0+incompatible h1:/NLBWHCnIHtZyLPc1P7WIqi4Te4CC23kIQyK3Ep/7lA= -github.com/Azure/azure-sdk-for-go v52.5.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-storage-blob-go v0.6.0/go.mod h1:oGfmITT1V6x//CswqY2gtAHND+xIP64/qL7a5QJix0Y= github.com/Azure/azure-storage-blob-go v0.8.0 h1:53qhf0Oxa0nOjgbDeeYPUeyiNmafAFEY95rZLK0Tj6o= github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0= 
@@ -74,15 +46,12 @@ github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= -github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= -github.com/Azure/go-autorest/autorest v0.11.18 h1:90Y4srNYrwOtAgVo3ndrQkTYn6kf1Eg/AjTFJ8Is2aM= -github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= +github.com/Azure/go-autorest/autorest v0.9.6 h1:5YWtOnckcudzIw8lPPBcWOnmIFWMtHci1ZWAZulMSx0= +github.com/Azure/go-autorest/autorest v0.9.6/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= -github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= -github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= -github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= +github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= github.com/Azure/go-autorest/autorest/adal v0.9.15 h1:X+p2GF0GWyOiSmqohIaEeuNFNDY4I4EOlVuUQvFdWMk= github.com/Azure/go-autorest/autorest/adal v0.9.15/go.mod h1:tGMin8I49Yij6AQ+rvV+Xa/zwxYQB5hmsd6DkfAx2+A= github.com/Azure/go-autorest/autorest/azure/auth v0.4.2 h1:iM6UAvjR97ZIeR93qTcwpKNMpV+/FTWjwEbuPD495Tk= 
@@ -96,17 +65,13 @@ github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSY github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= -github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/to v0.3.0 h1:zebkZaadz7+wIQYgC7GXaz3Wb28yKYfVkkBKwc38VF8= github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= -github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= -github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= +github.com/Azure/go-autorest/autorest/validation v0.2.0 h1:15vMO4y76dehZSq7pAaOLQxC6dZYsSrj2GQpflyM/L4= github.com/Azure/go-autorest/autorest/validation v0.2.0/go.mod h1:3EEqHnBxQGHXRYq3HT1WyXAvT7LLY3tl70hw6tQIbjI= -github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac= -github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= -github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing 
v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= @@ -115,11 +80,8 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= github.com/DataDog/zstd v1.4.1 h1:3oxKN3wbHibqx897utPC2LTQU4J+IHWWJO+glkAkpFM= github.com/DataDog/zstd v1.4.1/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= -github.com/HdrHistogram/hdrhistogram-go v1.0.1/go.mod h1:BWJ+nMSHY3L41Zj7CA3uXnloDp7xxV0YvstAE7nKTaM= -github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= github.com/Masterminds/semver v1.4.2 h1:WBLTQ37jOCzSLtXNdoo8bNM8876KhNqOKvrlGITgsTc= github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Microsoft/hcsshim v0.8.7 h1:ptnOoufxGSzauVTsdE+wMYnCWA301PdoN4xg5oRdZpg= 
@@ -127,66 +89,42 @@ github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEY github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/toxiproxy v2.1.4+incompatible h1:TKdv8HiTLgE5wdJuEML90aBgNWsokNbMijUGhmcoBJc= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6 h1:2Gl9Tray0NEjP9KC0FjdGWlszbmTIsBP3JYzgyFdL4E= github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= -github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g= github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d h1:g0M6kedfjDpyAAuxqBvJzMNjFzlrQ7Av6LCDFqWierk= github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d/go.mod h1:VykaKG/ofkKje+MSvqjrDsz1wfyHIvEVFljhq2EOZ4g= github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41 h1:9OmEpkkO4vm8Wz+JKWHDLZdzYrqXr4dovxIJDkTltKE= github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41/go.mod h1:UdDNZ1OO62aGYVnPhxT1U6aI7ukYtA/kB8vaU0diBUM= github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc 
h1:9iW/Fbn/R/nyUOiqo6AgwBe8uirqUIoTGF3vKG8qjoc= github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc/go.mod h1:zj8LBEnWBDOVEIJt8LvaRvDG5ARAoa5dBeHaB472NRc= -github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c= -github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM= -github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw= github.com/akavel/rsrc v0.8.0 h1:zjWn7ukO9Kc5Q62DOJCcxGpXC18RawVtYAGdz2aLlfw= github.com/akavel/rsrc v0.8.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= -github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE= github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20 h1:7rj9qZ63knnVo2ZeepYHvHuRdG76f3tRUTdIQDzRBeI= github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20/go.mod h1:cI59GRkC2FRaFYtgbYEqMlgnnfvAwXzjojyZKXwklNg= github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43 h1:WFwa9pqou0Nb4DdfBOyaBTH0GqLE74Qwdf61E7ITHwQ= github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43/go.mod h1:tJPYQG4mnMeUtQvQKNkbsFrnmZOg59Qnf8CcctFv5v4= -github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= -github.com/antihax/optional 
v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q= github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d h1:OE3kzLBpy7pOJEzE55j9sdgrSilUPzzj++FWvp1cmIs= github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d/go.mod h1:T7PbCXFs94rrTttyxjbyT5+/1V8T2TYDejxUfHJjw1Y= -github.com/apache/arrow/go/arrow v0.0.0-20191024131854-af6fa24be0db/go.mod h1:VTxUBvSJ3s3eHAg65PNgrsn5BtqCRPdmyXh6rAfdxN0= -github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= -github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f h1:33BV5v3u8I6dA2dEoPuXWCsAaHHOJfPtdxZhAMQV4uo= github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 h1:afT88tB6u9JCKQZVAAaa9ICz/uGn5Uw9ekn6P22mYKM= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77/go.mod h1:bXvGk6IkT1Agy7qzJ+DjIw/SJ1AaB3AvAuMDVV+Vkoo= -github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= -github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= -github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod 
h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= -github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A= -github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/asaskevich/govalidator v0.0.0-20200108200545-475eaeb16496/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg= -github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg= -github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-lambda-go v1.13.3 h1:SuCy7H3NLyp+1Mrfp+m80jcbi9KYWAs9/BXwppwRDzY= -github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= -github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.34.28/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48= -github.com/aws/aws-sdk-go v1.38.3/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= -github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= +github.com/aws/aws-lambda-go v1.6.0 h1:T+u/g79zPKw1oJM7xYhvpq7i4Sjc0iVsXZUaqRVVSOg= +github.com/aws/aws-lambda-go v1.6.0/go.mod h1:zUsUQhAUjYzR8AuduJPCfhBuKWUaDbQiPOG+ouzmE1A= github.com/aws/aws-sdk-go-v2 v0.24.0 h1:R0lL0krk9EyTI1vmO1ycoeceGZotSzCKO51LbPGq3rU= github.com/aws/aws-sdk-go-v2 v0.24.0/go.mod h1:2LhT7UgHOXK3UXONKI5OMgIyoQL6zTAw/jwIeX6yqzw= github.com/awslabs/goformation/v3 v3.1.0/go.mod h1:hQ5RXo3GNm2laHWKizDzU5DsDy+yNcenSca2UxN0850= 
@@ -196,24 +134,17 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/bi-zone/go-winio v0.4.15 h1:viLHm+U7bzIkfVHuWgc3Wp/sT5zaLoRG7XdOEy1b12w= github.com/bi-zone/go-winio v0.4.15/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2 h1:oMCHnXa6CCCafdPDbMh/lWRhRByN0VFLvv+g+ayx1SI= github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI= github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/bmizerany/pat v0.0.0-20170815010413-6226ea591a40/go.mod h1:8rLXio+WjiTceGBHIoTvn60HIbs7Hm7bcHjyrSqYB9c= -github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps= github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible h1:4g18+HnTDwEtO0n7K8B1Kjq+04MEKJRkhJNQ/hb9d5A= github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible/go.mod h1:r7ao+4tTNXvWm+VRpRJchr2kQhqxgmAp2iEX5W96gMM= -github.com/c-bata/go-prompt v0.2.2/go.mod h1:VzqtzE2ksDBcdln8G7mk2RX9QyGjH+OVqOCSiVIqS34= -github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ= github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e h1:YYUjy5BRwO5zPtfk+aa2gw255FIIoi93zMmuy19o0bc= github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e/go.mod h1:V284PjgVwSk4ETmz84rpu9ehpGg7swlIH8npP9k2bGw= github.com/cavaliercoder/go-rpm v0.0.0-20190131055624-7a9c54e3d83e h1:Gbx+iVCXG/1m5WSnidDGuHgN+vbIwl+6fR092ANU+Y8= github.com/cavaliercoder/go-rpm 
v0.0.0-20190131055624-7a9c54e3d83e/go.mod h1:AZIh1CCnMrcVm6afFf96PBvE2MRpWFco91z8ObJtgDY= -github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= -github.com/cenkalti/backoff/v4 v4.0.2/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= @@ -222,7 +153,6 @@ github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cloudfoundry-community/go-cfclient v0.0.0-20190808214049-35bcce23fc5f h1:fK3ikA1s77arBhpDwFuyO0hUZ2Aa8O6o2Uzy8Q6iLbs= github.com/cloudfoundry-community/go-cfclient v0.0.0-20190808214049-35bcce23fc5f/go.mod h1:RtIewdO+K/czvxvIFCMbPyx7jdxSLL1RZ+DA/Vk8Lwg= 
@@ -231,18 +161,13 @@ github.com/cloudfoundry/noaa v2.1.0+incompatible/go.mod h1:5LmacnptvxzrTvMfL9+EJ github.com/cloudfoundry/sonde-go v0.0.0-20171206171820-b33733203bb4 h1:cWfya7mo/zbnwYVio6eWGsFJHqYw4/k/uhwIJ1eqRPI= github.com/cloudfoundry/sonde-go v0.0.0-20171206171820-b33733203bb4/go.mod h1:GS0pCHd7onIsewbw8Ue9qa9pZPv2V88cUZDttK6KzgI= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= -github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 h1:sDMmm+q/3+BukdIpxwO365v/Rbspp2Nt5XntgQRXq8Q= github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM= github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko= github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.3.3 h1:LoIzb5y9x5l8VKAlyrbusNPXqBY0+kviRloxFUMFwKc= github.com/containerd/containerd v1.3.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.4.3 h1:ijQT13JedHSHrQGWFcGEwzcNKrAGIiZ+jSD5QQG07SY= -github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod 
h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20200107194136-26c1120b8d41 h1:kIFnQBO7rQ0XkMe6xEwbybYHBEaWmh/f++laI6Emt7M= github.com/containerd/continuity v0.0.0-20200107194136-26c1120b8d41/go.mod h1:Dq467ZllaHgAtVp4p1xUQWBrFXR9s/wyoTpG8zOJGkY= 
@@ -255,24 +180,18 @@ github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kw github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.0.0 h1:XJIw/+VlJ+87J+doOxznsAWIdmWuViOVhkQamW5YV28= github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= -github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea h1:n2Ltr3SrfQlf/9nOna1DoGKxLx3qTSI8Ttl6Xrqp6mw= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= -github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cucumber/godog v0.8.1 h1:lVb+X41I4YDreE+ibZ50bdXmySxgRviYFgKY6Aw4XE8= github.com/cucumber/godog v0.8.1/go.mod h1:vSh3r/lM+psC1BPXvdkSEuNjmXfpVqrMGYAElF6hxnA= github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg= 
github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= -github.com/dave/jennifer v1.2.0/go.mod h1:fIb+770HOpJ2fmN9EPPKOqm1vMGhB+TwXKMZhrIygKg= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -288,18 +207,14 @@ github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b/go.mod h1 github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de h1:t0UHb5vdojIDUqktM6+xJAfScFBsVpXZmqC9dsgJmeA= github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8/go.mod h1:VMaSuZ+SZcx/wljOQKvp5srsbCiKDEb6K2wC4+PiBmQ= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= -github.com/dgryski/go-sip13 v0.0.0-20200911182023-62edffca9245/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1 h1:eG5K5GNAAHvQlFmfIuy0Ocjg5dvyX22g/KknwTpmBko= github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1/go.mod h1:PRcPVAAma6zcLpFd4GZrjR/MRpood3TamjKI2m/z/Uw= -github.com/digitalocean/godo v1.58.0/go.mod h1:p7dOjjtSBqCTUksqtA5Fd3uaKs9kyTq2xcz76ulEJRU= github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf h1:uOWCk+L8abzw0BzmnCn7j7VT3g6bv9zW8fkR0yOP0Q4= github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc= -github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/engine 
v0.0.0-20191113042239-ea84732a7725 h1:j0zqmciWFnhB01BT/CyfoXNEONoxerGjkcxM8i6tlXI= @@ -321,17 +236,14 @@ github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6/go.mod h1:hn7BA github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-resiliency v1.2.0 h1:v7g92e/KSN71Rq7vSThKaWIq68fL4YHvWyiUKorFR1Q= github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 h1:YEetp8/yCZMuEPMUDHG0CW/brkkEp8mzqk2+ODEitlw= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= -github.com/eclipse/paho.mqtt.golang v1.2.0/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts= github.com/eclipse/paho.mqtt.golang v1.3.5 h1:sWtmgNxYM9P2sP+xEItMozsR3w0cqZFlqnNN1bdl41Y= github.com/eclipse/paho.mqtt.golang v1.3.5/go.mod h1:eTzb4gxwwyWpqBUHGQZ4ABAV7+Jgm1PklsYT/eo8Hcc= -github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY= github.com/elastic/ecs v1.11.0 h1:eqcKejxlTzy+6TsCIkd0aBnKHEQOkSfeXnu+pmGYMUY= 
@@ -376,214 +288,82 @@ github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752/go.mod h1:mdtqvC github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= -github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.9.0+incompatible h1:kLcOMZeuLAJvL2BPWLMIj5oaZQobrkAqrL+WFZwQses= github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= -github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= -github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= 
github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= -github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= -github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= +github.com/frankban/quicktest v1.11.3 h1:8sXhOn0uLys67V8EsXLc6eszDs8VXWxL3iRvebPhedY= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= -github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= -github.com/glycerine/go-unsnap-stream v0.0.0-20180323001048-9f0cb55181dd/go.mod h1:/20jfyN9Y5QPEAprSgKAUr+glWDY39ZiUEAYOEv5dsE= -github.com/glycerine/goconvey v0.0.0-20190410193231-58a59202ab31/go.mod h1:Ogl1Tioa0aV7gstGFO7KhffUsb9M4ydbEbbxpcEDc24= -github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/kit v0.9.0 h1:wDJmvq38kDhkVxi50ni9ykkdUr1PKgqKOoi01fa0Mdk= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt 
v0.4.0 h1:MP4Eh7ZCb31lleYCFuwm0oe4/YGak+5l1vA2NOE80nA= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= -github.com/go-logfmt/logfmt v0.5.0 h1:TrB8swr/68K7m9CcGut2g3UOihhbcbiMAYiuTXdEih4= -github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc= -github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab h1:xveKWz2iaueeTaUgdetzel+U7exyigDYBryyVfV/rZk= github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8= github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647 h1:whypLownH338a3Ork2w9t0KUKtVxbXYySuz7V1YGsJo= github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= -github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI= -github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= -github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= -github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk= -github.com/go-openapi/analysis v0.19.4/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk= -github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU= -github.com/go-openapi/analysis v0.19.10/go.mod h1:qmhS3VNFxBlquFJ0RGoDtylO9y4pgTAUNE9AEEMdlJQ= -github.com/go-openapi/analysis v0.19.16/go.mod h1:GLInF007N83Ad3m8a/CbQ5TPzdnGT7workfHwuVjNVk= 
-github.com/go-openapi/analysis v0.20.0/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og= -github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= -github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= -github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= -github.com/go-openapi/errors v0.19.3/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= -github.com/go-openapi/errors v0.19.4/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= -github.com/go-openapi/errors v0.19.6/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/errors v0.19.7/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= -github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= -github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= -github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= -github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= -github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= -github.com/go-openapi/loads v0.17.0/go.mod 
h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= -github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= -github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= -github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs= -github.com/go-openapi/loads v0.19.3/go.mod h1:YVfqhUCdahYwR3f3iiwQLhicVRvLlU/WO5WPaZvcvSI= -github.com/go-openapi/loads v0.19.4/go.mod h1:zZVHonKd8DXyxyw4yfnVjPzBjIQcLt0CCsn0N0ZrQsk= -github.com/go-openapi/loads v0.19.5/go.mod h1:dswLCAdonkRufe/gSUC3gN8nTSaB9uaS2es0x5/IbjY= -github.com/go-openapi/loads v0.19.6/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc= -github.com/go-openapi/loads v0.19.7/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc= -github.com/go-openapi/loads v0.20.0/go.mod h1:2LhKquiE513rN5xC6Aan6lYOSddlL8Mp20AW9kpviM4= -github.com/go-openapi/loads v0.20.2/go.mod h1:hTVUotJ+UonAMMZsvakEgmWKgtulweO9vYP2bQYKA/o= -github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA= -github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64= -github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4= -github.com/go-openapi/runtime v0.19.15/go.mod h1:dhGWCTKRXlAfGnQG0ONViOZpjfg0m2gUt9nTQPQZuoo= -github.com/go-openapi/runtime v0.19.16/go.mod h1:5P9104EJgYcizotuXhEuUrzVc+j1RiSjahULvYmlv98= -github.com/go-openapi/runtime v0.19.24/go.mod h1:Lm9YGCeecBnUUkFTxPC4s1+lwrkJ0pthx8YvyjCfkgk= -github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= -github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= -github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY= -github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= -github.com/go-openapi/spec v0.19.6/go.mod 
h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= -github.com/go-openapi/spec v0.19.8/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= -github.com/go-openapi/spec v0.19.15/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU= -github.com/go-openapi/spec v0.20.0/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU= -github.com/go-openapi/spec v0.20.1/go.mod h1:93x7oh+d+FQsmsieroS4cmR3u0p/ywH649a3qwC9OsQ= -github.com/go-openapi/spec v0.20.3/go.mod h1:gG4F8wdEDN+YPBMVnzE85Rbhf+Th2DTvA9nFPQ5AYEg= -github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= -github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= -github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY= -github.com/go-openapi/strfmt v0.19.2/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU= -github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU= -github.com/go-openapi/strfmt v0.19.4/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk= -github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk= -github.com/go-openapi/strfmt v0.19.11/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc= -github.com/go-openapi/strfmt v0.20.0/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc= -github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= -github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= -github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.7/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY= -github.com/go-openapi/swag v0.19.9/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY= -github.com/go-openapi/swag v0.19.12/go.mod h1:eFdyEBkTdoAf/9RXBvj4cr1nH7GD8Kzo5HTt47gr72M= 
-github.com/go-openapi/swag v0.19.13/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= -github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA= -github.com/go-openapi/validate v0.19.3/go.mod h1:90Vh6jjkTn+OT1Eefm0ZixWNFjhtOH7vS9k0lo6zwJo= -github.com/go-openapi/validate v0.19.8/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4= -github.com/go-openapi/validate v0.19.10/go.mod h1:RKEZTUWDkxKQxN2jDT7ZnZi2bhZlbNMAuKvKB+IaGx8= -github.com/go-openapi/validate v0.19.12/go.mod h1:Rzou8hA/CBw8donlS6WNEUQupNvUZ0waH08tGe6kAQ4= -github.com/go-openapi/validate v0.19.15/go.mod h1:tbn/fdOwYHgrhPBzidZfJC2MIVvs9GA7monOmWBbeCI= -github.com/go-openapi/validate v0.20.1/go.mod h1:b60iJT+xNNLfaQJUqLI7946tYiFEOuE9E4k54HpKcJ0= -github.com/go-openapi/validate v0.20.2/go.mod h1:e7OJoKNgd0twXZwIn0A43tHbvIcr/rZIVCbJBpTUoY0= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= github.com/go-sourcemap/sourcemap v2.1.2+incompatible h1:0b/xya7BKGhXuqFESKM4oIiRo9WOt2ebz7KxfreD6ug= github.com/go-sourcemap/sourcemap v2.1.2+incompatible/go.mod h1:F8jJfvm2KbVjc5NqelyYJmf/v5J0dwNLS2mL4sNA1Jg= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= -github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0 
h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= -github.com/go-zookeeper/zk v1.0.2/go.mod h1:nOB03cncLtlp4t+UAkGSV+9beXP/akpekBwL+UX1Qcw= -github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0= -github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY= -github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg= -github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= -github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= -github.com/gobuffalo/flect v0.1.0/go.mod h1:d2ehjJqGOH/Kjqcoz+F7jHTBbmDb38yXA598Hb50EGs= -github.com/gobuffalo/flect v0.1.1/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= -github.com/gobuffalo/flect v0.1.3/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= -github.com/gobuffalo/genny v0.0.0-20190329151137-27723ad26ef9/go.mod h1:rWs4Z12d1Zbf19rlsn0nurr75KqhYp52EAGGxTbBhNk= -github.com/gobuffalo/genny v0.0.0-20190403191548-3ca520ef0d9e/go.mod h1:80lIj3kVJWwOrXWWMRzzdhW3DsrdjILVil/SFKBzF28= -github.com/gobuffalo/genny v0.1.0/go.mod h1:XidbUqzak3lHdS//TPu2OgiFB+51Ur5f7CSnXZ/JDvo= -github.com/gobuffalo/genny v0.1.1/go.mod h1:5TExbEyY48pfunL4QSXxlDOmdsD44RRq4mVZ0Ex28Xk= -github.com/gobuffalo/gitgen v0.0.0-20190315122116-cc086187d211/go.mod h1:vEHJk/E9DmhejeLeNt7UVvlSGv3ziL+djtTr3yyzcOw= -github.com/gobuffalo/gogen v0.0.0-20190315121717-8f38393713f5/go.mod h1:V9QVDIxsgKNZs6L2IYiGR8datgMhB577vzTDqypH360= -github.com/gobuffalo/gogen v0.1.0/go.mod 
h1:8NTelM5qd8RZ15VjQTFkAW6qOMx5wBbW4dSCS3BY8gg= -github.com/gobuffalo/gogen v0.1.1/go.mod h1:y8iBtmHmGc4qa3urIyo1shvOD8JftTtfcKi+71xfDNE= github.com/gobuffalo/here v0.6.0 h1:hYrd0a6gDmWxBM4TnrGw8mQg24iSVoIkHEk7FodQcBI= github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM= -github.com/gobuffalo/logger v0.0.0-20190315122211-86e12af44bc2/go.mod h1:QdxcLw541hSGtBnhUc4gaNIXRjiDppFGaDqzbrBd3v8= -github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= -github.com/gobuffalo/mapi v1.0.2/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= -github.com/gobuffalo/packd v0.0.0-20190315124812-a385830c7fc0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= -github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= -github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ= -github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0= -github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be h1:zXHeEEJ231bTf/IXqvCfeaqjLpXsq42ybLoT4ROSR6Y= github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be/go.mod h1:/oj50ZdPq/cUjA02lMZhijk5kR31SEydKyqah1OgBuo= github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e h1:BWhy2j3IXJhjCbC68FptL43tDKIq8FladmaTs3Xs7Z8= github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4= github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME= github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/godror/godror v0.25.2 h1:KleIMrkPG/ehoutkpjxyBp55yB3SiMbzehJpqnNzemY= -github.com/godror/godror v0.25.2/go.mod h1:JgtdZ1iSaNoioa/B53BVVWji9J9iGPDDj2763T5d1So= +github.com/godror/godror v0.10.4 h1:44FcfzDPp/PJZzen5Hm59SZQBhgrbR6E1KwCjg6gnJo= 
+github.com/godror/godror v0.10.4/go.mod h1:9MVLtu25FBJBMHkPs0m3Ngf/VmwGcLpM2HS8PlNGw9U= github.com/gofrs/flock v0.7.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b h1:3QNh5Xo2pmr2nZXENtnztfpjej8XY8EPmvYxF5SzY9M= github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/uuid v3.3.0+incompatible h1:8K4tyRfvU1CYPgJsveYFQMhpFd/wXNM7iK6rR7UHz84= github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= -github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= -github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0 h1:RAqyYixv1p7uEnocuy8P1nru5wprCh/MH2BIlW5z5/o= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= -github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= -github.com/golang/geo v0.0.0-20190916061304-5b978397cfec/go.mod h1:QZ0nwyI2jOfgRAoBvP+ab5aRr7c9x7lhGEJrKvBwjWI= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod 
h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY= -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= -github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.4/go.mod 
h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= @@ -593,7 +373,6 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA= github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= 
@@ -601,45 +380,29 @@ github.com/gomodule/redigo v1.8.3 h1:HR0kYDX2RJZvAup8CsiJwxB4dTCSC0AaUq6S4SiLwUc github.com/gomodule/redigo v1.8.3/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/flatbuffers v1.11.0 h1:O7CEyB8Cb3/DmtxODGtLHcEvpr81Jm5qLg/hsHnxA2A= -github.com/google/flatbuffers v1.11.0/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9 h1:b4EyQBj8pgtcWOr7YCSxK6NUQzJr0n4hxJ3mc+dtKk4= +github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-querystring v1.0.0/go.mod 
h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0 h1:OggOMmdI0JLwg1FkOKH9S7fVHF0oEm8PX6S8kAdpOps= github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M= +github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof 
v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210323184331-8eee2492667d/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= -github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -648,31 +411,22 @@ github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gnostic v0.4.1 h1:DLJCy1n/vrD4HPjOvYcT8aYQXpPIzoRZONaYwyycI+I= github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= -github.com/gophercloud/gophercloud v0.16.0/go.mod h1:wRtmUelyIIv3CSSDI47aUwbs075O6i+LY+pXsKCBsb4= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75 h1:f0n1xnMSmBLzVfsMMvriDyA75NB/oBgILX2GcHXIQzY= github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA= -github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= -github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= -github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw= -github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.7.2 h1:zoNxOV7WjqXptQOVngLmcSQgXmgk4NMz1HibBchjl/I= +github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= -github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc= github.com/gorilla/websocket v1.4.2/go.mod 
h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= -github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/grpc-ecosystem/grpc-gateway v1.13.0 h1:sBDQoHXrOlfPobnKw69FIKa1wg9qsLLvvQ/Y19WtFgI= +github.com/grpc-ecosystem/grpc-gateway v1.13.0/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= github.com/h2non/filetype v1.1.1 h1:xvOwnXKAckvtLWsN398qS9QhlxlnVXBjXBydK2/UFB4= github.com/h2non/filetype v1.1.1/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY= -github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE= -github.com/hashicorp/consul/api v1.8.1/go.mod h1:sDjTOq0yUyv5G4h+BqSea7Fn6BU+XbolEz1952UB+mk= -github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= -github.com/hashicorp/consul/sdk v0.7.0/go.mod h1:fY08Y9z5SvJqevyZNy6WWPXiG3KwBPAvlcdx16zZ0fM= github.com/hashicorp/cronexpr v1.1.0 h1:dnNsWtH0V2ReN7JccYe8m//Bj14+PjJDntR1dz0Cixk= github.com/hashicorp/cronexpr v1.1.0/go.mod h1:P4wA0KBl9C5q2hABiMO7cp6jcIg96CDh1Efb3g1PWA4= github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -680,65 +434,36 @@ github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/U github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVoDkXMzJM= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-hclog v0.9.2 h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxCsHI= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= -github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= -github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= -github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM= github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= -github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= -github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= -github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= -github.com/hashicorp/go-syslog v1.0.0/go.mod 
h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= -github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE= github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-version v1.0.0 h1:21MVWPKDphxa7ineQQTrCU5brh7OuVVAzGOCnnCPtE8= github.com/hashicorp/go-version v1.0.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E= -github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= -github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= -github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY= -github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= -github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/nomad/api v0.0.0-20201203164818-6318a8ac7bf8 h1:Yrz9yGVJf5Ce2KS7x8hS/MUTIeBmGEhF8nhzolRpSqY= github.com/hashicorp/nomad/api v0.0.0-20201203164818-6318a8ac7bf8/go.mod 
h1:vYHP9jMXk4/T2qNUbWlQ1OHCA1hHLil3nvqSmz8mtgc= -github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= -github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk= github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95 h1:S4qyfL2sEm5Budr4KVMyEniCy+PbS55651I/a+Kn/NQ= github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95/go.mod h1:QiyDdbZLaJ/mZP4Zwc9g2QsfaEA4o7XvvgZegSci5/E= -github.com/hetznercloud/hcloud-go v1.24.0/go.mod h1:3YmyK8yaZZ48syie6xpm3dt26rtB6s65AisBHylXYFA= +github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/influxdata/flux v0.65.1/go.mod h1:J754/zds0vvpfwuq7Gc2wRdVwEodfpCFM7mYlOw2LqY= -github.com/influxdata/influxdb v1.8.4/go.mod h1:JugdFhsvvI8gadxOI6noqNeeBHvWNTbfYGtiAn+2jhI= -github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo= -github.com/influxdata/influxql v1.1.1-0.20200828144457-65d3ef77d385/go.mod h1:gHp9y86a/pxhjJ+zMjNXiQAA197Xk9wLxaz+fGG+kWk= -github.com/influxdata/line-protocol 
v0.0.0-20180522152040-32c6aa80de5e/go.mod h1:4kt73NQhadE3daL3WhR5EJ/J2ocX0PZzwxQ0gXJ7oFE= -github.com/influxdata/promql/v2 v2.12.0/go.mod h1:fxOPu+DY0bqCTCECchSRtWfc+0X19ybifQhZoQNF5D8= -github.com/influxdata/roaring v0.4.13-0.20180809181101-fc520f41fab6/go.mod h1:bSgUQ7q5ZLSO+bKBGqJiCBGAl+9DxyW63zLTujjUlOE= -github.com/influxdata/tdigest v0.0.0-20181121200506-bf2b5ad3c0a9/go.mod h1:Js0mqiSBE6Ffsg94weZZ2c+v/ciT8QRHFOap7EKDrR0= -github.com/influxdata/usage-client v0.0.0-20160829180054-6d3895376368/go.mod h1:Wbbw6tYNvwa5dlB6304Sd+82Z3f7PmVZHVKU637d4po= github.com/jarcoal/httpmock v1.0.4 h1:jp+dy/+nonJE4g4xbVtl9QdrUNbn6/3hDT5R4nDIZnA= github.com/jarcoal/httpmock v1.0.4/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik= github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= 
@@ -747,194 +472,137 @@ github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8 github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= github.com/jcmturner/gofork v1.0.0 h1:J7uCkflzTEhUZ64xqKnkDxq3kzc96ajM1Gli5ktUem8= github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o= +github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o= github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= github.com/jcmturner/gokrb5/v8 v8.4.2 h1:6ZIM6b/JJN0X8UM43ZOM6Z4SJzla+a/u7scXFJzodkA= github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aWNYyvBVK62bc= github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= -github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= -github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= -github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5 h1:lrdPtrORjGv1HbbEvKWDUAy97mPpFm4B8hp77tcCUJY= github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks= github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 h1:rp+c0RAYOWj8l6qbCUTSiRLG/iKnW3K3/QfPPuSsBt4= github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak= 
+github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc= github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ= github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd h1:KikNiFwUO3QLyeKyN4k9yBH9Pcu/gU/yficWi61cJIw= github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd/go.mod h1:eJTEwMjXb7kZ633hO3Ln9mBUCOjX2+FlTljvpl9SYdE= -github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= -github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0= github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfEUpgAwUN0o= github.com/jstemmer/go-junit-report v0.9.1/go.mod 
h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/jsternberg/zap-logfmt v1.0.0/go.mod h1:uvPs/4X51zdkcm5jXl5SYoN+4RK21K8mysFmDaM/h+o= +github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= -github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= -github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= -github.com/jwilder/encoding v0.0.0-20170811194829-b4e1701a28ef/go.mod h1:Ct9fl0F6iIOGgxJ5npU/IUOhOhqlVrGjyIZc8/MagT0= github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7 h1:oohm9Rk9JAxxmp2NLZa7Kebgz9h4+AJDcc64txg3dQ0= github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM= -github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= -github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA= github.com/karrick/godirwalk v1.15.6 h1:Yf2mmR8TJy+8Fa0SuQVto5SYap6IF7lNVX4Jdl8G1qA= github.com/karrick/godirwalk v1.15.6/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= -github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.4.0/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= -github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= github.com/klauspost/compress v1.12.2 h1:2KCfW3I9M7nSc5wOqXAlW2v2U6v+w6cbjvbfp+OykW8= 
github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= -github.com/klauspost/cpuid v0.0.0-20170728055534-ae7887de9fa5/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= -github.com/klauspost/crc32 v0.0.0-20161016154125-cb6bfca970f6/go.mod h1:+ZoRqAPRLkC4NPOvfYeR5KNOrY6TD+/sAC3HXPZgDYg= -github.com/klauspost/pgzip v1.0.2-0.20170402124221-0bf5dcad4ada/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8= -github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 h1:T+h1c/A9Gawja4Y9mFVWj2vyii2bbUNDw3kt9VxK2EY= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kylelemons/godebug v1.1.0/go.mod 
h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01 h1:EPw7R3OAyxHBCyl0oqh3lUZqS5lu3KSxzzGasE0opXQ= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= -github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= -github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4= -github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= github.com/magefile/mage v1.9.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magefile/mage v1.11.0 h1:C/55Ywp9BpgVVclD3lRnSYCwXTYxmSppIgLeDYlNuls= github.com/magefile/mage v1.11.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.1 h1:mdxE1MF9o53iCb2Ghj1VfWvh7ZOwHpnVG/xwXrV90U8= github.com/mailru/easyjson v0.7.1/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= -github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= 
-github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= github.com/markbates/pkger v0.17.0 h1:RFfyBPufP2V6cddUyyEVSHBpaAnM1WzaMNyqomeT+iY= github.com/markbates/pkger v0.17.0/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI= -github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= +github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11 h1:YFh+sjyJTMQSYjKwM4dFKhJPJC/wfo98tPUc17HdoYw= github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11/go.mod h1:Ah2dBMoxZEqk118as2T4u4fjfXarE0pPnMJaArZQZsI= -github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6 h1:6Su7aK7lXmJ/U79bYtBjLNaha4Fs1Rg9plHpcH+vvnE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-ieproxy v0.0.0-20190610004146-91bb50d98149/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc= github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe h1:YioO2TiJyAHWHyCRQCP8jk5IzTqmsbGc5qQPIhHo6xs= github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E= -github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= -github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= github.com/mattn/go-isatty v0.0.12/go.mod 
h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= -github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-runewidth v0.0.3/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0= github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= +github.com/mattn/go-sqlite3 v1.9.0 h1:pDRiWfl+++eC2FEFRy6jXmQlvp4Yh3z1MJKg4UeYM/4= github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= -github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= -github.com/mattn/go-tty v0.0.0-20180907095812-13ff1204f104/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= -github.com/miekg/dns v1.1.41 h1:WMszZWJG0XmzbK9FEmzH2TVcqYzFesusSIB41b8KHxY= -github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI= -github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= -github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI= -github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/miekg/dns v1.1.25 h1:dFwPR6SfLtrSwgDcIq2bcU/gVutB4sNApq2HBdqcakg= +github.com/miekg/dns v1.1.25/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= github.com/mitchellh/go-homedir v1.1.0 
h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= -github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= -github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= github.com/mitchellh/gox v1.0.1 h1:x0jD3dcHk9a9xPSDN6YEL4xL6Qz0dvNYm8yZqui5chI= github.com/mitchellh/gox v1.0.1/go.mod h1:ED6BioOGXMswlXa2zxfh/xdd5QhwYliBFn9V18Ap4z4= github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51 h1:qdHlMllk/PTLUrX3XdtXDrLL1lPSfcqUmJD1eYfbapg= github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ= github.com/mitchellh/iochan v1.0.0 h1:C+X3KsSTLFVBr/tK1eYN/vs4rJcvsiLU338UhYPJWeY= github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= -github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/mitchellh/mapstructure v1.3.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.3.3 h1:SzB1nHZ2Xi+17FP0zVQBHIZqvwRN9408fJO8h+eeNA8= github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/mapstructure v1.4.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag= -github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod 
h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= -github.com/mschoch/smat v0.0.0-20160514031455-90eadee771ae/go.mod h1:qAyveg+e4CE+eKJXWVjKXM4ck2QobLqTDytGJbLLhJg= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg= -github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU= -github.com/nats-io/nats-server/v2 v2.1.2/go.mod h1:Afk+wRZqkMQs/p45uXdrVLuab3gwv3Z8C4HTBu8GD/k= -github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzEE/Zbp4w= -github.com/nats-io/nkeys v0.1.0/go.mod 
h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= -github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= -github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= -github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= -github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.5.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw= github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.2.0/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega 
v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= -github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= -github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483 h1:eFd3FsB01m/zNg/yBMYdm/XqiqCztcN9SVRPtGtzDHo= +github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 h1:yN8BPXVwMBAm3Cuvh1L5XE8XpvYRMdsVLd82ILprhUU= github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= 
@@ -944,17 +612,6 @@ github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rm github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= -github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis= -github.com/opentracing-contrib/go-stdlib v1.0.0/go.mod h1:qtI1ogk+2JhVPIXVc6q+NHziSmy2W5GbdQZFUHADCBU= -github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74= -github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= -github.com/opentracing/opentracing-go v1.0.3-0.20180606204148-bd9c31933947/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= -github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= -github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= -github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxSfWAKL3wpBW7V8scJMt8N8gnaMCS9E/cA= -github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= -github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= -github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= github.com/osquery/osquery-go v0.0.0-20210622151333-99b4efa62ec5 h1:E275nJIUAvIK/RSN8cq9MAcRLk23jaZq+s24B0I8bEw= github.com/osquery/osquery-go v0.0.0-20210622151333-99b4efa62ec5/go.mod h1:JKR5QhjsYdnIPY7hakgas5sxf8qlA/9wQnLqaMfWdcg= github.com/otiai10/copy v1.2.0 h1:HvG945u96iNadPoG2/Ja2+AUJeW5YuFQMixq9yirC+k= 
@@ -962,21 +619,12 @@ github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJCh github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo= +github.com/otiai10/mint v1.3.1 h1:BCmzIS3n71sGfHB5NMNDB3lHYPz8fWSkCAErHed//qc= github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= +github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2 h1:CXwSGu/LYmbjEab5aMCs5usQRVBGThelUKBNnoSOuso= github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOThbttwfYRNFOWLLVXMhk5Lkio4GGOtw5UrxS0= -github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM= -github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= -github.com/paulbellamy/ratecounter v0.2.0/go.mod h1:Hfx1hDpSGoqxkVVpBi/IlYD7kChlfo5C6hzIHwPqfFE= -github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo= -github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= -github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/peterh/liner v1.0.1-0.20180619022028-8c1271fcf47f/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc= -github.com/philhofer/fwd v1.0.0/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU= -github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= 
-github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrec/lz4 v2.6.0+incompatible h1:Ix9yFKn1nSPBLFl/yZknTp8TU5G4Ps0JDmguYK6iH1A= github.com/pierrec/lz4 v2.6.0+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0 h1:i5VIxp6QB8oWZ8IkK8zrDgeT6ORGIUeiN+61iETwJbI= 
@@ -987,72 +635,39 @@ github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA= -github.com/pkg/term v0.0.0-20180730021639-bffc007b7fd5/go.mod h1:eCbImbZ95eXtAUIbLAuAVnBnwf83mjf6QIVH8SHYwqQ= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= -github.com/prometheus/alertmanager v0.21.0/go.mod h1:h7tJ81NA0VLWvWEayi1QltevFkLF3KxmC/malTcT8Go= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og= -github.com/prometheus/client_golang v1.6.0/go.mod h1:ZLOG9ck3JLRdB5MgO8f+lLTe83AXG6ro35rLTxvnIl4= -github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= -github.com/prometheus/client_golang v1.10.0 h1:/o0BDeWzLWXNZ+4q5gXltUvaMpJqckTa+jTNoB+z4cg= -github.com/prometheus/client_golang v1.10.0/go.mod h1:WJM3cc3yu7XKBKa/I8WeZm+V3eltZnBwfENSU7mdogU= +github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc 
h1:6B8wpniGN4FtqzqWhe2OBOGkeZFbhwZpCh+V/pv/oik= +github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc/go.mod h1:ikMPikHu8SMvBGWoKulvvOOZN227amf2E9eMYqyAwAY= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= -github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 h1:gQz4mCbXsO+nc9n1hCxHcGA3Zx3Eo+UHZoInFGUIXNM= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= -github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= +github.com/prometheus/common v0.7.0 h1:L+1lyG48J1zAQXA3RBX/nG/B3gjlHq0zTt2tlbJLyCY= github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA= -github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= -github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= -github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= -github.com/prometheus/common v0.18.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= -github.com/prometheus/common v0.20.0 h1:pfeDeUdQcIxOMutNjCejsEFp7qeP+/iltHSSmLpE+hU= 
-github.com/prometheus/common v0.20.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= -github.com/prometheus/exporter-toolkit v0.5.1/go.mod h1:OCkM4805mmisBhLmVFw858QYi3v0wKdY6/UxrT0pZVg= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= -github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= +github.com/prometheus/procfs v0.0.11 h1:DhHlBtkHWPYi8O2y31JkK0TF+DGM+51OopZjH/Ia5qI= github.com/prometheus/procfs v0.0.11/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= -github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= -github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4= -github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/prometheus/prometheus v1.8.2-0.20210518124745-6eeded0fdf76 h1:vRfDo7efjlYnfHzotZZfnuhL8vojzf3ZXhah/a89NDo= -github.com/prometheus/prometheus v1.8.2-0.20210518124745-6eeded0fdf76/go.mod h1:sf7j/iAbhZahjeC0s3wwMmp5dksrJ/Za1UKdR+j6Hmw= -github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/prometheus/prometheus v1.8.2-0.20210701133801-b0944590a1c9 h1:If7jYp33vwa8ZQ7GGwrAs0SBjiW0aWeAB/oV1aG7bZ4= +github.com/prometheus/prometheus v1.8.2-0.20210701133801-b0944590a1c9/go.mod h1:A97P+iwS3Ffpxpejz4+ASZl6i9EqSJDzxObq8DjV2SU= 
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/retailnext/hllpp v1.0.1-0.20180308014038-101a6d2f8b52/go.mod h1:RDpi1RftBQPUCDRw6SmxeaREsAaRKnOclghuzp/WRzc= -github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= -github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= -github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= -github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e h1:hUGyBE/4CXRPThr4b6kt+f1CN90no4Fs5CNrYOKYSIg= github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e/go.mod h1:Sb6li54lXV0yYEjI4wX8cucdQ9gqUJV3+Ngg3l9g30I= github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54 h1:jbchLJWyhKcmOjkbC4zDvT/n5EEd7g6hnnF760rEyRA= github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54/go.mod h1:Vrkh1pnjV9Bl8c3P9zH0/D4NlOHWP5d4/hF4YTULaec= -github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b 
h1:jUK33OXuZP/l6babJtnLo1qsGvq6G9so9KMflGAm4YA= github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b/go.mod h1:8458kAagoME2+LN5//WxE71ysZ3B7r22fdgb7qVmXSY= github.com/sanathkr/yaml v0.0.0-20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ= @@ -1060,11 +675,8 @@ github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522 h1:39BJIaZIhIBmXAT github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ= github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis= github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4= +github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= -github.com/scaleway/scaleway-sdk-go v1.0.0-beta.7.0.20210223165440-c65ae3540d44/go.mod h1:CJJ5VAbozOl0yEw7nHB9+7BXTJbIn6h7W+f6Gau5IP8= -github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/segmentio/kafka-go v0.1.0/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo= -github.com/segmentio/kafka-go v0.2.0/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= 
@@ -1072,48 +684,36 @@ github.com/shirou/gopsutil v3.20.12+incompatible h1:6VEGkOXP/eP4o2Ilk8cSsX0PhOEf github.com/shirou/gopsutil v3.20.12+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= -github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg= -github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/shurcooL/vfsgen v0.0.0-20181202132449-6a9ea43bcacd/go.mod h1:TrYk7fJVaAttu97ZZKrO9UbRa8izdowaMIZcxYMbVaw= -github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546/go.mod h1:TrYk7fJVaAttu97ZZKrO9UbRa8izdowaMIZcxYMbVaw= github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= -github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I= -github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a h1:pa8hGb/2YqsZKovtsgrwcDH1RZhVbTKCjLp47XpqCDs= github.com/smartystreets/goconvey 
v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= -github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= -github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= -github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI= github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.3.2/go.mod 
h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= -github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= -github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= -github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.2.0/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -1123,41 +723,31 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= -github.com/tinylib/msgp v1.0.2/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE= -github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b h1:X/8hkb4rQq3+QuOxpJK7gWmAXmZucF0EI1s1BfBLq6U= github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b/go.mod h1:jAqhj/JBVC1PwcLTWd6rjQyGyItxxrhpiBl8LSuAGmw= github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786 h1:B/IVHYiI0d04dudYw+CvCAGqSMq8d0yWy56eD6p85BQ= github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786/go.mod h1:RIkfovP3Y7my19aXEjjbNd9E5TlHozzAyt7B8AaEcwg= -github.com/uber/jaeger-client-go v2.25.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk= -github.com/uber/jaeger-lib v2.4.0+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U= github.com/ugorji/go v1.1.8 h1:/D9x7IRpfMHDlizVOgxrag5Fh+/NY+LtI8bsr+AswRA= github.com/ugorji/go v1.1.8/go.mod h1:0lNM99SwWUIRhCXnigEMClngXBk/EmpTXa7mgiewYWA= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= github.com/ugorji/go/codec v1.1.8 h1:4dryPvxMP9OtkjIbuNeK2nb27M38XMHLGlfNSNph/5s= github.com/ugorji/go/codec v1.1.8/go.mod h1:X00B19HDtwvKbQY2DcYjvZxKQp8mzrJoQ6EgoIY/D2E= github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= -github.com/urfave/cli v1.20.0/go.mod 
h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= -github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urso/diag v0.0.0-20200210123136-21b3cc8eb797 h1:OHNw/6pXODJAB32NujjdQO/KIYQ3KAbHQfCzH81XdCs= github.com/urso/diag v0.0.0-20200210123136-21b3cc8eb797/go.mod h1:pNWFTeQ+V1OYT/TzWpnWb6eQBdoXpdx+H+lrH97/Oyo= github.com/urso/go-bin v0.0.0-20180220135811-781c575c9f0e h1:NiofbjIUI5gR+ybDsGSVH1fWyjSeDYiYVJHT1+kcsak= github.com/urso/go-bin v0.0.0-20180220135811-781c575c9f0e/go.mod h1:6GfHrdWBQYjFRIznu7XuQH4lYB2w8nO4bnImVKkzPOM= github.com/urso/magetools v0.0.0-20190919040553-290c89e0c230 h1:Ft1EJ6JL0F/RV6o2qJ1Be+wYxjYUSfRA3srfHgSgojc= github.com/urso/magetools v0.0.0-20190919040553-290c89e0c230/go.mod h1:DFxTNgS/ExCGmmjVjSOgS2WjtfjKXgCyDzAFgbtovSA= +github.com/urso/qcgen v0.0.0-20180131103024-0b059e7db4f4 h1:hhA8EBThzz9PztawVTycKvfETVuBqxAQ5keFlAVtbAw= github.com/urso/qcgen v0.0.0-20180131103024-0b059e7db4f4/go.mod h1:RspW+E2Yb7Fs7HclB2tiDaiu6Rp41BiIG4Wo1YaoXGc= github.com/urso/sderr v0.0.0-20210525210834-52b04e8f5c71 h1:CehQeKbysHV8J2V7AD0w8NL2x1h04kmmo/Ft5su4lU0= github.com/urso/sderr v0.0.0-20210525210834-52b04e8f5c71/go.mod h1:Wp40HwmjM59FkDIVFfcCb9LzBbnc0XAMp8++hJuWvSU= github.com/vbatts/tar-split v0.11.1/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g= -github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41 h1:NeNpIvfvaFOh0BH7nMEljE5Rk/VJlxhm58M41SeOD20= github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= -github.com/willf/bitset v1.1.3/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= -github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= github.com/xdg/scram v1.0.3 h1:nTadYh2Fs4BK2xdldEa2g5bbaZp0/+1nJMMPtPxS/to= github.com/xdg/scram v1.0.3/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= 
-github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= github.com/xdg/stringprep v1.0.3 h1:cmL5Enob4W83ti/ZHuZLuKD/xqJfus4fVPwE+/BDm+4= github.com/xdg/stringprep v1.0.3/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= @@ -1165,9 +755,6 @@ github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= github.com/xeipuuv/gojsonschema v0.0.0-20181112162635-ac52e6811b56/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/xlab/treeprint v0.0.0-20180616005107-d6fb6747feb6/go.mod h1:ce1O1j6UtZfjr22oyGxGLbauSBp2YVXpARAosm7dHBg= -github.com/xlab/treeprint v1.0.0/go.mod h1:IoImgRak9i3zJyuxOKUP1v4UZd1tMoKkq/Cimt1uhCg= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7 h1:0gYLpmzecnaDCoeWxSfEJ7J1b6B/67+NV++4HKQXx+Y= github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7/go.mod h1:aEV29XrmTYFr3CiRxZeGHpkvbwq+prZduBqMaascyCU= 
@@ -1185,82 +772,43 @@ go.elastic.co/fastjson v1.1.0 h1:3MrGBWWVIxe/xvsbpghtkFoPciPhOCmjsR/HfwEeQR4= go.elastic.co/fastjson v1.1.0/go.mod h1:boNGISWMjQsUPy/t6yqt2/1Wx4YNPSe+mZjlyw9vKKI= go.elastic.co/go-licence-detector v0.4.0 h1:it5dP+6LPxLsosdhtbAqk/zJQxzS0QSSpdNkKVuwKMs= go.elastic.co/go-licence-detector v0.4.0/go.mod h1:fSJQU8au4SAgDK+UQFbgUPsXKYNBDv4E/dwWevrMpXU= -go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg= go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= -go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= -go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= -go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= -go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= -go.mongodb.org/mongo-driver v1.3.0/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE= -go.mongodb.org/mongo-driver v1.3.4/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE= -go.mongodb.org/mongo-driver v1.4.3/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= -go.mongodb.org/mongo-driver v1.4.4/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= -go.mongodb.org/mongo-driver v1.4.6/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= -go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= -go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2 h1:75k/FF0Q2YM8QYo07VPddOLBslDt1MZOdEslOHvmzAs= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 
-go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= -go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= -go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= -go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/goleak v1.0.0 h1:qsup4IcBdlmsnGfqyLl4Ntn3C2XCCuKAE7DwHpScyUo= go.uber.org/goleak v1.0.0/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= -go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= -go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0 h1:sFPn2GLc3poCkfrpIXGhBD2X0CMIo4Q/zSULXrj/+uc= go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= -go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= go.uber.org/zap v1.14.0 h1:/pduUoebOeeJzTDFuoMgC6nRkiasr1sBCIEorly7m4o= go.uber.org/zap v1.14.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod 
h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= -golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e h1:gsTQYXdTw2Gq7RBsWvlQ91b+aEQ6bXFUngBGuR8sPpI= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= -golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= -golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299 h1:zQpM52jfKHG6II1ISZY1ZcpygvuSFZpLwfluuF89XOg= golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= -golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= 
-golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -1271,35 +819,22 @@ golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/lint v0.0.0-20200130185559-910be7a94367 h1:0IiAsCRByjO2QjX7ZPkw5oU9x+n1YqRL802rjC0c3Aw= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 h1:2M3HP5CCK1Si9FQhwnzYhXdG6DXeebvUHFpre8QvbyI= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo= golang.org/x/mod 
v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -1307,37 +842,18 @@ golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191021144547-ec77196f6094/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod 
h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200425230154-ff2c4b7c35a0/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210324051636-2c4c8ecb7826/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q= golang.org/x/net 
v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -1345,133 +861,73 @@ golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558 h1:D7nTwh4J0i+5mW4Zjzn5omvlr6YBcWywE6KOcatyNxY= -golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync 
v0.0.0-20190412183630-56d357773e84/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180810173357-98c5dad5d1a0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190529164535-6a60838ec259/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys 
v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191025021431-6c3a3bfe00ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191220142924-d4481acd189f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200107162124-548cf772de50/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
-golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210314195730-07df6a141424/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs= 
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba h1:O8mE0/t419eoIwhTFpKVkHiTs/Igowgfkj25AcZrtiE= -golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0 h1:6txNFSnY+tteYoO+hf01EpdYcYZiurdC9MDIrcUzEu4= golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1479,111 +935,42 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo= -gonum.org/v1/gonum v0.0.0-20181121035319-3f7ecaa7e8ca/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo= -gonum.org/v1/gonum v0.6.0/go.mod h1:9mxDZsDKxgMAuccQkewq682L+0eCu4dCN2yonUJTCLU= -gonum.org/v1/netlib v0.0.0-20181029234149-ec6d1f5cefe6/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= -gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= -gonum.org/v1/plot v0.0.0-20190515093506-e2840ee46a6b/go.mod h1:Wt8AAjI+ypCyYX3nZBvf6cAIx93T+c/OS2HFAYskSZc= -google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.15.0 h1:yzlyyDW/J0w8yNFJIhiAJy4kq74S+1DOLdawELNxFMA= google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 
-google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= -google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= -google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= -google.golang.org/api v0.42.0 h1:uqATLkpxiBrhrvFoebXUjvyzE9nQf+pVyy0Z0IHE+fc= -google.golang.org/api v0.42.0/go.mod h1:+Oj4s6ch2SEGtPjGqfUfZonBH0GjQH89gTeKKAEGZKI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= -google.golang.org/appengine v1.6.7/go.mod 
h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190530194941-fb225487d101/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= -google.golang.org/genproto v0.0.0-20190716160619-c506a9f90610/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200108215221-bd8f9a0ef82f/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod 
h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= -google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto 
v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb h1:hcskBH5qZCOa7WpTUFUFvoebnSFZBYpjykLtjIp9DVk= google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210312152112-fc591d9ea70f h1:YRBxgxUW6GFi+AKsn8WGA9k1SZohK+gGuEqdeT5aoNQ= -google.golang.org/genproto v0.0.0-20210312152112-fc591d9ea70f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= -google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= 
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= +google.golang.org/grpc v1.29.1 h1:EC2SB8S04d2r73uptxphDSUG+kTKVgjRPF+N3xpxRB4= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= -google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= -google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= -google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.0 h1:o1bcQ6imQMIOpdrO3SWf2z5RV72WbDwdXuK0MDlc8As= -google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -1601,13 +988,11 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/fsnotify/fsnotify.v1 v1.4.7/go.mod h1:Fyux9zXlo4rWoMSIzpn9fDAYjalPqJ/K1qJ27s+7ltE= -gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= 
@@ -1623,67 +1008,51 @@ gopkg.in/jcmturner/rpc.v1 v1.1.0 h1:QHIUxTX1ISuAv9dD2wJ9HWQVuWDX/Zc0PfeC2tjc4rU= gopkg.in/jcmturner/rpc.v1 v1.1.0/go.mod h1:YIdkC4XfD6GXbzje11McwsDuOlZQSb9W4vfLvuNnlv8= gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528 h1:/saqWwm73dLmuzbNhe92F0QsZ/KiFND+esHco2v1hiY= gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA= -gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= -gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 
v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/gotestsum v0.6.0 h1:0zIxynXq9gkAcRpboAi3qOQIkZkCt/stfQzd7ab7Czs= gotest.tools/gotestsum v0.6.0/go.mod h1:LEX+ioCVdeWhZc8GYfiBRag360eBhwixWJ62R9eDQtI= -gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= +gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= -honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8= -honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= howett.net/plist v0.0.0-20181124034731-591f970eefbb h1:jhnBjNi9UFpfpl8YZhA9CrOqpnJdvzuiHsl/dnxl11M= howett.net/plist 
v0.0.0-20181124034731-591f970eefbb/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0= -k8s.io/api v0.20.5 h1:zsMTffV0Le2EiI0aKvlTHEnXGxk1HiqGRhJcCPiI7JI= -k8s.io/api v0.20.5/go.mod h1:FQjAceXnVaWDeov2YUWhOb6Yt+5UjErkp6UO3nczO1Y= -k8s.io/apimachinery v0.20.5 h1:wO/FxMVRn223rAKxnBbwCyuN96bS9MFTIvP0e/V7cps= -k8s.io/apimachinery v0.20.5/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= -k8s.io/client-go v0.20.5 h1:dJGtYUvFrFGjQ+GjXEIby0gZWdlAOc0xJBJqY3VyDxA= -k8s.io/client-go v0.20.5/go.mod h1:Ee5OOMMYvlH8FCZhDsacjMlCBwetbGZETwo1OA+e6Zw= +k8s.io/api v0.19.4 h1:I+1I4cgJYuCDgiLNjKx7SLmIbwgj9w7N7Zr5vSIdwpo= +k8s.io/api v0.19.4/go.mod h1:SbtJ2aHCItirzdJ36YslycFNzWADYH3tgOhvBEFtZAk= +k8s.io/apimachinery v0.19.4 h1:+ZoddM7nbzrDCp0T3SWnyxqf8cbWPT2fkZImoyvHUG0= +k8s.io/apimachinery v0.19.4/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= +k8s.io/client-go v0.19.4 h1:85D3mDNoLF+xqpyE9Dh/OtrJDyJrSRKkHmDXIbEzer8= +k8s.io/client-go v0.19.4/go.mod h1:ZrEy7+wj9PjH5VMBCuu/BDlvtUAku0oVFk4MmnW9mWA= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= -k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= -k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.8.0 h1:Q3gmuM9hKEjefWFFYF0Mat+YyFJvsUyYuwyNNJ5C9Ts= -k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= -k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd h1:sOHNzJIkytDF6qadMNKhhDRpc6ODik8lVC6nOur7B2c= -k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= +k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6 
h1:+WnxoVtG8TMiudHBSEtrVL1egv36TkkJm+bA8AxicmQ= +k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= -k8s.io/utils v0.0.0-20201110183641-67b214c5f920 h1:CbnUZsM497iRC5QMVkHwyl8s2tB3g7yaSHkYPkpgelw= -k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20200729134348-d5654de09c73 h1:uJmqzgNWG7XyClnU/mLPBWwfKKF1K8Hf8whTseBgJcg= +k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= -rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= -rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/structured-merge-diff/v4 v4.0.2 h1:YHQV7Dajm86OuqnIR6zAelnDWBRjo+YhYV9PmGrh1s8= -sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.0.1 h1:YXTMot5Qz/X1iBRJhAt+vI+HVttY0WkSqqhKxQ0xVbA= +sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= -sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU= From 22af3f75b5ce4cd8acc6447101d1004a12c0a0f9 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Wed, 8 Sep 2021 23:43:02 -0700 Subject: [PATCH 13/63] Remove reference to host --- metricbeat/docs/modules/openmetrics/collector.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/metricbeat/docs/modules/openmetrics/collector.asciidoc b/metricbeat/docs/modules/openmetrics/collector.asciidoc index 2b184916aa9..d9025cb1ef9 100644 --- a/metricbeat/docs/modules/openmetrics/collector.asciidoc +++ b/metricbeat/docs/modules/openmetrics/collector.asciidoc @@ -9,7 +9,7 @@ beta[] include::../../../module/openmetrics/collector/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. +This is a default metricset. ==== Fields From 12bf19d0f97854a3ee97033e8d225cb9550861bd Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Wed, 8 Sep 2021 23:48:42 -0700 Subject: [PATCH 14/63] Remove left over comment --- metricbeat/helper/openmetrics/openmetrics.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/metricbeat/helper/openmetrics/openmetrics.go b/metricbeat/helper/openmetrics/openmetrics.go index db2aa964730..9e4abc6428b 100644 --- a/metricbeat/helper/openmetrics/openmetrics.go +++ b/metricbeat/helper/openmetrics/openmetrics.go @@ -959,8 +959,6 @@ func MatchMetricFamily(family string, matchMetrics []*regexp.Regexp) bool { return false } -//type Format string - const ( TextVersion = "0.0.4" OpenMetricsType = `application/openmetrics-text` @@ -972,7 +970,6 @@ const ( const ( hdrContentType = "Content-Type" - hdrAccept = "Accept" ) func getContentType(h http.Header) string { From 9aadfff3191a8a517b0414757528f5626b15317d Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Wed, 8 Sep 2021 23:53:29 -0700 Subject: [PATCH 15/63] Change to uppercase --- metricbeat/docs/fields.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index a554143d1c3..6939fd8a41d 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -50860,7 +50860,7 @@ type: keyword *`openmetrics.type`*:: + -- -metric type +Metric type type: keyword 
@@ -50870,7 +50870,7 @@ type: keyword *`openmetrics.unit`*:: + -- -metric unit +Metric unit type: keyword @@ -50880,7 +50880,7 @@ type: keyword *`openmetrics.created`*:: + -- -metric creation time in seconds +Metric creation time in seconds type: keyword From 5c31a666b79d2a6956347c756d1e39f4da3971b5 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Wed, 8 Sep 2021 23:59:25 -0700 Subject: [PATCH 16/63] Change to uppercase, add missing word exemplar --- metricbeat/docs/fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index 6939fd8a41d..2c57769dadc 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -50920,7 +50920,7 @@ type: object *`openmetrics.exemplar.labels.*`*:: + -- -Openmetrics metric labels +Openmetrics metric exemplar labels type: object From ff6154275fbdf4fc6737071f96856f13efe4d48a Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 16 Sep 2021 00:21:59 -0700 Subject: [PATCH 17/63] Fix lint error for missing azure-sdk-for-go entry in go.sum --- go.mod | 2 +- go.sum | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 86424943f1f..f7ce75c505b 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( code.cloudfoundry.org/go-loggregator v7.4.0+incompatible code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a // indirect github.com/Azure/azure-event-hubs-go/v3 v3.1.2 - github.com/Azure/azure-sdk-for-go v37.1.0+incompatible + github.com/Azure/azure-sdk-for-go v55.2.0+incompatible github.com/Azure/azure-storage-blob-go v0.8.0 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect github.com/Azure/go-autorest/autorest v0.9.6 diff --git a/go.sum b/go.sum index 36c8653d178..9caee812069 100644 --- a/go.sum +++ b/go.sum 
@@ -35,6 +35,9 @@ github.com/Azure/azure-pipeline-go v0.2.1 h1:OLBdZJ3yvOn2MezlWvbrBMTEUQC72zAftRZ github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= github.com/Azure/azure-sdk-for-go v37.1.0+incompatible h1:aFlw3lP7ZHQi4m1kWCpcwYtczhDkGhDoRaMTaxcOf68= github.com/Azure/azure-sdk-for-go v37.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v41.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v55.2.0+incompatible h1:TL2/vJWJEPOrmv97nHcbvjXES0Ntlb9P95hqGA1J2dU= +github.com/Azure/azure-sdk-for-go v55.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-storage-blob-go v0.6.0/go.mod h1:oGfmITT1V6x//CswqY2gtAHND+xIP64/qL7a5QJix0Y= github.com/Azure/azure-storage-blob-go v0.8.0 h1:53qhf0Oxa0nOjgbDeeYPUeyiNmafAFEY95rZLK0Tj6o= github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0= From 7449bd7c9913447222ce9c76919d50289e73435f Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 16 Sep 2021 00:44:39 -0700 Subject: [PATCH 18/63] Fix lint error for missing Azure/go-autorest/autorest entry in go.sum --- go.mod | 2 +- go.sum | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index f7ce75c505b..13c15c2e3a4 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/Azure/azure-sdk-for-go v55.2.0+incompatible github.com/Azure/azure-storage-blob-go v0.8.0 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect - github.com/Azure/go-autorest/autorest v0.9.6 + github.com/Azure/go-autorest/autorest v0.11.19 github.com/Azure/go-autorest/autorest/adal v0.9.15 github.com/Azure/go-autorest/autorest/azure/auth v0.4.2 github.com/Azure/go-autorest/autorest/date v0.3.0 diff --git a/go.sum b/go.sum index 9caee812069..2746458419b 100644 --- a/go.sum +++ b/go.sum 
@@ -51,6 +51,11 @@ github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+B github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= github.com/Azure/go-autorest/autorest v0.9.6 h1:5YWtOnckcudzIw8lPPBcWOnmIFWMtHci1ZWAZulMSx0= github.com/Azure/go-autorest/autorest v0.9.6/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= +github.com/Azure/go-autorest/autorest v0.10.0/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= +github.com/Azure/go-autorest/autorest v0.10.1/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= +github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= +github.com/Azure/go-autorest/autorest v0.11.19 h1:7/IqD2fEYVha1EPeaiytVKhzmPV223pfkRIQUGOK2IE= +github.com/Azure/go-autorest/autorest v0.11.19/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= From 143cce1a5d9f1209b911a495f4eecb9c7a7d2ad3 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 16 Sep 2021 01:27:34 -0700 Subject: [PATCH 19/63] Fix lint error for missing Azure/go-autorest/autorest/adal entry in go.sum --- go.sum | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/go.sum b/go.sum index 2746458419b..cc27cd010b3 100644 --- a/go.sum +++ b/go.sum 
@@ -60,6 +60,10 @@ github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEg github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.8.3/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= +github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= +github.com/Azure/go-autorest/autorest/adal v0.9.14/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= github.com/Azure/go-autorest/autorest/adal v0.9.15 h1:X+p2GF0GWyOiSmqohIaEeuNFNDY4I4EOlVuUQvFdWMk= github.com/Azure/go-autorest/autorest/adal v0.9.15/go.mod h1:tGMin8I49Yij6AQ+rvV+Xa/zwxYQB5hmsd6DkfAx2+A= github.com/Azure/go-autorest/autorest/azure/auth v0.4.2 h1:iM6UAvjR97ZIeR93qTcwpKNMpV+/FTWjwEbuPD495Tk= From b48de011d6bba7a280b2269698ccc473e488731d Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 16 Sep 2021 08:42:15 -0700 Subject: [PATCH 20/63] Fix lint error for missing Azure/go-autorest/autorest/to entry in go.sum --- go.sum | 3 +++ 1 file changed, 3 insertions(+) diff --git a/go.sum b/go.sum index cc27cd010b3..3c4749197c8 100644 --- a/go.sum +++ b/go.sum 
@@ -81,8 +81,11 @@ github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPu github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/to v0.3.0 h1:zebkZaadz7+wIQYgC7GXaz3Wb28yKYfVkkBKwc38VF8= github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= +github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= +github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= github.com/Azure/go-autorest/autorest/validation v0.2.0 h1:15vMO4y76dehZSq7pAaOLQxC6dZYsSrj2GQpflyM/L4= github.com/Azure/go-autorest/autorest/validation v0.2.0/go.mod h1:3EEqHnBxQGHXRYq3HT1WyXAvT7LLY3tl70hw6tQIbjI= +github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= From a508ebfe06588ce24bbae4ec7a61888bf2bc8255 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 16 Sep 2021 09:05:49 -0700 Subject: [PATCH 21/63] Fix lint error for missing HdrHistogram/hdrhistogram-go to entry in go.sum --- go.sum | 2 ++ 1 file changed, 2 insertions(+) diff --git a/go.sum b/go.sum index 3c4749197c8..b70e27e1d6c 100644 --- a/go.sum +++ b/go.sum 
@@ -97,6 +97,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/zstd v1.4.1 h1:3oxKN3wbHibqx897utPC2LTQU4J+IHWWJO+glkAkpFM= github.com/DataDog/zstd v1.4.1/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= +github.com/HdrHistogram/hdrhistogram-go v1.0.1 h1:GX8GAYDuhlFQnI2fRDHQhTlkHMz8bEn0jTI6LJU0mpw= +github.com/HdrHistogram/hdrhistogram-go v1.0.1/go.mod h1:BWJ+nMSHY3L41Zj7CA3uXnloDp7xxV0YvstAE7nKTaM= github.com/Masterminds/semver v1.4.2 h1:WBLTQ37jOCzSLtXNdoo8bNM8876KhNqOKvrlGITgsTc= github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Microsoft/hcsshim v0.8.7 h1:ptnOoufxGSzauVTsdE+wMYnCWA301PdoN4xg5oRdZpg= From ea797f09e61f19ff59cd48817102e354fdae62e9 Mon Sep 17 00:00:00 2001 
From: Premendra Singh Date: Thu, 16 Sep 2021 09:11:11 -0700 Subject: [PATCH 22/63] Merge remote-tracking branch 'beats_upstream/master' into openmetrics-collector --- .ci/packaging.groovy | 1 - CHANGELOG-developer.next.asciidoc | 1 + CHANGELOG.asciidoc | 6 + CHANGELOG.next.asciidoc | 18 +- NOTICE.txt | 75 +- .../module/file_integrity/metricset_test.go | 2 +- auditbeat/module/file_integrity/scanner.go | 5 + deploy/kubernetes/metricbeat-kubernetes.yaml | 3 + .../metricbeat-daemonset-configmap.yaml | 3 + dev-tools/ecs-migration.yml | 160 +- dev-tools/mage/check.go | 9 + dev-tools/mage/common.go | 47 + dev-tools/mage/crossbuild.go | 4 +- dev-tools/mage/modules.go | 70 + dev-tools/mage/pkg.go | 36 + dev-tools/mage/semver.go | 67 + dev-tools/vagrant_scripts/winProvision.ps1 | 4 +- filebeat/autodiscover/builder/hints/logs.go | 2 +- .../autodiscover/builder/hints/logs_test.go | 32 +- filebeat/beater/filebeat.go | 13 + filebeat/docs/fields.asciidoc | 29788 ++++++---------- .../docs/filebeat-modules-options.asciidoc | 4 + filebeat/docs/filebeat-options.asciidoc | 3 + filebeat/docs/getting-started.asciidoc | 5 +- filebeat/docs/inputs/input-journald.asciidoc | 223 + filebeat/docs/modules/aws.asciidoc | 23 + filebeat/docs/modules/cyberark.asciidoc | 79 - filebeat/docs/modules/gsuite.asciidoc | 146 - filebeat/docs/modules/sophos.asciidoc | 8 +- filebeat/docs/modules_list.asciidoc | 4 - filebeat/filebeat.reference.yml | 30 +- filebeat/fileset/compatibility.go | 26 +- filebeat/fileset/compatibility_test.go | 116 +- filebeat/fileset/modules.go | 75 +- filebeat/fileset/modules_integration_test.go | 8 +- filebeat/fileset/modules_test.go | 180 +- filebeat/input/default-inputs/inputs_linux.go | 11 +- filebeat/input/filestream/input.go | 22 +- .../filestream/parsers_integration_test.go | 6 + filebeat/input/journald/input_stub.go | 30 + filebeat/input/v2/simplemanager.go | 6 +- filebeat/magefile.go | 25 +- filebeat/module/apache/_meta/config.yml | 4 +- 
filebeat/module/apache/_meta/fields.yml | 128 - filebeat/module/apache/fields.go | 2 +- filebeat/module/apache2/module.yml | 1 - filebeat/module/auditd/_meta/config.yml | 2 +- .../module/elasticsearch/_meta/config.yml | 10 +- filebeat/module/haproxy/_meta/config.yml | 2 +- filebeat/module/icinga/_meta/config.yml | 6 +- filebeat/module/iis/_meta/config.yml | 6 +- filebeat/module/kafka/_meta/config.yml | 2 +- filebeat/module/kibana/_meta/config.yml | 4 +- filebeat/module/logstash/_meta/config.yml | 4 +- filebeat/module/mongodb/_meta/config.yml | 2 +- filebeat/module/mysql/_meta/config.yml | 4 +- filebeat/module/nats/_meta/config.yml | 2 +- filebeat/module/nginx/_meta/config.yml | 4 +- .../module/osquery/_meta/config.reference.yml | 6 +- filebeat/module/osquery/_meta/config.yml | 2 +- filebeat/module/pensando/_meta/config.yml | 2 +- filebeat/module/postgresql/_meta/config.yml | 2 +- filebeat/module/redis/_meta/config.yml | 4 +- filebeat/module/santa/_meta/config.yml | 2 +- filebeat/module/system/_meta/config.yml | 4 +- filebeat/module/traefik/_meta/config.yml | 2 +- filebeat/modules.d/apache.yml.disabled | 4 +- filebeat/modules.d/auditd.yml.disabled | 2 +- filebeat/modules.d/elasticsearch.yml.disabled | 10 +- filebeat/modules.d/haproxy.yml.disabled | 2 +- filebeat/modules.d/icinga.yml.disabled | 6 +- filebeat/modules.d/iis.yml.disabled | 6 +- filebeat/modules.d/kafka.yml.disabled | 2 +- filebeat/modules.d/kibana.yml.disabled | 4 +- filebeat/modules.d/logstash.yml.disabled | 4 +- filebeat/modules.d/mongodb.yml.disabled | 2 +- filebeat/modules.d/mysql.yml.disabled | 4 +- filebeat/modules.d/nats.yml.disabled | 2 +- filebeat/modules.d/nginx.yml.disabled | 4 +- filebeat/modules.d/osquery.yml.disabled | 2 +- filebeat/modules.d/pensando.yml.disabled | 2 +- filebeat/modules.d/postgresql.yml.disabled | 2 +- filebeat/modules.d/redis.yml.disabled | 4 +- filebeat/modules.d/santa.yml.disabled | 2 +- filebeat/modules.d/system.yml.disabled | 4 +- 
filebeat/modules.d/traefik.yml.disabled | 2 +- filebeat/scripts/mage/build.go | 85 + filebeat/tests/system/test_modules.py | 24 +- go.mod | 7 +- go.sum | 30 +- .../docs/monitors/monitor-browser.asciidoc | 6 +- heartbeat/hbtest/hbtestutil.go | 9 + heartbeat/monitors/active/http/http_test.go | 106 + heartbeat/tests/system/test_monitor.py | 82 - libbeat/cmd/instance/beat_test.go | 17 +- libbeat/cmd/instance/metrics/metrics.go | 3 +- libbeat/common/encoding/xml/decode.go | 2 +- libbeat/common/encoding/xml/decode_test.go | 14 +- libbeat/dashboards/decode.go | 46 +- libbeat/dashboards/modify_json.go | 202 +- libbeat/dashboards/modify_json_test.go | 29 +- libbeat/docs/shared-docker.asciidoc | 5 +- .../metric/system/cgroup/cgcommon/metrics.go | 1 - libbeat/metric/system/cgroup/cgstats.go | 8 +- libbeat/metric/system/cpu/cpu.go | 5 +- .../metric/system/diskio/diskstat_linux.go | 6 +- libbeat/metric/system/numcpu/cpu_bsd.go | 55 + libbeat/metric/system/numcpu/cpu_cgo.go | 26 + libbeat/metric/system/numcpu/cpu_linux.go | 93 + .../metric/system/numcpu/cpu_linux_test.go | 49 + libbeat/metric/system/numcpu/cpu_other.go | 26 + libbeat/metric/system/numcpu/cpu_windows.go | 38 + libbeat/metric/system/numcpu/numcpu.go | 46 + libbeat/metric/system/numcpu/numcpu_test.go | 40 + libbeat/metric/system/process/process.go | 3 +- .../processors/decode_xml/decode_xml_test.go | 35 + libbeat/reader/message.go | 19 + libbeat/reader/message_test.go | 66 + libbeat/reader/readfile/bench_test.go | 83 + libbeat/reader/readfile/line.go | 32 +- libbeat/reader/readfile/metafields.go | 4 +- libbeat/reader/readfile/metafields_test.go | 4 +- metricbeat/docs/fields.asciidoc | 137 - metricbeat/mb/module/wrapper.go | 4 +- .../module/docker/diskio/_meta/fields.yml | 21 +- metricbeat/module/docker/diskio/data.go | 3 - metricbeat/module/docker/fields.go | 2 +- .../module/docker/network/_meta/fields.yml | 46 - metricbeat/module/docker/network/data.go | 14 - metricbeat/module/system/load/load.go | 5 +- 
monitors.d/plaintodos.yml | 12 + testing/environments/docker/kafka/Dockerfile | 8 +- .../environments/docker/kafka/healthcheck.sh | 2 +- x-pack/elastic-agent/CHANGELOG.next.asciidoc | 4 + .../pkg/agent/application/application.go | 3 +- .../handlers/handler_action_settings.go | 5 +- .../handlers/handler_action_upgrade.go | 3 +- .../pkg/agent/application/reexec/manager.go | 15 +- .../pkg/agent/application/upgrade/upgrade.go | 113 +- .../agent/application/upgrade/upgrade_test.go | 56 + x-pack/elastic-agent/pkg/agent/cmd/run.go | 2 +- x-pack/elastic-agent/pkg/agent/cmd/status.go | 9 +- .../pkg/agent/cmd/status_test.go | 125 + .../pkg/agent/control/server/server.go | 6 +- .../pkg/agent/install/perms_unix.go | 3 + .../pkg/agent/install/perms_windows.go | 3 + .../pkg/agent/operation/operator.go | 6 +- .../pkg/agent/program/supported.go | 2 +- .../artifact/download/snapshot/downloader.go | 13 +- x-pack/elastic-agent/pkg/release/version.go | 15 +- x-pack/elastic-agent/spec/filebeat.yml | 1 + .../docs/inputs/input-httpjson.asciidoc | 7 +- x-pack/filebeat/filebeat.reference.yml | 396 +- x-pack/filebeat/include/list.go | 2 - x-pack/filebeat/input/awss3/config.go | 4 +- x-pack/filebeat/input/awss3/config_test.go | 8 +- .../httpjson/internal/v2/config_response.go | 15 +- .../input/httpjson/internal/v2/pagination.go | 2 +- .../input/httpjson/internal/v2/request.go | 2 +- .../input/httpjson/internal/v2/split.go | 77 +- .../input/httpjson/internal/v2/split_test.go | 264 + .../httpjson/internal/v2/transform_set.go | 26 +- .../internal/v2/transform_set_test.go | 52 +- .../httpjson/internal/v2/transform_test.go | 4 +- x-pack/filebeat/magefile.go | 5 +- .../filebeat/module/activemq/_meta/config.yml | 4 +- .../filebeat/module/aws/_meta/docs.asciidoc | 23 + .../0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json | 150 +- .../513a3d70-4482-11ea-ad63-791a5dc86f10.json | 185 +- .../dae24080-739a-11ea-a345-f985c61fe654.json | 144 +- x-pack/filebeat/module/azure/_meta/config.yml | 2 +- 
.../module/barracuda/_meta/config.yml | 4 +- .../filebeat/module/bluecoat/_meta/config.yml | 2 +- x-pack/filebeat/module/cef/_meta/config.yml | 2 +- .../module/checkpoint/_meta/config.yml | 2 +- x-pack/filebeat/module/cisco/_meta/config.yml | 14 +- .../module/cisco/asa/_meta/fields.yml | 12 + .../cisco/asa/test/additional_messages.log | 9 +- .../additional_messages.log-expected.json | 509 +- .../cisco/asa/test/asa-fix.log-expected.json | 21 +- .../cisco/asa/test/asa.log-expected.json | 268 +- .../cisco/asa/test/filtered.log-expected.json | 1 + .../asa/test/hostnames.log-expected.json | 1 + .../cisco/asa/test/not-ip.log-expected.json | 2 + .../filebeat/module/cisco/asa/test/sample.log | 15 + .../cisco/asa/test/sample.log-expected.json | 1151 +- x-pack/filebeat/module/cisco/fields.go | 2 +- .../module/cisco/ftd/_meta/fields.yml | 6 + .../cisco/ftd/test/asa-fix.log-expected.json | 16 +- .../cisco/ftd/test/asa.log-expected.json | 268 +- .../cisco/ftd/test/dns.log-expected.json | 21 + .../ftd/test/intrusion.log-expected.json | 4 + .../cisco/ftd/test/not-ip.log-expected.json | 2 + .../cisco/ftd/test/sample.log-expected.json | 66 +- .../security-connection.log-expected.json | 10 + .../security-file-malware.log-expected.json | 10 + .../security-malware-site.log-expected.json | 1 + .../cisco/shared/ingest/asa-ftd-pipeline.yml | 125 +- .../filebeat/module/coredns/_meta/config.yml | 2 +- .../module/crowdstrike/_meta/config.yml | 2 +- x-pack/filebeat/module/cyberark/README.md | 7 - .../filebeat/module/cyberark/_meta/config.yml | 21 - .../module/cyberark/_meta/docs.asciidoc | 66 - .../filebeat/module/cyberark/_meta/fields.yml | 5 - .../module/cyberark/corepas/_meta/fields.yml | 2637 -- .../module/cyberark/corepas/config/input.yml | 87 - .../cyberark/corepas/config/liblogparser.js | 2514 -- .../cyberark/corepas/config/pipeline.js | 6239 ---- .../cyberark/corepas/ingest/pipeline.yml | 64 - .../module/cyberark/corepas/manifest.yml | 31 - .../cyberark/corepas/test/generated.log | 
100 - .../corepas/test/generated.log-expected.json | 5584 --- x-pack/filebeat/module/cyberark/fields.go | 23 - .../module/cyberarkpas/_meta/config.yml | 2 +- .../dashboard/Filebeat-cyberarkpas-audit.json | 398 +- .../filebeat/module/cylance/_meta/config.yml | 2 +- .../module/envoyproxy/_meta/config.yml | 2 +- x-pack/filebeat/module/f5/_meta/config.yml | 4 +- .../filebeat/module/fortinet/_meta/config.yml | 8 +- x-pack/filebeat/module/gcp/_meta/config.yml | 6 +- .../a97de660-73a5-11ea-a345-f985c61fe654.json | 144 +- .../module/google_workspace/_meta/config.yml | 12 +- .../module/googlecloud/_meta/config.yml | 55 - x-pack/filebeat/module/googlecloud/module.yml | 1 - .../filebeat/module/gsuite/_meta/config.yml | 50 - .../module/gsuite/_meta/docs.asciidoc | 133 - .../filebeat/module/gsuite/_meta/fields.yml | 42 - .../module/gsuite/admin/_meta/fields.yml | 271 - .../module/gsuite/admin/config/config.yml | 54 - .../module/gsuite/admin/config/pipeline.js | 967 - .../filebeat/module/gsuite/admin/manifest.yml | 25 - .../gsuite-admin-application-test.json.log | 9 - ...in-application-test.json.log-expected.json | 499 - .../test/gsuite-admin-calendar-test.json.log | 13 - ...admin-calendar-test.json.log-expected.json | 702 - .../test/gsuite-admin-chat-test.json.log | 4 - ...ite-admin-chat-test.json.log-expected.json | 215 - .../test/gsuite-admin-chromeos-test.json.log | 21 - ...admin-chromeos-test.json.log-expected.json | 1132 - .../test/gsuite-admin-contacts-test.json.log | 1 - ...admin-contacts-test.json.log-expected.json | 58 - .../gsuite-admin-delegatedadmin-test.json.log | 8 - ...delegatedadmin-test.json.log-expected.json | 430 - .../test/gsuite-admin-docs-test.json.log | 3 - ...ite-admin-docs-test.json.log-expected.json | 176 - .../test/gsuite-admin-domain-test.json.log | 85 - ...e-admin-domain-test.json.log-expected.json | 4459 --- .../test/gsuite-admin-gmail-test.json.log | 9 - ...te-admin-gmail-test.json.log-expected.json | 497 - 
.../test/gsuite-admin-groups-test.json.log | 14 - ...e-admin-groups-test.json.log-expected.json | 798 - .../test/gsuite-admin-licenses-test.json.log | 8 - ...admin-licenses-test.json.log-expected.json | 440 - .../test/gsuite-admin-mobile-test.json.log | 31 - ...e-admin-mobile-test.json.log-expected.json | 1688 - .../admin/test/gsuite-admin-org-test.json.log | 17 - ...uite-admin-org-test.json.log-expected.json | 890 - .../test/gsuite-admin-security-test.json.log | 24 - ...admin-security-test.json.log-expected.json | 1309 - .../test/gsuite-admin-sites-test.json.log | 5 - ...te-admin-sites-test.json.log-expected.json | 275 - .../test/gsuite-admin-user-test.json.log | 74 - ...ite-admin-user-test.json.log-expected.json | 4198 --- .../filebeat/module/gsuite/config/common.js | 86 - .../module/gsuite/drive/_meta/fields.yml | 89 - .../module/gsuite/drive/config/config.yml | 54 - .../module/gsuite/drive/config/pipeline.js | 191 - .../filebeat/module/gsuite/drive/manifest.yml | 25 - .../drive/test/gsuite-drive-test.json.log | 28 - .../gsuite-drive-test.json.log-expected.json | 1801 - x-pack/filebeat/module/gsuite/fields.go | 23 - .../module/gsuite/groups/_meta/fields.yml | 57 - .../module/gsuite/groups/config/config.yml | 54 - .../module/gsuite/groups/config/pipeline.js | 223 - .../module/gsuite/groups/manifest.yml | 25 - .../groups/test/gsuite-groups-test.json.log | 25 - .../gsuite-groups-test.json.log-expected.json | 1476 - .../filebeat/module/gsuite/ingest/common.yml | 33 - .../module/gsuite/login/_meta/fields.yml | 21 - .../module/gsuite/login/config/config.yml | 54 - .../module/gsuite/login/config/pipeline.js | 117 - .../filebeat/module/gsuite/login/manifest.yml | 25 - .../login/test/gsuite-login-test.json.log | 14 - .../gsuite-login-test.json.log-expected.json | 738 - .../module/gsuite/saml/_meta/fields.yml | 27 - .../module/gsuite/saml/config/config.yml | 54 - .../module/gsuite/saml/config/pipeline.js | 53 - .../filebeat/module/gsuite/saml/manifest.yml | 25 - 
.../saml/test/gsuite-saml-test.json.log | 2 - .../gsuite-saml-test.json.log-expected.json | 116 - .../gsuite/user_accounts/config/config.yml | 54 - .../gsuite/user_accounts/config/pipeline.js | 24 - .../module/gsuite/user_accounts/manifest.yml | 25 - .../test/gsuite-user_accounts-test.json.log | 8 - ...-user_accounts-test.json.log-expected.json | 410 - x-pack/filebeat/module/ibmmq/_meta/config.yml | 2 +- .../filebeat/module/imperva/_meta/config.yml | 2 +- .../filebeat/module/infoblox/_meta/config.yml | 2 +- .../filebeat/module/iptables/_meta/config.yml | 2 +- .../filebeat/module/juniper/_meta/config.yml | 6 +- .../module/microsoft/_meta/config.yml | 6 +- x-pack/filebeat/module/misp/_meta/config.yml | 2 +- x-pack/filebeat/module/mssql/_meta/config.yml | 2 +- .../module/mysqlenterprise/_meta/config.yml | 2 +- .../filebeat/module/netflow/_meta/config.yml | 2 +- .../filebeat/module/netscout/_meta/config.yml | 2 +- x-pack/filebeat/module/o365/_meta/config.yml | 2 +- .../dbae13c0-685c-11ea-8d6a-292ef5d68366.json | 158 +- x-pack/filebeat/module/okta/_meta/config.yml | 2 +- .../281ca660-67b1-11ea-a76f-bf44814e437d.json | 165 +- .../filebeat/module/oracle/_meta/config.yml | 2 +- x-pack/filebeat/module/panw/_meta/config.yml | 2 +- .../module/proofpoint/_meta/config.yml | 2 +- .../filebeat/module/rabbitmq/_meta/config.yml | 2 +- .../filebeat/module/radware/_meta/config.yml | 2 +- x-pack/filebeat/module/snort/_meta/config.yml | 2 +- x-pack/filebeat/module/snyk/_meta/config.yml | 4 +- .../module/sonicwall/_meta/config.yml | 2 +- .../filebeat/module/sophos/_meta/config.yml | 4 +- .../module/sophos/_meta/docs.asciidoc | 8 +- x-pack/filebeat/module/squid/_meta/config.yml | 2 +- .../filebeat/module/suricata/_meta/config.yml | 2 +- .../module/threatintel/_meta/config.yml | 16 +- .../63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json | 180 +- .../ec5aa090-df42-11eb-8f2b-753caedf727d.json | 170 +- .../filebeat/module/tomcat/_meta/config.yml | 2 +- x-pack/filebeat/module/zeek/_meta/config.yml | 
78 +- .../module/zookeeper/_meta/config.yml | 4 +- x-pack/filebeat/module/zoom/_meta/config.yml | 2 +- .../filebeat/module/zscaler/_meta/config.yml | 2 +- .../filebeat/modules.d/activemq.yml.disabled | 4 +- x-pack/filebeat/modules.d/azure.yml.disabled | 2 +- .../filebeat/modules.d/barracuda.yml.disabled | 4 +- .../filebeat/modules.d/bluecoat.yml.disabled | 2 +- x-pack/filebeat/modules.d/cef.yml.disabled | 2 +- .../modules.d/checkpoint.yml.disabled | 2 +- x-pack/filebeat/modules.d/cisco.yml.disabled | 14 +- .../filebeat/modules.d/coredns.yml.disabled | 2 +- .../modules.d/crowdstrike.yml.disabled | 2 +- .../filebeat/modules.d/cyberark.yml.disabled | 24 - .../modules.d/cyberarkpas.yml.disabled | 2 +- .../filebeat/modules.d/cylance.yml.disabled | 2 +- .../modules.d/envoyproxy.yml.disabled | 2 +- x-pack/filebeat/modules.d/f5.yml.disabled | 4 +- .../filebeat/modules.d/fortinet.yml.disabled | 8 +- x-pack/filebeat/modules.d/gcp.yml.disabled | 6 +- .../modules.d/google_workspace.yml.disabled | 12 +- .../modules.d/googlecloud.yml.disabled | 58 - x-pack/filebeat/modules.d/gsuite.yml.disabled | 53 - x-pack/filebeat/modules.d/ibmmq.yml.disabled | 2 +- .../filebeat/modules.d/imperva.yml.disabled | 2 +- .../filebeat/modules.d/infoblox.yml.disabled | 2 +- .../filebeat/modules.d/iptables.yml.disabled | 2 +- .../filebeat/modules.d/juniper.yml.disabled | 6 +- .../filebeat/modules.d/microsoft.yml.disabled | 6 +- x-pack/filebeat/modules.d/misp.yml.disabled | 2 +- x-pack/filebeat/modules.d/mssql.yml.disabled | 2 +- .../modules.d/mysqlenterprise.yml.disabled | 2 +- .../filebeat/modules.d/netflow.yml.disabled | 2 +- .../filebeat/modules.d/netscout.yml.disabled | 2 +- x-pack/filebeat/modules.d/o365.yml.disabled | 2 +- x-pack/filebeat/modules.d/okta.yml.disabled | 2 +- x-pack/filebeat/modules.d/oracle.yml.disabled | 2 +- x-pack/filebeat/modules.d/panw.yml.disabled | 2 +- .../modules.d/proofpoint.yml.disabled | 2 +- .../filebeat/modules.d/rabbitmq.yml.disabled | 2 +- 
.../filebeat/modules.d/radware.yml.disabled | 2 +- x-pack/filebeat/modules.d/snort.yml.disabled | 2 +- x-pack/filebeat/modules.d/snyk.yml.disabled | 4 +- .../filebeat/modules.d/sonicwall.yml.disabled | 2 +- x-pack/filebeat/modules.d/sophos.yml.disabled | 4 +- x-pack/filebeat/modules.d/squid.yml.disabled | 2 +- .../filebeat/modules.d/suricata.yml.disabled | 2 +- .../modules.d/threatintel.yml.disabled | 16 +- x-pack/filebeat/modules.d/tomcat.yml.disabled | 2 +- x-pack/filebeat/modules.d/zeek.yml.disabled | 78 +- .../filebeat/modules.d/zookeeper.yml.disabled | 4 +- x-pack/filebeat/modules.d/zoom.yml.disabled | 2 +- .../filebeat/modules.d/zscaler.yml.disabled | 2 +- .../monitors/browser/source/zipurl.go | 21 +- .../monitors/browser/source/zipurl_test.go | 186 +- x-pack/libbeat/persistentcache/store.go | 2 +- .../module/gcp/billing/_meta/docs.asciidoc | 2 +- .../module/gcp/metrics/_meta/docs.asciidoc | 8 +- x-pack/osquerybeat/beater/logger_plugin.go | 26 +- x-pack/osquerybeat/beater/osquerybeat.go | 14 +- 386 files changed, 19074 insertions(+), 63519 deletions(-) create mode 100644 dev-tools/mage/semver.go create mode 100644 filebeat/docs/inputs/input-journald.asciidoc delete mode 100644 filebeat/docs/modules/cyberark.asciidoc delete mode 100644 filebeat/docs/modules/gsuite.asciidoc create mode 100644 filebeat/input/journald/input_stub.go delete mode 100644 filebeat/module/apache2/module.yml create mode 100644 filebeat/scripts/mage/build.go create mode 100644 libbeat/metric/system/numcpu/cpu_bsd.go create mode 100644 libbeat/metric/system/numcpu/cpu_cgo.go create mode 100644 libbeat/metric/system/numcpu/cpu_linux.go create mode 100644 libbeat/metric/system/numcpu/cpu_linux_test.go create mode 100644 libbeat/metric/system/numcpu/cpu_other.go create mode 100644 libbeat/metric/system/numcpu/cpu_windows.go create mode 100644 libbeat/metric/system/numcpu/numcpu.go create mode 100644 libbeat/metric/system/numcpu/numcpu_test.go create mode 100644 libbeat/reader/message_test.go 
create mode 100644 libbeat/reader/readfile/bench_test.go create mode 100644 monitors.d/plaintodos.yml create mode 100644 x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade_test.go create mode 100644 x-pack/elastic-agent/pkg/agent/cmd/status_test.go delete mode 100644 x-pack/filebeat/module/cyberark/README.md delete mode 100644 x-pack/filebeat/module/cyberark/_meta/config.yml delete mode 100644 x-pack/filebeat/module/cyberark/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/cyberark/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/cyberark/corepas/config/input.yml delete mode 100644 x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/cyberark/corepas/config/pipeline.js delete mode 100644 x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/cyberark/corepas/manifest.yml delete mode 100644 x-pack/filebeat/module/cyberark/corepas/test/generated.log delete mode 100644 x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/module/cyberark/fields.go delete mode 100644 x-pack/filebeat/module/googlecloud/_meta/config.yml delete mode 100644 x-pack/filebeat/module/googlecloud/module.yml delete mode 100644 x-pack/filebeat/module/gsuite/_meta/config.yml delete mode 100644 x-pack/filebeat/module/gsuite/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/gsuite/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/gsuite/admin/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/gsuite/admin/config/config.yml delete mode 100644 x-pack/filebeat/module/gsuite/admin/config/pipeline.js delete mode 100644 x-pack/filebeat/module/gsuite/admin/manifest.yml delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log delete mode 100644 
x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json delete mode 100644 
x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/config/common.js delete mode 100644 x-pack/filebeat/module/gsuite/drive/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/gsuite/drive/config/config.yml delete mode 100644 x-pack/filebeat/module/gsuite/drive/config/pipeline.js delete mode 100644 x-pack/filebeat/module/gsuite/drive/manifest.yml delete mode 100644 x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/fields.go delete mode 100644 x-pack/filebeat/module/gsuite/groups/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/gsuite/groups/config/config.yml delete mode 100644 
x-pack/filebeat/module/gsuite/groups/config/pipeline.js delete mode 100644 x-pack/filebeat/module/gsuite/groups/manifest.yml delete mode 100644 x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/ingest/common.yml delete mode 100644 x-pack/filebeat/module/gsuite/login/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/gsuite/login/config/config.yml delete mode 100644 x-pack/filebeat/module/gsuite/login/config/pipeline.js delete mode 100644 x-pack/filebeat/module/gsuite/login/manifest.yml delete mode 100644 x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/saml/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/gsuite/saml/config/config.yml delete mode 100644 x-pack/filebeat/module/gsuite/saml/config/pipeline.js delete mode 100644 x-pack/filebeat/module/gsuite/saml/manifest.yml delete mode 100644 x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/user_accounts/config/config.yml delete mode 100644 x-pack/filebeat/module/gsuite/user_accounts/config/pipeline.js delete mode 100644 x-pack/filebeat/module/gsuite/user_accounts/manifest.yml delete mode 100644 x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json delete mode 100644 x-pack/filebeat/modules.d/cyberark.yml.disabled delete mode 100644 x-pack/filebeat/modules.d/googlecloud.yml.disabled delete mode 100644 x-pack/filebeat/modules.d/gsuite.yml.disabled 
diff --git a/.ci/packaging.groovy b/.ci/packaging.groovy
index 0e29bdd7ebb..04301526e4d 100644
--- a/.ci/packaging.groovy
+++ b/.ci/packaging.groovy
@@ -440,7 +440,6 @@ def triggerE2ETests(String suite) {
 booleanParam(name: 'forceSkipPresubmit', value: true),
 booleanParam(name: 'notifyOnGreenBuilds', value: !isPR()),
 string(name: 'BEAT_VERSION', value: beatVersion),
- booleanParam(name: 'BEATS_USE_CI_SNAPSHOTS', value: true),
 string(name: 'runTestsSuites', value: suite),
 string(name: 'GITHUB_CHECK_NAME', value: env.GITHUB_CHECK_E2E_TESTS_NAME),
 string(name: 'GITHUB_CHECK_REPO', value: env.REPO),
diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc
index 0a8b9b76099..1957c6f0ca7 100644
--- a/CHANGELOG-developer.next.asciidoc
+++ b/CHANGELOG-developer.next.asciidoc
@@ -62,6 +62,7 @@ The list below covers the major changes between 7.0.0-rc2 and master only.
 - Metricbeat module builders call host parser only once when instantiating light modules. {pull}20149[20149]
 - Fix export dashboard command when running against Elastic Cloud hosted Kibana. {pull}22746[22746]
 - Remove `event.dataset` (ECS) annotion from `libbeat.logp`. {issue}27404[27404]
+- Errors should be thrown as errors. Metricsets inside Metricbeat will now throw errors as the `error` log level. {pull}27804[27804]
 ==== Added
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 5c25d138679..7280d1039b8 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -3,10 +3,16 @@
 :issue: https://github.com/elastic/beats/issues/
 :pull: https://github.com/elastic/beats/pull/
+[[release-notes-8.0.0-alpha2]]
+=== Beats version 8.0.0-alpha2
+
+Changes will be described in a later alpha / beta.
+
 [[release-notes-8.0.0-alpha1]]
 === Beats version 8.0.0-alpha1
 Changes will be described in a later alpha / beta.
+
 [[release-notes-7.14.1]]
 === Beats version 7.14.1
 https://github.com/elastic/beats/compare/v7.14.0...v7.14.1[View commits]
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 5083477f18a..c189adabc67 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -84,6 +84,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Remove all alias fields pointing to ECS fields from modules. This affects the Suricata and Traefik modules. {issue}10535[10535] {pull}26627[26627] - Add option for S3 input to work without SQS notification {issue}18205[18205] {pull}27332[27332] - Fix Crowdstrike ingest pipeline that was creating flattened `process` fields. {issue}27622[27622] {pull}27623[27623] +- Rename `log.path` to `log.file.path` in filestream to be consistent with `log` input and ECS. {pull}27761[27761] +- Removes old module aliases for `googlecloud` (moved to gcp) and `apache2` (moved to apache). {pull}27919[27919] +- Removes old module name aliases (gsuite) and removing old cyberark module in favor of the new cyberarkpas{pull}27915[27915] +- Only filesets that are explicitly configured will be enabled. {issue}17256[17256] {pull}27526[27526] +- All filesets are disabled in the default configuration. {issue}17256[17256] {pull}27762[27762] *Heartbeat* - Remove long deprecated `watch_poll` functionality. {pull}27166[27166] @@ -108,6 +113,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add Linux pressure metricset {pull}27355[27355] - Add support for kube-state-metrics v2.0.0 {pull}27552[27552] - Add User-Agent header to HTTP requests. {issue}18160[18160] {pull}27509[27509] +- Errors should be thrown as errors. Metricsets inside Metricbeat will now throw errors as the `error` log level. {pull}27804[27804] +- Remove deprecated fields in Docker module. {issue}11835[11835] {pull}27933[27933] *Packetbeat* 
@@ -207,7 +214,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Do not try to load ILM policy if `check_exists` is `false`. {pull}27508[27508] {issue}26322[26322] - Fix bug with cgroups hierarchy override path in cgroups {pull}27620[27620] - Beat `setup kibana` command may use the elasticsearch API key defined in `output.elasticsearch.api_key`. {issue}24015[24015] {pull}27540[27540] +- Fix `decode_xml` handling of array merging when using `to_lower: true`. {pull}27922[27922] - Seperate namespaces for V1 and V2 controller paths {pull}27676[27676] +- Beats dashboards use custom index when `setup.dashboards.index` is set. {issue}21232[21232] {pull}27901[27901] *Auditbeat* @@ -217,6 +226,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - system/package: Fix an error that can occur while trying to persist package metadata. {issue}18536[18536] {pull}18887[18887] - system/socket: Fix dataset using 100% CPU and becoming unresponsive in some scenarios. {pull}19033[19033] {pull}19764[19764] - system/socket: Fixed tracking of long-running connections. {pull}19033[19033] +- file_integrity: honor include_files when doing initial scan. {issue}27273[27273] {pull}27722[27722] *Filebeat* @@ -311,6 +321,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Auditd: Fix Top Exec Commands dashboard visualization. {pull}27638[27638] - Store offset in `log.offset` field of events from the filestream input. {pull}27688[27688] - Fix `httpjson` input rate limit processing and documentation. {pull}[] +- Update Filebeat compatibility function to remove processor description field on ES < 7.9.0 {pull}27774[27774] +- Make filestream events ECS compliant. {issue}27776[27776] *Heartbeat* 
@@ -746,7 +758,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added support for parsing syslog dates containing a leading 0 (e.g. `Sep 01`) rather than a space. {pull}27775[27775] - Add base64 Encode functionality to httpjson input. {pull}27681[27681] - Add `join` and `sprintf` functions to `httpjson` input. {pull}27735[27735] - +- Improve memory usage of line reader of `log` and `filestream` input. {pull}27782[27782] +- Add `ignore_empty_value` flag to `httpjson` `split` processor. {pull}27880[27880] +- Update Cisco ASA/FTD ingest pipeline grok/dissect patterns for multiple message IDs. {issue}26869[26869] {pull}26879[26879] +- Add write access to `url.value` from `request.transforms` in `httpjson` input. {pull}27937[27937] *Heartbeat* @@ -874,6 +889,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Apache: convert status.total_kbytes to status.total_bytes in fleet mode. {pull}23022[23022] - Release MSSQL as GA {pull}23146[23146] - Add AWS Kinesis metricset. {pull}25989[25989] +- Enable `journald` input type in Filebeat. {issue}7955[7955] {pull}27351[27351] - Move openmetrics module to oss. {pull}26561[26561] - Add `gke` metricset collection to `gcp` module {pull}26824[26824] diff --git a/NOTICE.txt b/NOTICE.txt index 1f1cbb8d288..9a9ae8e35f8 100644 --- a/NOTICE.txt +++ b/NOTICE.txt 
@@ -4440,12 +4440,12 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- -Dependency : github.com/dgraph-io/badger/v2 -Version: v2.2007.3-0.20201012072640-f5a7e0a1c83b +Dependency : github.com/dgraph-io/badger/v3 +Version: v3.2103.1 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/dgraph-io/badger/v2@v2.2007.3-0.20201012072640-f5a7e0a1c83b/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/dgraph-io/badger/v3@v3.2103.1/LICENSE: Apache License Version 2.0, January 2004 @@ -9722,11 +9722,11 @@ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- Dependency : github.com/gogo/protobuf -Version: v1.3.1 +Version: v1.3.2 Licence type (autodetected): BSD-3-Clause -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/gogo/protobuf@v1.3.1/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/gogo/protobuf@v1.3.2/LICENSE: Copyright (c) 2013, The GoGo Authors. All rights reserved. @@ -10241,11 +10241,11 @@ Contents of probable licence file $GOMODCACHE/github.com/gomodule/redigo@v1.8.3/ -------------------------------------------------------------------------------- Dependency : github.com/google/flatbuffers -Version: v1.7.2-0.20170925184458-7a6b2bf521e9 +Version: v1.12.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/google/flatbuffers@v1.7.2-0.20170925184458-7a6b2bf521e9/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/google/flatbuffers@v1.12.0/LICENSE.txt: Apache License 
@@ -10436,7 +10436,7 @@ Contents of probable licence file $GOMODCACHE/github.com/google/flatbuffers@v1.7 same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2014 Google Inc. + Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -21728,43 +21728,6 @@ Contents of probable licence file $GOMODCACHE/github.com/!burnt!sushi/xgb@v0.0.0 // such litigation is filed. --------------------------------------------------------------------------------- -Dependency : github.com/DataDog/zstd -Version: v1.4.1 -Licence type (autodetected): BSD-3-Clause --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/!data!dog/zstd@v1.4.1/LICENSE: - -Simplified BSD License - -Copyright (c) 2016, Datadog -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - - * Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - * Neither the name of the copyright holder nor the names of its contributors - may be used to endorse or promote products derived from this software - without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -------------------------------------------------------------------------------- Dependency : github.com/Microsoft/hcsshim Version: v0.8.7 @@ -26365,11 +26328,11 @@ SOFTWARE. -------------------------------------------------------------------------------- Dependency : github.com/dgraph-io/ristretto -Version: v0.0.3-0.20200630154024-f66de99634de +Version: v0.1.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/dgraph-io/ristretto@v0.0.3-0.20200630154024-f66de99634de/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/dgraph-io/ristretto@v0.1.0/LICENSE: Apache License Version 2.0, January 2004 
@@ -29786,12 +29749,12 @@ Contents of probable licence file $GOMODCACHE/github.com/golang-sql/civil@v0.0.0 limitations under the License. -------------------------------------------------------------------------------- -Dependency : github.com/golang/glog -Version: v0.0.0-20160126235308-23def4e6c14b +Dependency : github.com/elastic/glog +Version: v1.0.1-0.20210831205241-7d8b5c89dfc4 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/golang/glog@v0.0.0-20160126235308-23def4e6c14b/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/elastic/glog@v1.0.1-0.20210831205241-7d8b5c89dfc4/LICENSE: Apache License Version 2.0, January 2004 @@ -36071,11 +36034,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- Dependency : github.com/kisielk/errcheck -Version: v1.2.0 +Version: v1.5.0 Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/kisielk/errcheck@v1.2.0/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/kisielk/errcheck@v1.5.0/LICENSE: Copyright (c) 2013 Kamil Kisiel @@ -36145,11 +36108,11 @@ match.go, match_test.go: -------------------------------------------------------------------------------- Dependency : github.com/klauspost/compress -Version: v1.12.2 +Version: v1.12.3 Licence type (autodetected): BSD-3-Clause -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/klauspost/compress@v1.12.2/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/klauspost/compress@v1.12.3/LICENSE: Copyright (c) 2012 The Go Authors. All rights reserved. Copyright (c) 2019 Klaus Post. All rights reserved. 
@@ -41795,11 +41758,11 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI -------------------------------------------------------------------------------- Dependency : go.opencensus.io -Version: v0.22.2 +Version: v0.22.5 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/go.opencensus.io@v0.22.2/LICENSE: +Contents of probable licence file $GOMODCACHE/go.opencensus.io@v0.22.5/LICENSE: Apache License diff --git a/auditbeat/module/file_integrity/metricset_test.go b/auditbeat/module/file_integrity/metricset_test.go index aad49679c49..14522bcd627 100644 --- a/auditbeat/module/file_integrity/metricset_test.go +++ b/auditbeat/module/file_integrity/metricset_test.go @@ -258,7 +258,7 @@ func TestIncludedExcludedFiles(t *testing.T) { } config := getConfig(dir) - config["include_files"] = []string{`\.ssh/`} + config["include_files"] = []string{`\.ssh`} config["recursive"] = true ms := mbtest.NewPushMetricSetV2(t, config) diff --git a/auditbeat/module/file_integrity/scanner.go b/auditbeat/module/file_integrity/scanner.go index 6a960065d1c..a4bf7277633 100644 --- a/auditbeat/module/file_integrity/scanner.go +++ b/auditbeat/module/file_integrity/scanner.go @@ -140,6 +140,11 @@ func (s *scanner) walkDir(dir string, action Action) error { } return nil } + + if !info.IsDir() && !s.config.IsIncludedPath(path) { + return nil + } + defer func() { startTime = time.Now() }() event := s.newScanEvent(path, info, err, action) diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index abbb3baec8d..ae81804a606 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml 
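Review bot: The new guard `if !info.IsDir() && !s.config.IsIncludedPath(path)` dereferences `info` before anything in the hunk shows it is non-nil; if this is a `filepath.Walk` callback, `info` is nil when Lstat on the root fails, so confirm the `return nil` branch above already handles `err != nil`, or write `info != nil && !info.IsDir() && !s.config.IsIncludedPath(path)`. The filter is deliberately one-sided, directories still reach `newScanEvent` whether or not they match `include_files`, and that asymmetry deserves a comment so it is not "fixed" later: `// include_files is applied to regular files only; directories are always traversed and reported so that matching files beneath them are reached.` The sibling test change from `\.ssh/` to `\.ssh` suggests the pattern is now matched against file paths without a trailing separator, which would silently drop files for existing configs that used directory-style patterns, so a changelog entry seems warranted. walkDir starts and ends outside the hunk.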
@@ -19,6 +19,9 @@ data: - type: kubernetes scope: cluster node: ${NODE_NAME} + # In large Kubernetes clusters consider setting unique to false + # to avoid using the leader election strategy and + # instead run a dedicated Metricbeat instance using a Deployment in addition to the DaemonSet unique: true templates: - config: diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml index a60395f4490..a51845f4f9a 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml @@ -19,6 +19,9 @@ data: - type: kubernetes scope: cluster node: ${NODE_NAME} + # In large Kubernetes clusters consider setting unique to false + # to avoid using the leader election strategy and + # instead run a dedicated Metricbeat instance using a Deployment in addition to the DaemonSet unique: true templates: - config: diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml index 6d8cea78a21..fba03edb34e 100644 --- a/dev-tools/ecs-migration.yml +++ b/dev-tools/ecs-migration.yml @@ -54,7 +54,7 @@ alias6: true alias: true -- from: docker.container.labels # TODO: How to map these? +- from: docker.container.labels # TODO: How to map these? to: container.labels alias6: false alias: true @@ -115,8 +115,8 @@ - from: source to: - - log.file.path - - log.source.address + - log.file.path + - log.source.address alias: false beat: filebeat @@ -428,7 +428,7 @@ beat: filebeat - from: suricata.eve.timestamp - to: '@timestamp' + to: "@timestamp" alias: true beat: filebeat @@ -476,7 +476,7 @@ beat: filebeat - from: system.auth.timestamp - to: '@timestamp' + to: "@timestamp" alias: true beat: filebeat 
@@ -560,155 +560,6 @@ alias: true beat: filebeat -## Apache module - -- from: apache2.access.remote_ip - to: source.address - alias: true - beat: filebeat - -- from: apache2.access.user_name - to: user.name - alias: true - beat: filebeat - -- from: apache2.access.method - to: http.request.method - alias: true - beat: filebeat - -- from: apache2.access.url - to: url.original - alias: true - beat: filebeat - -- from: apache2.access.http_version - to: http.version - alias: true - beat: filebeat - -- from: apache2.access.response_code - to: http.response.status_code - alias: true - beat: filebeat - -- from: apache2.access.referrer - to: http.request.referrer - alias: true - beat: filebeat - -- from: apache2.access.agent - to: user_agent.original - alias: true - beat: filebeat - -- from: apache2.access.body_sent.bytes - to: http.response.body.bytes - alias: true - beat: filebeat - -- from: apache2.access.geoip.continent_name - to: source.geo.continent_name - alias: true - beat: filebeat - -- from: apache2.access.geoip.country_iso_code - to: source.geo.country_iso_code - alias: true - beat: filebeat - -- from: apache2.access.geoip.location - to: source.geo.location - alias: true - beat: filebeat - -- from: apache2.access.geoip.region_name - to: source.geo.region_name - alias: true - beat: filebeat - -- from: apache2.access.geoip.city_name - to: source.geo.city_name - alias: true - beat: filebeat - -- from: apache2.access.geoip.region_iso_code - to: source.geo.region_iso_code - alias: true - beat: filebeat - -- from: apache2.access.user_agent.original - to: user_agent.original - alias: true - beat: filebeat -- from: apache2.access.user_agent.device - to: user_agent.device.name - alias: true - beat: filebeat -- from: apache2.access.user_agent.name - to: user_agent.name - alias: true - beat: filebeat -- from: apache2.access.user_agent.os - to: user_agent.os.full_name - alias: true - beat: filebeat -- from: apache2.access.user_agent.os_name - to: user_agent.os.name - alias: 
true - beat: filebeat - -- from: apache2.access.user_agent.major - to: user_agent.version - alias: false - beat: filebeat -- from: apache2.access.user_agent.minor - to: user_agent.version - alias: false - beat: filebeat -- from: apache2.access.user_agent.patch - to: user_agent.version - alias: false - beat: filebeat -- from: apache2.access.user_agent.os_major - to: user_agent.os.version - alias: false - beat: filebeat -- from: apache2.access.user_agent.os_minor - to: user_agent.os.version - alias: false - beat: filebeat -- from: apache2.access.user_agent.os_patch - to: user_agent.os.version - alias: false - beat: filebeat - -### Error fileset -- from: apache2.error.message - to: message - alias: true - beat: filebeat - -- from: apache2.error.level - to: log.level - alias: true - beat: filebeat - -- from: apache2.error.client - to: source.address - alias: true - beat: filebeat - -- from: apache2.error.pid - to: process.pid - alias: true - beat: filebeat - -- from: apache2.error.tid - to: process.thread.id - alias: true - beat: filebeat - ## Elasticsearch module - from: elasticsearch.audit.origin_address @@ -1748,7 +1599,6 @@ alias: true beat: metricbeat - ### Redis - from: php_fpm.status.pid diff --git a/dev-tools/mage/check.go b/dev-tools/mage/check.go index f61501b06eb..c34255420cd 100644 --- a/dev-tools/mage/check.go +++ b/dev-tools/mage/check.go @@ -36,6 +36,7 @@ import ( "github.com/pkg/errors" "github.com/elastic/beats/v7/dev-tools/mage/gotool" + "github.com/elastic/beats/v7/libbeat/dashboards" "github.com/elastic/beats/v7/libbeat/processors/dissect" ) 
@@ -260,6 +261,14 @@ func checkDashboardForErrors(file string, d []byte) bool { fmt.Println(" ", err) } + replaced := dashboards.ReplaceIndexInDashboardObject("my-test-index-*", d) + if bytes.Contains(replaced, []byte(BeatName+"-*")) { + hasErrors = true + fmt.Printf(">> Cannot modify all index pattern references in dashboard - %s\n", file) + fmt.Println("Please edit the dashboard override function named ReplaceIndexInDashboardObject in libbeat.") + fmt.Println(string(replaced)) + } + return hasErrors } diff --git a/dev-tools/mage/common.go b/dev-tools/mage/common.go index 208ae02d974..f61dd43e03e 100644 --- a/dev-tools/mage/common.go +++ b/dev-tools/mage/common.go @@ -26,6 +26,7 @@ import ( "context" "crypto/sha256" "crypto/sha512" + "debug/elf" "encoding/hex" "encoding/json" "fmt" @@ -38,6 +39,7 @@ import ( "path/filepath" "regexp" "runtime" + "sort" "strconv" "strings" "sync" 
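Review bot: `bytes.Contains(replaced, []byte(BeatName+"-*"))` is a raw substring test, so any leftover `<beat>-*` text, including a markdown panel or saved-search title that legitimately names the index, will flag the dashboard, and on failure `fmt.Println(string(replaced))` prints the entire rewritten dashboard to the console. Printing only the lines that contain the match would keep the signal, and a short comment on the intent would help the next person who hits it: `// Rewrite every index-pattern reference to a dummy pattern; any surviving "<beat>-*" means ReplaceIndexInDashboardObject missed a location.` If `BeatName` can be empty in this mage context the needle degrades to `"-*"`, which is very likely to match something, so a guard may be worth adding. checkDashboardForErrors starts outside the hunk.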
@@ -913,3 +915,48 @@ func IntegrationTestEnvVars() []string { } return vars } + +// ReadGLIBCRequirement returns the required glibc version for a dynamically +// linked ELF binary. The target machine must have a version equal to or +// greater than (newer) the returned value. +func ReadGLIBCRequirement(elfFile string) (*SemanticVersion, error) { + e, err := elf.Open(elfFile) + if err != nil { + return nil, err + } + + symbols, err := e.DynamicSymbols() + if err != nil { + return nil, err + } + + versionSet := map[SemanticVersion]struct{}{} + for _, sym := range symbols { + if strings.HasPrefix(sym.Version, "GLIBC_") { + semver, err := NewSemanticVersion(strings.TrimPrefix(sym.Version, "GLIBC_")) + if err != nil { + continue + } + + versionSet[*semver] = struct{}{} + } + } + + if len(versionSet) == 0 { + return nil, errors.New("no GLIBC symbols found in binary (is this a static binary?)") + } + + var versions []SemanticVersion + for ver := range versionSet { + versions = append(versions, ver) + } + + sort.Slice(versions, func(i, j int) bool { + a := versions[i] + b := versions[j] + return a.LessThan(&b) + }) + + max := versions[len(versions)-1] + return &max, nil +} diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go index 10d73c3876c..c2f87784063 100644 --- a/dev-tools/mage/crossbuild.go +++ b/dev-tools/mage/crossbuild.go @@ -129,7 +129,7 @@ type crossBuildParams struct { // CrossBuild executes a given build target once for each target platform. func CrossBuild(options ...CrossBuildOption) error { - params := crossBuildParams{Platforms: Platforms, Target: defaultCrossBuildTarget, ImageSelector: crossBuildImage} + params := crossBuildParams{Platforms: Platforms, Target: defaultCrossBuildTarget, ImageSelector: CrossBuildImage} for _, opt := range options { opt(¶ms) } 
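Review bot: The `*elf.File` returned by `elf.Open` in `ReadGLIBCRequirement` is never closed, so each call leaks the underlying file descriptor; add `defer e.Close()` immediately after the `err` check. Parse failures inside the loop are swallowed with `continue`, which means a `GLIBC_` version string the regex cannot parse silently lowers the reported requirement; that is probably acceptable for a build-time check, but the doc comment should say so. `max` as a local name also collides with the builtin introduced in Go 1.21 (the module is on 1.16 today); `newest` would avoid the future shadowing.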
@@ -193,7 +193,7 @@ func buildMage() error { "-compile", CreateDir(filepath.Join("build", "mage-linux-"+arch))) } -func crossBuildImage(platform string) (string, error) { +func CrossBuildImage(platform string) (string, error) { tagSuffix := "main" switch { diff --git a/dev-tools/mage/modules.go b/dev-tools/mage/modules.go index 80fc4c2f7c5..a65c2c2a121 100644 --- a/dev-tools/mage/modules.go +++ b/dev-tools/mage/modules.go @@ -18,10 +18,15 @@ package mage import ( + "fmt" "io/ioutil" "os" "path/filepath" "strings" + + "github.com/joeshaw/multierror" + "github.com/pkg/errors" + "gopkg.in/yaml.v2" ) var modulesDConfigTemplate = ` 
@@ -71,3 +76,68 @@ func GenerateDirModulesD() error {
 }
 return nil
 }
+
+type datasetDefinition struct {
+ Enabled *bool
+}
+
+type moduleDefinition struct {
+ Name string `yaml:"module"`
+ Filesets map[string]datasetDefinition `yaml:",inline"`
+}
+
+// ValidateDirModulesD validates a modules.d directory containing the
+// .yml.disabled files. It checks that the files are valid
+// yaml and conform to module definitions.
+func ValidateDirModulesD() error {
+ _, err := loadModulesD()
+ return err
+}
+
+// ValidateDirModulesDDatasetsDisabled ensures that all the datasets
+// are disabled by default.
+func ValidateDirModulesDDatasetsDisabled() error {
+ cfgs, err := loadModulesD()
+ if err != nil {
+ return err
+ }
+ var errs multierror.Errors
+ for path, cfg := range cfgs {
+ // A config.yml is a list of module configurations.
+ for modIdx, mod := range cfg {
+ // A module config is a map of datasets.
+ for dsName, ds := range mod.Filesets {
+ if ds.Enabled == nil || *ds.Enabled {
+ var entry string
+ if len(cfg) > 1 {
+ entry = fmt.Sprintf(" (entry #%d)", modIdx+1)
+ }
+ err = fmt.Errorf("in file '%s': %s module%s dataset %s must be explicitly disabled (needs `enabled: false`)",
+ path, mod.Name, entry, dsName)
+ errs = append(errs, err)
+ }
+ }
+ }
+ }
+ return errs.Err()
+}
+
+func loadModulesD() (modules map[string][]moduleDefinition, err error) {
+ files, err := filepath.Glob("modules.d/*.disabled")
+ if err != nil {
+ return nil, err
+ }
+ modules = make(map[string][]moduleDefinition, len(files))
+ for _, file := range files {
+ contents, err := ioutil.ReadFile(file)
+ if err != nil {
+ return nil, errors.Wrapf(err, "reading %s", file)
+ }
+ var cfg []moduleDefinition
+ if err = yaml.Unmarshal(contents, &cfg); err != nil {
+ return nil, errors.Wrapf(err, "parsing %s as YAML", file)
+ }
+ modules[file] = cfg
+ }
+ return modules, nil
+}
diff --git a/dev-tools/mage/pkg.go b/dev-tools/mage/pkg.go
index 2341724b350..f4381291cfe 100644
--- a/dev-tools/mage/pkg.go
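Review bot: `loadModulesD` decodes every top-level key other than `module` into `map[string]datasetDefinition`, so it only understands filebeat-style entries made of a module name plus fileset maps; an entry with scalar keys such as metricbeat's `period:` or `hosts:` would fail inside `yaml.Unmarshal` with a type error instead of a validation message, which is worth stating on `ValidateDirModulesD`: `// Only filebeat-style entries (module name plus fileset maps) are understood.` The glob `modules.d/*.disabled` is relative to the working directory, so when the target is run from the wrong place it finds no files and both validators pass vacuously; consider returning an error when `len(files) == 0`. `ValidateDirModulesDDatasetsDisabled` also treats a dataset with no `enabled` key as enabled (`ds.Enabled == nil`), which is the intended "must be explicit" rule but is conveyed only by the error text; a one-line comment at that condition would help.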
+++ b/dev-tools/mage/pkg.go @@ -21,6 +21,7 @@ import ( "fmt" "log" "os" + "path/filepath" "runtime" "strconv" @@ -242,3 +243,38 @@ func TestPackages(options ...TestPackagesOption) error { return nil } + +// TestLinuxForCentosGLIBC checks the GLIBC requirements of linux/amd64 and +// linux/386 binaries to ensure they meet the requirements for RHEL 6 which has +// glibc 2.12. +func TestLinuxForCentosGLIBC() error { + switch Platform.Name { + case "linux/amd64", "linux/386": + return TestBinaryGLIBCVersion(filepath.Join("build/golang-crossbuild", BeatName+"-linux-"+Platform.GOARCH), "2.12") + default: + return nil + } +} + +func TestBinaryGLIBCVersion(elfPath, maxGlibcVersion string) error { + requiredGlibc, err := ReadGLIBCRequirement(elfPath) + if err != nil { + if errors.Is(err, os.ErrNotExist) { + return nil + } + return err + } + + upperBound, err := NewSemanticVersion(maxGlibcVersion) + if err != nil { + return err + } + + if !requiredGlibc.LessThanOrEqual(upperBound) { + return fmt.Errorf("dynamically linked binary %q requires glibc "+ + "%v, but maximum allowed glibc is %v", + elfPath, requiredGlibc, upperBound) + } + fmt.Printf(">> testBinaryGLIBCVersion: %q requires glibc %v or greater\n", elfPath, requiredGlibc) + return nil +} diff --git a/dev-tools/mage/semver.go b/dev-tools/mage/semver.go new file mode 100644 index 00000000000..22801f5b2af --- /dev/null +++ b/dev-tools/mage/semver.go 
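Review bot: `TestBinaryGLIBCVersion` returns nil when the binary is absent (`errors.Is(err, os.ErrNotExist)`), so if the `build/golang-crossbuild` layout or the artifact name ever changes, the glibc gate passes vacuously with no output; print the skip at least, `fmt.Printf(">> testBinaryGLIBCVersion: %q not found, skipping\n", elfPath)`, or let callers decide whether a missing file is an error. The exported `TestBinaryGLIBCVersion` also has no doc comment; something like `// TestBinaryGLIBCVersion fails if the ELF at elfPath needs a glibc newer than maxGlibcVersion; a missing file is treated as nothing to check.` The `errors` identifier is not imported in this hunk, so it relies on whichever errors package the file already uses supporting `Is`, which holds for the standard library and for github.com/pkg/errors 0.9 and later.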
@@ -0,0 +1,67 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package mage
+
+import (
+ "fmt"
+ "regexp"
+ "strconv"
+)
+
+var SemanticVersionRegex = regexp.MustCompile(`(?m)^(\d+)\.(\d+)(?:\.(\d+))?`)
+
+type SemanticVersion struct {
+ Major, Minor, Patch int
+}
+
+// NewSemanticVersion return a new SemanticVersion parsed from string in the
+// format of 'x.y' or 'x.y.z'.
+func NewSemanticVersion(s string) (*SemanticVersion, error) {
+ matches := SemanticVersionRegex.FindStringSubmatch(s)
+ if len(matches) < 4 {
+ return nil, fmt.Errorf("invalid version format %q", s)
+ }
+
+ major, _ := strconv.Atoi(matches[1])
+ Minor, _ := strconv.Atoi(matches[2])
+ Patch, _ := strconv.Atoi(matches[3])
+ return &SemanticVersion{major, Minor, Patch}, nil
+}
+
+// LessThan return true iff s is less than x.
+func (s *SemanticVersion) LessThan(x *SemanticVersion) bool {
+ if s.Major != x.Major {
+ return s.Major < x.Major
+ }
+ if s.Minor != x.Minor {
+ return s.Minor < x.Minor
+ }
+ return s.Patch < x.Patch
+}
+
+// LessThanOrEqual return true iff s is less than or equal to x.
+func (s *SemanticVersion) LessThanOrEqual(x *SemanticVersion) bool { + if s.LessThan(x) { + return true + } + return !x.LessThan(s) +} + +func (s SemanticVersion) String() string { + return fmt.Sprintf("%d.%d.%d", s.Major, s.Minor, s.Patch) +} diff --git a/dev-tools/vagrant_scripts/winProvision.ps1 b/dev-tools/vagrant_scripts/winProvision.ps1 index 62b40c34970..1916a1471b7 100644 --- a/dev-tools/vagrant_scripts/winProvision.ps1 +++ b/dev-tools/vagrant_scripts/winProvision.ps1 @@ -7,7 +7,7 @@ if (-Not (Test-Path $gopath_beats)) { echo 'Creating github.com\\elastic in the GOPATH' New-Item -itemtype directory -path "C:\\Gopath\\src\\github.com\\elastic" -force echo "Symlinking C:\\Vagrant to C:\\Gopath\\src\\github.com\\elastic" - cmd /c mklink /d $gopath_beats \\\\vboxsvr\\vagrant + cmd /c mklink /d $gopath_beats \\vboxsvr\vagrant } if (-Not (Get-Command "gvm" -ErrorAction SilentlyContinue)) { @@ -71,4 +71,4 @@ if (-Not (Get-Command "gcc" -ErrorAction SilentlyContinue)) { } echo "Setting PYTHON_ENV in VM to point to C:\\beats-python-env." -[System.Environment]::SetEnvironmentVariable("PYTHON_ENV", "C:\\beats-python-env", [System.EnvironmentVariableTarget]::Machine) \ No newline at end of file +[System.Environment]::SetEnvironmentVariable("PYTHON_ENV", "C:\\beats-python-env", [System.EnvironmentVariableTarget]::Machine) diff --git a/filebeat/autodiscover/builder/hints/logs.go b/filebeat/autodiscover/builder/hints/logs.go index 4fb86cd9e18..5a09bb41780 100644 --- a/filebeat/autodiscover/builder/hints/logs.go +++ b/filebeat/autodiscover/builder/hints/logs.go @@ -201,7 +201,7 @@ func (l *logHints) getFilesets(hints common.MapStr, module string) map[string]*f var configured bool filesets := make(map[string]*filesetConfig) - moduleFilesets, err := l.registry.ModuleFilesets(module) + moduleFilesets, err := l.registry.ModuleAvailableFilesets(module) if err != nil { logp.Err("Error retrieving module filesets: %+v", err) return nil 
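Review bot: `NewSemanticVersion` discards all three `strconv.Atoi` errors; for the optional patch group `matches[3]` is `""` when the input is `x.y`, so the code depends on Atoi returning 0 on error, and a genuinely out-of-range component would also silently become 0. Handle the missing patch explicitly and check the others, e.g. `patch := 0` followed by `if matches[3] != "" { if patch, err = strconv.Atoi(matches[3]); err != nil { return nil, err } }`, with the same error check on major and minor. `Minor` and `Patch` are locals written like exported identifiers, lowercase them, and the doc comments should read "returns true iff" rather than "return true iff". `LessThanOrEqual` can also be just `return !x.LessThan(s)`, since `s.LessThan(x)` already implies that.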
diff --git a/filebeat/autodiscover/builder/hints/logs_test.go b/filebeat/autodiscover/builder/hints/logs_test.go index e00ec39920e..ae1ca208313 100644 --- a/filebeat/autodiscover/builder/hints/logs_test.go +++ b/filebeat/autodiscover/builder/hints/logs_test.go @@ -405,14 +405,14 @@ func TestGenerateHints(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache2", + "module": "apache", }, }, }, len: 1, result: []common.MapStr{ { - "module": "apache2", + "module": "apache", "error": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -455,7 +455,7 @@ func TestGenerateHints(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache2", + "module": "apache", "fileset": "access", }, }, @@ -463,7 +463,7 @@ func TestGenerateHints(t *testing.T) { len: 1, result: []common.MapStr{ { - "module": "apache2", + "module": "apache", "access": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -506,7 +506,7 @@ func TestGenerateHints(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache2", + "module": "apache", "fileset.stdout": "access", "fileset.stderr": "error", }, @@ -515,7 +515,7 @@ func TestGenerateHints(t *testing.T) { len: 1, result: []common.MapStr{ { - "module": "apache2", + "module": "apache", "access": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -558,14 +558,14 @@ func TestGenerateHints(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache2", + "module": "apache", }, }, }, len: 1, result: []common.MapStr{ { - "module": "apache2", + "module": "apache", "error": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -606,7 +606,7 @@ func TestGenerateHints(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache2", + "module": "apache", "fileset": "access", }, }, 
@@ -614,7 +614,7 @@ func TestGenerateHints(t *testing.T) { len: 1, result: []common.MapStr{ { - "module": "apache2", + "module": "apache", "access": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -655,7 +655,7 @@ func TestGenerateHints(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache2", + "module": "apache", "fileset.stdout": "access", "fileset.stderr": "error", }, @@ -664,7 +664,7 @@ func TestGenerateHints(t *testing.T) { len: 1, result: []common.MapStr{ { - "module": "apache2", + "module": "apache", "access": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -826,14 +826,14 @@ func TestGenerateHintsWithPaths(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache2", + "module": "apache", }, }, }, len: 1, path: "/var/log/pods/${data.kubernetes.pod.uid}/${data.kubernetes.container.name}/*.log", result: common.MapStr{ - "module": "apache2", + "module": "apache", "error": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -878,7 +878,7 @@ func TestGenerateHintsWithPaths(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache2", + "module": "apache", "fileset": "access", }, }, @@ -886,7 +886,7 @@ func TestGenerateHintsWithPaths(t *testing.T) { len: 1, path: "/var/log/pods/${data.kubernetes.pod.uid}/${data.kubernetes.container.name}/*.log", result: common.MapStr{ - "module": "apache2", + "module": "apache", "access": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ diff --git a/filebeat/beater/filebeat.go b/filebeat/beater/filebeat.go index a66a674b525..435161bb9f4 100644 --- a/filebeat/beater/filebeat.go +++ b/filebeat/beater/filebeat.go 
@@ -113,6 +113,19 @@ func newBeater(b *beat.Beat, plugins PluginFactory, rawConfig *common.Config) (b } if !moduleRegistry.Empty() { logp.Info("Enabled modules/filesets: %s", moduleRegistry.InfoString()) + for _, mod := range moduleRegistry.ModuleNames() { + if mod == "" { + continue + } + filesets, err := moduleRegistry.ModuleConfiguredFilesets(mod) + if err != nil { + logp.Err("Failed listing filesets for module %s", mod) + continue + } + if len(filesets) == 0 { + logp.Warn("Module %s is enabled but has no enabled filesets", mod) + } + } } moduleInputs, err := moduleRegistry.GetInputConfigs() diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 6e40ec0107f..b05f90afa28 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -29,7 +29,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> @@ -40,7 +39,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> 
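Review bot: `logp.Err("Failed listing filesets for module %s", mod)` drops the `err` value it has just received, so the log never says why `ModuleConfiguredFilesets` failed; include it, `logp.Err("Failed listing filesets for module %s: %v", mod, err)`. The `if mod == "" { continue }` guard implies `ModuleNames()` can return an empty name, which is not visible here; if that is real it deserves a one-line comment saying when it happens, otherwise the guard hides a registry bug. newBeater continues past the end of the hunk.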
@@ -166,260 +164,6 @@ Apache Module -[float] -=== apache2 - -Aliases for backward compatibility with old apache2 fields - - - - -*`apache2.access.remote_ip`*:: -+ --- -type: alias - -alias to: source.address - --- - -*`apache2.access.ssl.protocol`*:: -+ --- -type: alias - -alias to: apache.access.ssl.protocol - --- - -*`apache2.access.ssl.cipher`*:: -+ --- -type: alias - -alias to: apache.access.ssl.cipher - --- - -*`apache2.access.body_sent.bytes`*:: -+ --- -type: alias - -alias to: http.response.body.bytes - --- - -*`apache2.access.user_name`*:: -+ --- -type: alias - -alias to: user.name - --- - -*`apache2.access.method`*:: -+ --- -type: alias - -alias to: http.request.method - --- - -*`apache2.access.url`*:: -+ --- -type: alias - -alias to: url.original - --- - -*`apache2.access.http_version`*:: -+ --- -type: alias - -alias to: http.version - --- - -*`apache2.access.response_code`*:: -+ --- -type: alias - -alias to: http.response.status_code - --- - -*`apache2.access.referrer`*:: -+ --- -type: alias - -alias to: http.request.referrer - --- - -*`apache2.access.agent`*:: -+ --- -type: alias - -alias to: user_agent.original - --- - - -*`apache2.access.user_agent.device`*:: -+ --- -type: alias - -alias to: user_agent.device.name - --- - -*`apache2.access.user_agent.name`*:: -+ --- -type: alias - -alias to: user_agent.name - --- - -*`apache2.access.user_agent.os`*:: -+ --- -type: alias - -alias to: user_agent.os.full_name - --- - -*`apache2.access.user_agent.os_name`*:: -+ --- -type: alias - -alias to: user_agent.os.name - --- - -*`apache2.access.user_agent.original`*:: -+ --- -type: alias - -alias to: user_agent.original - --- - - -*`apache2.access.geoip.continent_name`*:: -+ --- -type: alias - -alias to: source.geo.continent_name - --- - -*`apache2.access.geoip.country_iso_code`*:: -+ --- -type: alias - -alias to: source.geo.country_iso_code - --- - -*`apache2.access.geoip.location`*:: -+ --- -type: alias - -alias to: source.geo.location - --- - 
-*`apache2.access.geoip.region_name`*:: -+ --- -type: alias - -alias to: source.geo.region_name - --- - -*`apache2.access.geoip.city_name`*:: -+ --- -type: alias - -alias to: source.geo.city_name - --- - -*`apache2.access.geoip.region_iso_code`*:: -+ --- -type: alias - -alias to: source.geo.region_iso_code - --- - - -*`apache2.error.level`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`apache2.error.message`*:: -+ --- -type: alias - -alias to: message - --- - -*`apache2.error.pid`*:: -+ --- -type: alias - -alias to: process.pid - --- - -*`apache2.error.tid`*:: -+ --- -type: alias - -alias to: process.thread.id - --- - -*`apache2.error.module`*:: -+ --- -type: alias - -alias to: apache.error.module - --- - [float] === apache @@ -21809,6 +21553,26 @@ type: keyword The WebVPN group name the user belongs to +type: keyword + +-- + +*`cisco.asa.termination_initiator`*:: ++ +-- +Interface name of the side that initiated the teardown + + +type: keyword + +-- + +*`cisco.asa.tunnel_type`*:: ++ +-- +SA type (remote access or L2L) + + type: keyword -- @@ -22047,6 +21811,16 @@ type: keyword The WebVPN group name the user belongs to +type: keyword + +-- + +*`cisco.ftd.termination_initiator`*:: ++ +-- +Interface name of the side that initiated the teardown + + type: keyword -- 
@@ -28760,11671 +28534,13190 @@ type: keyword -- -[[exported-fields-cyberark]] -== Cyber-Ark fields - -cyberark fields. +[[exported-fields-cyberarkpas]] +== CyberArk PAS fields +cyberarkpas fields. -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. -type: keyword +[float] +=== audit --- +Cyberark Privileged Access Security Audit fields. -*`rsa.internal.msg`*:: +*`cyberarkpas.audit.action`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +A description of the audit record. type: keyword -- -*`rsa.internal.messageid`*:: +[float] +=== ca_properties + +Account metadata. + + +*`cyberarkpas.audit.ca_properties.address`*:: + -- type: keyword -- -*`rsa.internal.event_desc`*:: +*`cyberarkpas.audit.ca_properties.cpm_disabled`*:: + -- type: keyword -- -*`rsa.internal.message`*:: +*`cyberarkpas.audit.ca_properties.cpm_error_details`*:: + -- -This key captures the contents of instant messages - type: keyword -- -*`rsa.internal.time`*:: +*`cyberarkpas.audit.ca_properties.cpm_status`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`cyberarkpas.audit.ca_properties.creation_method`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`cyberarkpas.audit.ca_properties.customer`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.msg_vid`*:: +*`cyberarkpas.audit.ca_properties.database`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.data`*:: +*`cyberarkpas.audit.ca_properties.device_type`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_server`*:: +*`cyberarkpas.audit.ca_properties.dual_account_status`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_val`*:: +*`cyberarkpas.audit.ca_properties.group_name`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.resource`*:: +*`cyberarkpas.audit.ca_properties.in_process`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_id`*:: +*`cyberarkpas.audit.ca_properties.index`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.statement`*:: +*`cyberarkpas.audit.ca_properties.last_fail_date`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.audit_class`*:: +*`cyberarkpas.audit.ca_properties.last_success_change`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.entry`*:: +*`cyberarkpas.audit.ca_properties.last_success_reconciliation`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.hcode`*:: +*`cyberarkpas.audit.ca_properties.last_success_verification`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.inode`*:: +*`cyberarkpas.audit.ca_properties.last_task`*:: + -- -Deprecated key defined only in table map. 
- -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`cyberarkpas.audit.ca_properties.logon_domain`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.dead`*:: +*`cyberarkpas.audit.ca_properties.policy_id`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`cyberarkpas.audit.ca_properties.port`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.feed_name`*:: +*`cyberarkpas.audit.ca_properties.privcloud`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.cid`*:: +*`cyberarkpas.audit.ca_properties.reset_immediately`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_class`*:: +*`cyberarkpas.audit.ca_properties.retries_count`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_group`*:: +*`cyberarkpas.audit.ca_properties.sequence_id`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_host`*:: +*`cyberarkpas.audit.ca_properties.tags`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_ip`*:: +*`cyberarkpas.audit.ca_properties.user_dn`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`cyberarkpas.audit.ca_properties.user_name`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`cyberarkpas.audit.ca_properties.virtual_username`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_type_id`*:: +*`cyberarkpas.audit.ca_properties.other`*:: + -- -Deprecated key defined only in table map. - -type: long +type: flattened -- -*`rsa.internal.did`*:: +*`cyberarkpas.audit.category`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The category name (for category-related operations). type: keyword -- -*`rsa.internal.entropy_req`*:: +*`cyberarkpas.audit.desc`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +A static value that displays a description of the audit codes. 
-type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +[float] +=== extra_details -type: long +Specific extra details of the audit records. --- -*`rsa.internal.event_name`*:: +*`cyberarkpas.audit.extra_details.ad_process_id`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`cyberarkpas.audit.extra_details.ad_process_name`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`cyberarkpas.audit.extra_details.application_type`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`cyberarkpas.audit.extra_details.command`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`cyberarkpas.audit.extra_details.connection_component_id`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`cyberarkpas.audit.extra_details.dst_host`*:: + -- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`cyberarkpas.audit.extra_details.logon_account`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`cyberarkpas.audit.extra_details.managed_account`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`cyberarkpas.audit.extra_details.process_id`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`cyberarkpas.audit.extra_details.process_name`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`cyberarkpas.audit.extra_details.protocol`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`cyberarkpas.audit.extra_details.psmid`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
32 = log, 33 = correlation session, < 32 is packet session - -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`cyberarkpas.audit.extra_details.session_duration`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`cyberarkpas.audit.extra_details.session_id`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`cyberarkpas.audit.extra_details.src_host`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`cyberarkpas.audit.extra_details.username`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`cyberarkpas.audit.extra_details.other`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: flattened -- -*`rsa.internal.process_vid_dst`*:: +*`cyberarkpas.audit.file`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +The name of the target file. type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`cyberarkpas.audit.gateway_station`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +The IP of the web application machine (PVWA). -type: keyword +type: ip -- -*`rsa.internal.rid`*:: +*`cyberarkpas.audit.hostname`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The hostname, in upper case. -type: long +type: keyword + +example: MY-COMPUTER -- -*`rsa.internal.session_split`*:: +*`cyberarkpas.audit.iso_timestamp`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The timestamp, in ISO Timestamp format (RFC 3339). -type: keyword +type: date + +example: 2013-06-25 10:47:19+00:00 -- -*`rsa.internal.site`*:: +*`cyberarkpas.audit.issuer`*:: + -- -Deprecated key defined only in table map. +The Vault user who wrote the audit. This is usually the user who performed the operation. type: keyword -- -*`rsa.internal.size`*:: +*`cyberarkpas.audit.location`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The target Location (for Location operations). -type: long +type: keyword + +Field is not indexed. -- -*`rsa.internal.sourcefile`*:: +*`cyberarkpas.audit.message`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +A description of the audit records (same information as in the Desc field). type: keyword -- -*`rsa.internal.ubc_req`*:: +*`cyberarkpas.audit.message_id`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +The code ID of the audit records. -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`cyberarkpas.audit.product`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once +A static value that represents the product. -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`cyberarkpas.audit.pvwa_details`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +Specific details of the PVWA audit records. -type: keyword +type: flattened -- - -*`rsa.time.event_time`*:: +*`cyberarkpas.audit.raw`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +Raw XML for the original audit record. Only present when XSLT file has debugging enabled. -type: date + +type: keyword + +Field is not indexed. -- -*`rsa.time.duration_time`*:: +*`cyberarkpas.audit.reason`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. +The reason entered by the user. -type: double +type: text -- -*`rsa.time.event_time_str`*:: +*`cyberarkpas.audit.rfc5424`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +Whether the syslog format complies with RFC5424. -type: keyword +type: boolean + +example: True -- -*`rsa.time.starttime`*:: +*`cyberarkpas.audit.safe`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form +The name of the target Safe. -type: date +type: keyword -- -*`rsa.time.month`*:: +*`cyberarkpas.audit.severity`*:: + -- +The severity of the audit records. + type: keyword -- -*`rsa.time.day`*:: +*`cyberarkpas.audit.source_user`*:: + -- +The name of the Vault user who performed the operation. + type: keyword -- -*`rsa.time.endtime`*:: +*`cyberarkpas.audit.station`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. 
-type: date +type: ip -- -*`rsa.time.timezone`*:: +*`cyberarkpas.audit.target_user`*:: + -- -This key is used to capture the timezone of the Event Time +The name of the Vault user on which the operation was performed. type: keyword -- -*`rsa.time.duration_str`*:: +*`cyberarkpas.audit.timestamp`*:: + -- -A text string version of the duration +The timestamp, in MMM DD HH:MM:SS format. type: keyword +example: Jun 25 10:47:19 + -- -*`rsa.time.date`*:: +*`cyberarkpas.audit.vendor`*:: + -- +A static value that represents the vendor. + type: keyword -- -*`rsa.time.year`*:: +*`cyberarkpas.audit.version`*:: + -- -type: keyword +A static value that represents the version of the Vault. --- +type: keyword -*`rsa.time.recorded_time`*:: -+ -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: date +[[exported-fields-cylance]] +== CylanceProtect fields --- +cylance fields. -*`rsa.time.datetime`*:: -+ --- -type: keyword --- -*`rsa.time.effective_time`*:: +*`network.interface.name`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format +Name of the network interface where the traffic has been observed. -type: date --- +type: keyword -*`rsa.time.expire_time`*:: -+ -- -This key is the timestamp that explicitly refers to an expiration. 
-type: date --- -*`rsa.time.process_time`*:: +*`rsa.internal.msg`*:: + -- -Deprecated, use duration.time +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.time.hour`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.internal.event_desc`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.internal.message`*:: + -- +This key captures the contents of instant messages + type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.internal.time`*:: + -- -This key is the Time that the event was queued. +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. type: date -- -*`rsa.time.p_time1`*:: +*`rsa.internal.level`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.time.tzone`*:: +*`rsa.internal.msg_id`*:: + -- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.internal.msg_vid`*:: + -- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.internal.data`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.internal.obj_server`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.internal.obj_val`*:: + -- +Deprecated key defined only in table map. 
+ type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.internal.resource`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.internal.obj_id`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.internal.entry`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. +Deprecated key defined only in table map. type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.internal.hcode`*:: + -- Deprecated key defined only in table map. -type: date +type: keyword -- - -*`rsa.misc.action`*:: +*`rsa.internal.inode`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.result`*:: +*`rsa.internal.resource_class`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.internal.dead`*:: + -- -This key is used to capture the severity given the session +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.event_type`*:: +*`rsa.internal.feed_desc`*:: + -- -This key captures the event category type as specified by the event source. +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.internal.feed_name`*:: + -- -This key is used to capture an event id from the session directly +This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.version`*:: +*`rsa.internal.cid`*:: + -- -This key captures Version of the application or OS which is generating the event. +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.internal.device_class`*:: + -- -This key captures the The end state of an action. +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.internal.device_group`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.category`*:: +*`rsa.internal.device_host`*:: + -- -This key is used to capture the category of an event given by the vendor in the session +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.internal.device_ip`*:: + -- -This is used to capture name of object +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.obj_type`*:: +*`rsa.internal.device_ipv6`*:: + -- -This is used to capture type of object +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.event_source`*:: +*`rsa.internal.device_type`*:: + -- -This key captures Source of the event that’s not a hostname +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.internal.device_type_id`*:: + -- -This key is used to capture a sessionid from the session directly +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.group`*:: +*`rsa.internal.did`*:: + -- -This key captures the Group Name value +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.internal.entropy_req`*:: + -- -This key is used to capture the Policy Name only. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.misc.rule_name`*:: +*`rsa.internal.entropy_res`*:: + -- -This key captures the Rule Name +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.misc.context`*:: +*`rsa.internal.event_name`*:: + -- -This key captures Information which adds additional context to the event. 
+Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.internal.feed_category`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.space`*:: +*`rsa.internal.forward_ip`*:: + -- -type: keyword +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip -- -*`rsa.misc.client`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.internal.header_id`*:: + -- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.internal.lc_cid`*:: + -- +This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.internal.lc_ctime`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`rsa.misc.operation_id`*:: +*`rsa.internal.mcb_req`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.misc.event_state`*:: +*`rsa.internal.mcb_res`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.misc.group_object`*:: +*`rsa.internal.mcbc_req`*:: + -- -This key captures a collection/grouping of entities. Specific usage +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.misc.node`*:: +*`rsa.internal.mcbc_res`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
+This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.misc.rule`*:: +*`rsa.internal.medium`*:: + -- -This key captures the Rule number +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`rsa.misc.device_name`*:: +*`rsa.internal.node_name`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.param`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -This key is the parameters passed as part of a command or application, etc. +This key denotes that event is endpoint related type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.internal.parse_error`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.internal.payload_req`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep -type: keyword +type: long -- -*`rsa.misc.reference_id1`*:: +*`rsa.internal.payload_res`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`rsa.misc.event_log`*:: +*`rsa.internal.process_vid_dst`*:: + -- -This key captures the Name of the event log +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.internal.process_vid_src`*:: + -- -This key captures the Name of the Operating System +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.internal.rid`*:: + -- -This key captures the Terminal Names only +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.internal.session_split`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.internal.site`*:: + -- -This key captures Filter used to reduce result set +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.internal.size`*:: + -- -This key is the Serial number associated with a physical asset. +This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`rsa.misc.checksum`*:: +*`rsa.internal.sourcefile`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.internal.ubc_req`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.misc.virusname`*:: +*`rsa.internal.ubc_res`*:: + -- -This key captures the name of the virus +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.misc.content_type`*:: +*`rsa.internal.word`*:: + -- -This key is used to capture Content Type only. 
+This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`rsa.misc.group_id`*:: + +*`rsa.time.event_time`*:: + -- -This key captures Group ID Number (related to the group name) +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`rsa.misc.policy_id`*:: +*`rsa.time.duration_time`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- -*`rsa.misc.vsys`*:: +*`rsa.time.event_time_str`*:: + -- -This key captures Virtual System Name +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.time.starttime`*:: + -- -This key captures the Connection ID +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.misc.reference_id2`*:: +*`rsa.time.month`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.time.day`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.time.endtime`*:: + -- -This key captures IDS/IPS Int Signature ID +This key is used to capture the End time mentioned in a session in a standard form -type: long +type: date -- -*`rsa.misc.port_name`*:: +*`rsa.time.timezone`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). 
+This key is used to capture the timezone of the Event Time type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.time.duration_str`*:: + -- -This key captures the Rule group name +A text string version of the duration type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.time.date`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.time.year`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.time.recorded_time`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: keyword +type: date -- -*`rsa.misc.comp_version`*:: +*`rsa.time.datetime`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.time.effective_time`*:: + -- -This key captures Version level of a signature or database content. +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: keyword +type: date -- -*`rsa.misc.hardware_id`*:: +*`rsa.time.expire_time`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +This key is the timestamp that explicitly refers to an expiration. 
-type: keyword +type: date -- -*`rsa.misc.risk`*:: +*`rsa.time.process_time`*:: + -- -This key captures the non-numeric risk value +Deprecated, use duration.time type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`rsa.misc.status`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.time.event_queue_time`*:: + -- -This key is used to capture the mailbox id/name +This key is the Time that the event was queued. -type: keyword +type: date -- -*`rsa.misc.rule_uid`*:: +*`rsa.time.p_time1`*:: + -- -This key is the Unique Identifier for a rule. - type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.time.tzone`*:: + -- -This key captures the Description of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.time.gmtdate`*:: + -- type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.time.gmttime`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.time.p_date`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`rsa.time.p_month`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`rsa.time.p_time`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.time.p_time2`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.time.p_year`*:: + -- type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.time.expire_time_str`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.time.stamp`*:: + -- -This key captures the contents of the policy. 
This contains details about the policy +Deprecated key defined only in table map. -type: keyword +type: date -- -*`rsa.misc.pool_name`*:: + +*`rsa.misc.action`*:: + -- -This key captures the name of a resource pool - type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.misc.result`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.misc.count`*:: +*`rsa.misc.severity`*:: + -- +This key is used to capture the severity given the session + type: keyword -- -*`rsa.misc.number`*:: +*`rsa.misc.event_type`*:: + -- +This key captures the event category type as specified by the event source. + type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.misc.reference_id`*:: + -- +This key is used to capture an event id from the session directly + type: keyword -- -*`rsa.misc.type`*:: +*`rsa.misc.version`*:: + -- +This key captures Version of the application or OS which is generating the event. + type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.misc.disposition`*:: + -- -Comment information provided in the log message +This key captures the The end state of an action. type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.misc.result_code`*:: + -- -This key captures File Identification number +This key is used to capture the outcome/result numeric value of an action in a session -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.misc.category`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). 
+This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.misc.obj_name`*:: + -- -This key captures the Job Number +This is used to capture name of object type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.misc.obj_type`*:: + -- -Destination SPI Index +This is used to capture type of object type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.misc.event_source`*:: + -- -Source SPI Index +This key captures Source of the event that’s not a hostname type: keyword -- -*`rsa.misc.code`*:: +*`rsa.misc.log_session_id`*:: + -- +This key is used to capture a sessionid from the session directly + type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.misc.group`*:: + -- -This key is used to capture agent id +This key captures the Group Name value type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.misc.policy_name`*:: + -- -This key captures the The contents of the message body. +This key is used to capture the Policy Name only. type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.misc.rule_name`*:: + -- +This key captures the Rule Name + type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.misc.context`*:: + -- -This key captures a string object of the sigid variable. +This key captures Information which adds additional context to the event. type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.misc.change_new`*:: + -- +This key is used to capture the new values of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`rsa.misc.name`*:: +*`rsa.misc.client`*:: + -- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.misc.msgIdPart1`*:: + -- -This key is the CPU time used in the execution of the event being recorded. 
- -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.misc.msgIdPart2`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.misc.change_old`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +This key is used to capture the old value of the attribute that’s changing in a session -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.misc.operation_id`*:: + -- +An alert number or operation number. The values should be unique and non-repeating. + type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.misc.event_state`*:: + -- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.misc.group_object`*:: + -- +This key captures a collection/grouping of entities. Specific usage + type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.misc.node`*:: + -- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.misc.rule`*:: + -- +This key captures the Rule number + type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.misc.device_name`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.misc.param`*:: + -- +This key is the parameters passed as part of a command or application, etc. + type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.misc.change_attrib`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. 
+This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.misc.event_computer`*:: + -- -This key captures Filter Category Number. Legacy Usage +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.reference_id1`*:: + -- -This key is used to capture library information in mainframe devices +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.event_log`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. +This key captures the Name of the event log type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.OS`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key captures the Name of the Operating System type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.terminal`*:: + -- -This key is captures the TCP flags set in any packet of session +This key captures the Terminal Names only -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.msgIdPart3`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.filter`*:: + -- -VMWare Target **VMWARE** only varaible. +This key captures Filter used to reduce result set type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.serial_number`*:: + -- -This key captures Workspace Description +This key is the Serial number associated with a physical asset. type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.checksum`*:: + -- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. 
+ type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.event_user`*:: + -- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.virusname`*:: + -- +This key captures the name of the virus + type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.content_type`*:: + -- +This key is used to capture Content Type only. + type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.group_id`*:: + -- +This key captures Group ID Number (related to the group name) + type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.policy_id`*:: + -- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.sensor`*:: + -- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.sig_id`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID + +type: long -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.port_name`*:: + -- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). 
+ type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.rule_group`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key captures the Rule group name type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.risk_num`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. +This key captures a Numeric Risk value -type: keyword +type: double -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.trigger_val`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.log_session_id1`*:: + -- -This key captures the Filter Result +This key is used to capture a Linked (Related) Session ID from the session directly -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.comp_version`*:: + -- -This key is used to capture destination payload +This key captures the Version level of a sub-component of a product. type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.content_version`*:: + -- -This key is used to capture source payload +This key captures Version level of a signature or database content. 
type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.hardware_id`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.risk`*:: + -- -This key is a failure key for Process ID when it is not an integer value +This key captures the non-numeric risk value type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.event_id`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.reason`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.status`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.mail_id`*:: + -- -This key captures Risk Number Static +This key is used to capture the mailbox id/name -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.rule_uid`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is the Unique Identifier for a rule. type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.trigger_desc`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key captures the Description of the trigger or threshold condition. 
type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.inout`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.p_msgid`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.data_type`*:: + -- -This key captures the Vulnerability Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.listnum`*:: + -- +This key is used to capture listname or listnumber, primarily for collecting access-list + type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.observed_val`*:: + -- +This key captures the Value observed (from the perspective of the device generating the log). + type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.policy_value`*:: + -- +This key captures the contents of the policy. 
This contains details about the policy + type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.pool_name`*:: + -- +This key captures the name of a resource pool + type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.rule_template`*:: + -- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.count`*:: + -- type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.comments`*:: + -- +Comment information provided in the log message + type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.doc_number`*:: + -- -type: keyword +This key captures File Identification number + +type: long -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.expected_val`*:: + -- +This key captures the Value expected (from the perspective of the device generating the log). + type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.job_num`*:: + -- +This key captures the Job Number + type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.spi_dst`*:: + -- +Destination SPI Index + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.spi_src`*:: + -- +Source SPI Index + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.agent_id`*:: + -- +This key is used to capture agent id + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.message_body`*:: + -- +This key captures the The contents of the message body. + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.sig_id_str`*:: + -- +This key captures a string object of the sigid variable. 
+ type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.cmd`*:: + -- type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.name`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.cpu`*:: + -- -type: keyword +This key is the CPU time used in the execution of the event being recorded. + +type: long -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.event_desc`*:: + -- +This key is used to capture a description of an event available directly or inferred + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.sig_id1`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.im_client`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.priority`*:: + -- type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.context_subject`*:: + -- +This key is to be used in an audit context where the subject is the object being identified + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.context_target`*:: + -- type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.cve`*:: + -- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.fcatnum`*:: + -- +This key captures Filter Category Number. Legacy Usage + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.library`*:: + -- +This key is used to capture library information in mainframe devices + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.misc.parent_node`*:: + -- +This key captures the Parent Node Name. 
Must be related to node variable. + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.misc.risk_info`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: keyword +This key is captures the TCP flags set in any packet of session + +type: long -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.misc.tos`*:: + -- -type: keyword +This key describes the type of service + +type: long -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.vm_target`*:: + -- +VMWare Target **VMWARE** only varaible. + type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.misc.workspace`*:: + -- +This key captures Workspace Description + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.alert_id`*:: + -- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.checksum_dst`*:: + -- +This key is used to capture the checksum or hash of the the target entity such as a process or file. 
+ type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.checksum_src`*:: + -- +This key is used to capture the checksum or hash of the source entity such as a file or process. + type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.misc.fresult`*:: + -- -type: keyword +This key captures the Filter Result + +type: long -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.misc.payload_dst`*:: + -- +This key is used to capture destination payload + type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.misc.payload_src`*:: + -- +This key is used to capture source payload + type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.misc.pool_id`*:: + -- +This key captures the identifier (typically numeric field) of a resource pool + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.misc.process_id_val`*:: + -- +This key is a failure key for Process ID when it is not an integer value + type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.misc.risk_num_comm`*:: + -- -type: keyword +This key captures Risk Number Community + +type: double -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.misc.risk_num_next`*:: + -- -type: keyword +This key captures Risk Number NextGen + +type: double -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: keyword +This key captures Risk Number SandBox + +type: double -- -*`rsa.misc.cn_template_id`*:: +*`rsa.misc.risk_num_static`*:: + -- -type: keyword +This key captures Risk Number Static + +type: double -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.risk_suspicious`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.misc.risk_warning`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.snmp_oid`*:: + -- +SNMP Object Identifier + type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.sql`*:: + -- +This key captures the SQL query + type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: 
+*`rsa.misc.vuln_ref`*:: + -- +This key captures the Vulnerability Reference details + type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.misc.cn_asn_src`*:: + -- type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- type: keyword -- 
-*`rsa.misc.cs_if_name`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.misc.cn_engine_id`*:: + -- type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.misc.cn_l_switch`*:: + -- type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`rsa.misc.description`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: 
+ -- type: keyword -- -*`rsa.misc.dstburb`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.misc.flags`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.misc.cn_template_id`*:: + -- type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.misc.cn_v6optheaders`*:: + 
-- type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.misc.criticality`*:: + -- type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.misc.cs_agency_dst`*:: + -- type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.misc.cs_analyzedby`*:: + -- type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.misc.cs_av_other`*:: + -- type: keyword -- -*`rsa.misc.num`*:: +*`rsa.misc.cs_av_primary`*:: + -- type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.misc.cs_av_secondary`*:: + -- type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.misc.cs_bit9status`*:: + -- type: keyword -- -*`rsa.misc.object`*:: +*`rsa.misc.cs_context`*:: + -- type: keyword -- -*`rsa.misc.operation`*:: +*`rsa.misc.cs_control`*:: + -- type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.misc.cs_datecret`*:: + -- type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.misc.cs_dst_tld`*:: + -- type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.misc.cs_event_uuid`*:: + -- type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.misc.cs_fld`*:: + -- type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- type: keyword -- -*`rsa.misc.password_expire`*:: 
+*`rsa.misc.cs_ipv4dstpre`*:: + -- type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.misc.cs_lifetime`*:: + -- type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.misc.cs_log_medium`*:: + -- type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.misc.cs_loginname`*:: + -- type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.misc.cs_modulescore`*:: + -- type: keyword -- -*`rsa.misc.program`*:: +*`rsa.misc.cs_modulesign`*:: + -- type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.misc.cs_payload`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.misc.cs_registrant`*:: + -- type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.misc.cs_registrar`*:: + -- type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.misc.cs_represult`*:: + -- type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.misc.cs_rpayload`*:: + -- type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`rsa.misc.session`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.misc.cs_yararesult`*:: + -- type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.misc.description`*:: + -- type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.misc.devvendor`*:: + -- type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.misc.distance`*:: + -- type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.misc.edomain`*:: + -- type: keyword -- -*`rsa.misc.state`*:: +*`rsa.misc.edomaub`*:: + -- type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.misc.euid`*:: + -- 
type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.misc.finterface`*:: + -- type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.misc.load_data`*:: + -- -This is used to capture Auto Run type - type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.misc.location_floor`*:: + -- -Valid Credit Card Numbers only - -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.misc.location_mark`*:: + -- -This key captures the content type from protocol headers - type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.misc.log_id`*:: + -- -Employee Identification Numbers only - -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.misc.log_type`*:: + -- -This is used to capture the results of regex match - type: keyword -- -*`rsa.misc.language`*:: +*`rsa.misc.logid`*:: + -- -This is used to capture list of languages the client support and what it prefers - type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.misc.logip`*:: + -- 
-This key is used to capture the session lifetime in seconds. - -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.misc.logname`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.misc.match`*:: +*`rsa.misc.longitude`*:: + -- -This key is for regex match name from search.ini - type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.misc.lport`*:: + -- -This key captures the command line/launch argument of the target process or file - type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.misc.mbug_data`*:: + -- -This key captures source parameter - type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.misc.misc_name`*:: + -- -This key captures the Search Text used - type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.misc.msg_type`*:: + -- -This key is used to capture the Signature Name only. - type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.misc.msgid`*:: + -- -SNMP set request value - type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.misc.netsessid`*:: + -- -This key captures number of streams in session - -type: long +type: keyword -- - -*`rsa.db.index`*:: +*`rsa.misc.num`*:: + -- -This key captures IndexID of the index. - type: keyword -- -*`rsa.db.instance`*:: +*`rsa.misc.number1`*:: + -- -This key is used to capture the database server instance name - type: keyword -- -*`rsa.db.database`*:: +*`rsa.misc.number2`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session - type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.misc.nwwn`*:: + -- -This key captures the SQL transantion ID of the current session - type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.misc.object`*:: + -- -This key captures permission or privilege level assigned to a resource. 
- type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.misc.operation`*:: + -- -This key is used to capture the table name - type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.misc.opkt`*:: + -- -This key is used to capture the unique identifier for a database - type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.misc.orig_from`*:: + -- -This key captures the process id of a connection with database server - -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`rsa.misc.owner_id`*:: + -- -This key is used for the number of logical reads - -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.misc.p_action`*:: + -- -This key is used for the number of logical writes - -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.misc.p_filter`*:: + -- -This key is used for the number of physical writes - -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.misc.p_group_object`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - type: keyword -- -*`rsa.network.domain`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.misc.p_msgid1`*:: + -- -This key should only be used when it’s a Destination Hostname - type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.misc.p_msgid2`*:: + -- -This is used to capture layer 7 protocols/service names - type: keyword -- -*`rsa.network.interface`*:: +*`rsa.misc.p_result1`*:: + -- -This key should be used when the source or destination context of an interface is not clear - type: keyword -- -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
- -type: long - --- - -*`rsa.network.eth_host`*:: +*`rsa.misc.password_chg`*:: + -- -Deprecated, use alias.mac - type: keyword -- -*`rsa.network.sinterface`*:: +*`rsa.misc.password_expire`*:: + -- -This key should only be used when it’s a Source Interface - type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.misc.permgranted`*:: + -- -This key should only be used when it’s a Destination Interface - type: keyword -- -*`rsa.network.vlan`*:: +*`rsa.misc.permwanted`*:: + -- -This key should only be used to capture the ID of the Virtual LAN - -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.misc.pgid`*:: + -- -This key should only be used when it’s a Source Zone. - type: keyword -- -*`rsa.network.zone`*:: +*`rsa.misc.policyUUID`*:: + -- -This key should be used when the source or destination context of a Zone is not clear - type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.misc.prog_asp_num`*:: + -- -This key should only be used when it’s a Destination Zone. - type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.misc.program`*:: + -- -This key is used to capture the IP Address of the gateway - type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.misc.real_data`*:: + -- -This key is used to capture the ICMP type only - -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.misc.rec_asp_device`*:: + -- -This key is used to capture the device network IPmask. 
- type: keyword -- -*`rsa.network.icmp_code`*:: +*`rsa.misc.rec_asp_num`*:: + -- -This key is used to capture the ICMP code only - -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.misc.rec_library`*:: + -- -This key should be used to capture additional protocol information - type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.misc.recordnum`*:: + -- -This key is used for Destionation Device network mask - type: keyword -- -*`rsa.network.port`*:: +*`rsa.misc.ruid`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.misc.sburb`*:: + -- -This key is used for capturing source Network Mask - type: keyword -- -*`rsa.network.netname`*:: +*`rsa.misc.sdomain_fld`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.misc.sec`*:: + -- -Deprecated - -type: ip +type: keyword -- -*`rsa.network.faddr`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`rsa.network.origin`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`rsa.network.addr`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`rsa.network.fport`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`rsa.network.phost`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.misc.system`*:: + -- -Deprecated, use host.dst 
- type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.misc.tbdstr1`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.misc.tgtdom`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`rsa.network.dns_id`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`rsa.network.domain1`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.misc.utcstamp`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.misc.v_instafname`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
- type: keyword -- -*`rsa.network.vlan_name`*:: +*`rsa.misc.virt_data`*:: + -- -This key should only be used to capture the name of the Virtual LAN - type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.misc.vpnid`*:: + -- -This key captures the particular event activity(Ex:Logoff) - type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.misc.autorun_type`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +This is used to capture Auto Run type type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.misc.cc_number`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +Valid Credit Card Numbers only -type: keyword +type: long -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.misc.content`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +This key captures the content type from protocol headers type: keyword -- -*`rsa.investigations.event_cat`*:: +*`rsa.misc.ein_number`*:: + -- -This key captures the Event category number +Employee Identification Numbers only type: long -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.misc.found`*:: + -- -This key captures the event category name corresponding to the event cat code +This is used to capture the results of regex match type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.misc.language`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.misc.lifetime`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +This key is used to capture the session lifetime in seconds. 
-type: keyword +type: long -- -*`rsa.investigations.analysis_service`*:: +*`rsa.misc.link`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.misc.match`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +This key is for regex match name from search.ini type: keyword -- -*`rsa.investigations.boc`*:: +*`rsa.misc.param_dst`*:: + -- -This is used to capture behaviour of compromise +This key captures the command line/launch argument of the target process or file type: keyword -- -*`rsa.investigations.eoc`*:: +*`rsa.misc.param_src`*:: + -- -This is used to capture Enablers of Compromise +This key captures source parameter type: keyword -- -*`rsa.investigations.inv_category`*:: +*`rsa.misc.search_text`*:: + -- -This used to capture investigation category +This key captures the Search Text used type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.misc.sig_name`*:: + -- -This used to capture investigation context +This key is used to capture the Signature Name only. type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.misc.snmp_value`*:: + -- -This is key capture indicator of compromise +SNMP set request value type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.misc.streams`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +This key captures number of streams in session type: long -- -*`rsa.counters.dclass_c2`*:: + +*`rsa.db.index`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +This key captures IndexID of the index. 
-type: long +type: keyword -- -*`rsa.counters.event_counter`*:: +*`rsa.db.instance`*:: + -- -This is used to capture the number of times an event repeated +This key is used to capture the database server instance name -type: long +type: keyword -- -*`rsa.counters.dclass_r1`*:: +*`rsa.db.database`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.db.transact_id`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +This key captures the SQL transantion ID of the current session -type: long +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.db.permissions`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +This key captures permission or privilege level assigned to a resource. type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.db.table_name`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +This key is used to capture the table name type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.db.db_id`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +This key is used to capture the unique identifier for a database type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.db.db_pid`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +This key captures the process id of a connection with database server -type: keyword +type: long -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.db.lread`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +This key is used for the number of logical reads -type: keyword +type: long -- -*`rsa.counters.dclass_r3`*:: +*`rsa.db.lwrite`*:: + -- -This is a generic ratio key that should be used with the 
label dclass.r3.str only +This key is used for the number of logical writes -type: keyword +type: long -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.db.pread`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +This key is used for the number of physical writes -type: keyword +type: long -- -*`rsa.counters.dclass_r3_str`*:: + +*`rsa.network.alias_host`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -- - -*`rsa.identity.auth_method`*:: +*`rsa.network.domain`*:: + -- -This key is used to capture authentication methods used only - type: keyword -- -*`rsa.identity.user_role`*:: +*`rsa.network.host_dst`*:: + -- -This key is used to capture the Role of a user only +This key should only be used when it’s a Destination Hostname type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.network.network_service`*:: + -- -X.500 (LDAP) Distinguished Name +This is used to capture layer 7 protocols/service names type: keyword -- -*`rsa.identity.logon_type`*:: +*`rsa.network.interface`*:: + -- -This key is used to capture the type of logon method used. +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`rsa.identity.profile`*:: +*`rsa.network.network_port`*:: + -- -This key is used to capture the user profile +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
-type: keyword +type: long -- -*`rsa.identity.accesses`*:: +*`rsa.network.eth_host`*:: + -- -This key is used to capture actual privileges used in accessing an object +Deprecated, use alias.mac type: keyword -- -*`rsa.identity.realm`*:: +*`rsa.network.sinterface`*:: + -- -Radius realm or similar grouping of accounts +This key should only be used when it’s a Source Interface type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.network.dinterface`*:: + -- -This key captures Destination User Session ID +This key should only be used when it’s a Destination Interface type: keyword -- -*`rsa.identity.dn_src`*:: +*`rsa.network.vlan`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`rsa.identity.org`*:: +*`rsa.network.zone_src`*:: + -- -This key captures the User organization +This key should only be used when it’s a Source Zone. type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.network.zone`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.network.zone_dst`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This key should only be used when it’s a Destination Zone. 
type: keyword -- -*`rsa.identity.lastname`*:: +*`rsa.network.gateway`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key is used to capture the IP Address of the gateway type: keyword -- -*`rsa.identity.user_dept`*:: +*`rsa.network.icmp_type`*:: + -- -User's Department Names only +This key is used to capture the ICMP type only -type: keyword +type: long -- -*`rsa.identity.user_sid_src`*:: +*`rsa.network.mask`*:: + -- -This key captures Source User Session ID +This key is used to capture the device network IPmask. type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.network.icmp_code`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +This key is used to capture the ICMP code only -type: keyword +type: long -- -*`rsa.identity.federated_idp`*:: +*`rsa.network.protocol_detail`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. +This key should be used to capture additional protocol information type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.network.dmask`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+This key is used for Destionation Device network mask type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.network.port`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key should only be used to capture a Network Port when the directionality is not clear -type: keyword +type: long -- -*`rsa.identity.password`*:: +*`rsa.network.smask`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +This key is used for capturing source Network Mask type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.network.netname`*:: + -- -This key should only be used to capture the role of a Host Machine +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -- -*`rsa.identity.ldap`*:: +*`rsa.network.paddr`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +Deprecated -type: keyword +type: ip -- -*`rsa.identity.ldap_query`*:: +*`rsa.network.faddr`*:: + -- -This key is the Search criteria from an LDAP search - type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.network.lhost`*:: + -- -This key is to capture Results from an LDAP search - type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.network.origin`*:: + -- -This is used to capture username the process or service is running as, the author of the task - type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.network.remote_domain_id`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - type: keyword -- - -*`rsa.email.email_dst`*:: +*`rsa.network.addr`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.network.dns_a_record`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email - type: keyword -- -*`rsa.email.subject`*:: +*`rsa.network.dns_ptr_record`*:: + -- -This key is used to capture the subject string from an Email only. - type: keyword -- -*`rsa.email.email`*:: +*`rsa.network.fhost`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear - type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.network.fport`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.network.laddr`*:: + -- -Deprecated key defined only in table map. - type: keyword -- - -*`rsa.file.privilege`*:: +*`rsa.network.linterface`*:: + -- -Deprecated, use permissions - type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.network.phost`*:: + -- -This key captures the attachment file name - type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.file.binary`*:: +*`rsa.network.eth_type`*:: + -- -Deprecated key defined only in table map. 
+This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only -type: keyword +type: long -- -*`rsa.file.filename_dst`*:: +*`rsa.network.ip_proto`*:: + -- -This is used to capture name of the file targeted by the action +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: keyword +type: long -- -*`rsa.file.filename_src`*:: +*`rsa.network.dns_cname_record`*:: + -- -This is used to capture name of the parent filename, the file which performed the action - type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.file.directory_dst`*:: +*`rsa.network.dns_opcode`*:: + -- -This key is used to capture the directory of the target process or file - type: keyword -- -*`rsa.file.directory_src`*:: +*`rsa.network.dns_resp`*:: + -- -This key is used to capture the directory of the source process or file - type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.network.dns_type`*:: + -- -This is used to capture entropy vale of a file - -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`rsa.network.domain1`*:: + -- -This is used to capture Company name of file located in version_info - type: keyword -- -*`rsa.file.task_name`*:: +*`rsa.network.host_type`*:: + -- -This is used to capture name of the task - type: keyword -- - -*`rsa.web.fqdn`*:: +*`rsa.network.packet_length`*:: + -- -Fully Qualified Domain Names - type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.network.host_orig`*:: + -- -This key is used to capture the Web cookies specifically. +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.network.vlan_name`*:: + -- -Reputation Number of an entity. 
Typically used for Web Domains +This key should only be used to capture the name of the Virtual LAN -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: + +*`rsa.investigations.ec_activity`*:: + -- -Web referer's domain +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.investigations.ec_theme`*:: + -- -This key captures Web referer's query portion of the URL +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`rsa.web.remote_domain`*:: +*`rsa.investigations.ec_subject`*:: + -- +This key captures the Subject of a particular Event(Ex:User) + type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.investigations.ec_outcome`*:: + -- -This key captures Web referer's page information +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.investigations.event_cat`*:: + -- -Web referer's root URL path +This key captures the Event category number -type: keyword +type: long -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.web.p_user_agent`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.web.p_web_method`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.web.p_web_referer`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.web.web_page`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only --- +type: long +-- -*`rsa.threat.threat_category`*:: +*`rsa.counters.dclass_c2`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +This is a generic counter key that should be used with the label dclass.c2.str only -type: keyword +type: long -- -*`rsa.threat.threat_desc`*:: +*`rsa.counters.event_counter`*:: + -- -This key is used to capture the threat description from the session directly or inferred +This is used to capture the number of times an event repeated -type: keyword +type: long -- -*`rsa.threat.alert`*:: +*`rsa.counters.dclass_r1`*:: + -- -This key is used to capture name of the alert +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.counters.dclass_c3`*:: + -- -This key is used to capture source of the threat +This is a generic counter 
key that should be used with the label dclass.c3.str only -type: keyword +type: long -- - -*`rsa.crypto.crypto`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -This key is for Source (Client) Cipher +This is a generic counter string key that should be used with the label dclass.c2 only type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -This key is used to capture the Certificate organization only +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.counters.dclass_r2`*:: + -- -This key is for Encryption peer's IP Address +This is a generic ratio key that should be used with the label dclass.r2.str only type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -This key captures Source (Client) Cipher Size +This is a generic counter string key that should be used with the label dclass.c3 only -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.counters.dclass_r3`*:: + -- -IKE negotiation phase. 
+This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -This key captures the Encryption scheme used +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -This key is for Encryption peer’s identity +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -*`rsa.crypto.sig_type`*:: + +*`rsa.identity.auth_method`*:: + -- -This key captures the Signature Type +This key is used to capture authentication methods used only type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.identity.dn`*:: + -- -Deprecated key defined only in table map. +X.500 (LDAP) Distinguished Name type: keyword -- -*`rsa.crypto.cert_error`*:: +*`rsa.identity.logon_type`*:: + -- -This key captures the Certificate Error String +This key is used to capture the type of logon method used. 
type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.identity.profile`*:: + -- -This key is for Destination (Server) Cipher +This key is used to capture the user profile type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.identity.accesses`*:: + -- -This key captures Destination (Server) Cipher Size +This key is used to capture actual privileges used in accessing an object -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.identity.realm`*:: + -- -Deprecated, use version +Radius realm or similar grouping of accounts type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.identity.org`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +This key captures the User organization type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.identity.dn_dst`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.identity.lastname`*:: + -- -This key is used for the hostname category value of a certificate +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.identity.user_dept`*:: + -- -This key is used to capture the Certificate serial number only +User's Department Names only type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.identity.user_sid_src`*:: + -- -This key captures Certificate validation status 
+This key captures Source User Session ID type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.identity.federated_sp`*:: + -- -Deprecated, use version +This key is the Federated Service Provider. This is the application requesting authentication. type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.identity.host_role`*:: + -- -This key is used to capture the Certificate signing authority only +This key should only be used to capture the role of a Host Machine type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.identity.ldap`*:: + -- -This key is used to capture the Certificate common name only +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.identity.ldap_query`*:: + -- -This key is used to capture the ssid of a Wireless Session +This key is the Search criteria from an LDAP search type: keyword -- -*`rsa.wireless.access_point`*:: +*`rsa.identity.ldap_response`*:: + -- -This key is used to capture the access point name. 
+This key is to capture Results from an LDAP search type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.identity.owner`*:: + -- -This is used to capture the channel names +This is used to capture username the process or service is running as, the author of the task -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.identity.service_account`*:: + -- -This key captures either WLAN number/name +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage type: keyword -- -*`rsa.storage.disk_volume`*:: +*`rsa.email.email_dst`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.email.email_src`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.email.subject`*:: + -- -This uniquely identifies a port on a HBA. +This key is used to capture the subject string from an Email only. type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.email.email`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +This key is used to capture a generic email address where the source or destination context is not clear type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.email.trans_from`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +Deprecated key defined only in table map. type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.email.trans_to`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.healthcare.patient_id`*:: + +*`rsa.file.privilege`*:: + -- -This key captures the unique ID for a patient +Deprecated, use permissions type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.file.attachment`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key captures the attachment file name type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.file.filesystem`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.file.binary`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +Deprecated key defined only in table map. type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.file.filename_dst`*:: + -- -This key captures the path to the registry key +This is used to capture name of the file targeted by the action type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.file.filename_src`*:: + -- -This key captures values or decorators used within a registry entry +This is used to capture name of the parent filename, the file which performed the action type: keyword -- -[[exported-fields-cyberarkpas]] -== CyberArk PAS fields - -cyberarkpas fields. - - - - -[float] -=== audit - -Cyberark Privileged Access Security Audit fields. - +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword +-- -*`cyberarkpas.audit.action`*:: +*`rsa.file.directory_dst`*:: + -- -A description of the audit record. +This key is used to capture the directory of the target process or file type: keyword -- -[float] -=== ca_properties +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file -Account metadata. 
+type: keyword +-- -*`cyberarkpas.audit.ca_properties.address`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`cyberarkpas.audit.ca_properties.cpm_disabled`*:: +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`cyberarkpas.audit.ca_properties.cpm_error_details`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`cyberarkpas.audit.ca_properties.cpm_status`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`cyberarkpas.audit.ca_properties.creation_method`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`cyberarkpas.audit.ca_properties.customer`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.database`*:: +*`rsa.web.reputation_num`*:: + -- -type: keyword +Reputation Number of an entity. 
Typically used for Web Domains + +type: double -- -*`cyberarkpas.audit.ca_properties.device_type`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`cyberarkpas.audit.ca_properties.dual_account_status`*:: +*`rsa.web.web_ref_query`*:: + -- +This key captures Web referer's query portion of the URL + type: keyword -- -*`cyberarkpas.audit.ca_properties.group_name`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.in_process`*:: +*`rsa.web.web_ref_page`*:: + -- +This key captures Web referer's page information + type: keyword -- -*`cyberarkpas.audit.ca_properties.index`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`cyberarkpas.audit.ca_properties.last_fail_date`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.last_success_change`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.last_success_reconciliation`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.last_success_verification`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.last_task`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.logon_domain`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.policy_id`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.port`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.privcloud`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.reset_immediately`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.retries_count`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.sequence_id`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat 
Category/Categorization of alert + type: keyword -- -*`cyberarkpas.audit.ca_properties.tags`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`cyberarkpas.audit.ca_properties.user_dn`*:: +*`rsa.threat.alert`*:: + -- +This key is used to capture name of the alert + type: keyword -- -*`cyberarkpas.audit.ca_properties.user_name`*:: +*`rsa.threat.threat_source`*:: + -- +This key is used to capture source of the threat + type: keyword -- -*`cyberarkpas.audit.ca_properties.virtual_username`*:: + +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`cyberarkpas.audit.ca_properties.other`*:: +*`rsa.crypto.cipher_src`*:: + -- -type: flattened +This key is for Source (Client) Cipher + +type: keyword -- -*`cyberarkpas.audit.category`*:: +*`rsa.crypto.cert_subject`*:: + -- -The category name (for category-related operations). +This key is used to capture the Certificate organization only type: keyword -- -*`cyberarkpas.audit.desc`*:: +*`rsa.crypto.peer`*:: + -- -A static value that displays a description of the audit codes. +This key is for Encryption peer's IP Address type: keyword -- -[float] -=== extra_details +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size -Specific extra details of the audit records. +type: long +-- -*`cyberarkpas.audit.extra_details.ad_process_id`*:: +*`rsa.crypto.ike`*:: + -- +IKE negotiation phase. 
+ type: keyword -- -*`cyberarkpas.audit.extra_details.ad_process_name`*:: +*`rsa.crypto.scheme`*:: + -- +This key captures the Encryption scheme used + type: keyword -- -*`cyberarkpas.audit.extra_details.application_type`*:: +*`rsa.crypto.peer_id`*:: + -- +This key is for Encryption peer’s identity + type: keyword -- -*`cyberarkpas.audit.extra_details.command`*:: +*`rsa.crypto.sig_type`*:: + -- +This key captures the Signature Type + type: keyword -- -*`cyberarkpas.audit.extra_details.connection_component_id`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`cyberarkpas.audit.extra_details.dst_host`*:: +*`rsa.crypto.cert_host_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.extra_details.logon_account`*:: +*`rsa.crypto.cert_error`*:: + -- +This key captures the Certificate Error String + type: keyword -- -*`cyberarkpas.audit.extra_details.managed_account`*:: +*`rsa.crypto.cipher_dst`*:: + -- +This key is for Destination (Server) Cipher + type: keyword -- -*`cyberarkpas.audit.extra_details.process_id`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -type: keyword +This key captures Destination (Server) Cipher Size + +type: long -- -*`cyberarkpas.audit.extra_details.process_name`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`cyberarkpas.audit.extra_details.protocol`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`cyberarkpas.audit.extra_details.psmid`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`cyberarkpas.audit.extra_details.session_duration`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`cyberarkpas.audit.extra_details.session_id`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`cyberarkpas.audit.extra_details.src_host`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`cyberarkpas.audit.extra_details.username`*:: 
+*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`cyberarkpas.audit.extra_details.other`*:: +*`rsa.crypto.cert_serial`*:: + -- -type: flattened +This key is used to capture the Certificate serial number only + +type: keyword -- -*`cyberarkpas.audit.file`*:: +*`rsa.crypto.cert_status`*:: + -- -The name of the target file. +This key captures Certificate validation status type: keyword -- -*`cyberarkpas.audit.gateway_station`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -The IP of the web application machine (PVWA). +Deprecated, use version -type: ip +type: keyword -- -*`cyberarkpas.audit.hostname`*:: +*`rsa.crypto.cert_keysize`*:: + -- -The hostname, in upper case. - type: keyword -example: MY-COMPUTER - -- -*`cyberarkpas.audit.iso_timestamp`*:: +*`rsa.crypto.cert_username`*:: + -- -The timestamp, in ISO Timestamp format (RFC 3339). +type: keyword -type: date +-- -example: 2013-06-25 10:47:19+00:00 +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword -- -*`cyberarkpas.audit.issuer`*:: +*`rsa.crypto.https_valid`*:: + -- -The Vault user who wrote the audit. This is usually the user who performed the operation. - type: keyword -- -*`cyberarkpas.audit.location`*:: +*`rsa.crypto.cert_ca`*:: + -- -The target Location (for Location operations). +This key is used to capture the Certificate signing authority only type: keyword -Field is not indexed. - -- -*`cyberarkpas.audit.message`*:: +*`rsa.crypto.cert_common`*:: + -- -A description of the audit records (same information as in the Desc field). +This key is used to capture the Certificate common name only type: keyword -- -*`cyberarkpas.audit.message_id`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -The code ID of the audit records. +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`cyberarkpas.audit.product`*:: +*`rsa.wireless.access_point`*:: + -- -A static value that represents the product. 
+This key is used to capture the access point name. type: keyword -- -*`cyberarkpas.audit.pvwa_details`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Specific details of the PVWA audit records. +This is used to capture the channel names -type: flattened +type: long -- -*`cyberarkpas.audit.raw`*:: +*`rsa.wireless.wlan_name`*:: + -- -Raw XML for the original audit record. Only present when XSLT file has debugging enabled. - +This key captures either WLAN number/name type: keyword -Field is not indexed. - -- -*`cyberarkpas.audit.reason`*:: + +*`rsa.storage.disk_volume`*:: + -- -The reason entered by the user. +A unique name assigned to logical units (volumes) within a physical disk -type: text +type: keyword -- -*`cyberarkpas.audit.rfc5424`*:: +*`rsa.storage.lun`*:: + -- -Whether the syslog format complies with RFC5424. - -type: boolean +Logical Unit Number.This key is a very useful concept in Storage. -example: True +type: keyword -- -*`cyberarkpas.audit.safe`*:: +*`rsa.storage.pwwn`*:: + -- -The name of the target Safe. +This uniquely identifies a port on a HBA. type: keyword -- -*`cyberarkpas.audit.severity`*:: + +*`rsa.physical.org_dst`*:: + -- -The severity of the audit records. +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`cyberarkpas.audit.source_user`*:: +*`rsa.physical.org_src`*:: + -- -The name of the Vault user who performed the operation. +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -- -*`cyberarkpas.audit.station`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: ip +type: keyword -- -*`cyberarkpas.audit.target_user`*:: +*`rsa.healthcare.patient_id`*:: + -- -The name of the Vault user on which the operation was performed. 
+This key captures the unique ID for a patient type: keyword -- -*`cyberarkpas.audit.timestamp`*:: +*`rsa.healthcare.patient_lname`*:: + -- -The timestamp, in MMM DD HH:MM:SS format. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: Jun 25 10:47:19 - -- -*`cyberarkpas.audit.vendor`*:: +*`rsa.healthcare.patient_mname`*:: + -- -A static value that represents the vendor. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`cyberarkpas.audit.version`*:: + +*`rsa.endpoint.host_state`*:: + -- -A static value that represents the version of the Vault. +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -[[exported-fields-cylance]] -== CylanceProtect fields - -cylance fields. +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key +type: keyword +-- -*`network.interface.name`*:: +*`rsa.endpoint.registry_value`*:: + -- -Name of the network interface where the traffic has been observed. - +This key captures values or decorators used within a registry entry type: keyword -- +[[exported-fields-docker-processor]] +== Docker fields +Docker stats collected from Docker. -*`rsa.internal.msg`*:: + + + +*`docker.container.id`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +type: alias -type: keyword +alias to: container.id -- -*`rsa.internal.messageid`*:: +*`docker.container.image`*:: + -- -type: keyword +type: alias + +alias to: container.image.name -- -*`rsa.internal.event_desc`*:: +*`docker.container.name`*:: + -- -type: keyword +type: alias + +alias to: container.name -- -*`rsa.internal.message`*:: +*`docker.container.labels`*:: + -- -This key captures the contents of instant messages +Image labels. 
-type: keyword + +type: object -- -*`rsa.internal.time`*:: +[[exported-fields-ecs]] +== ECS fields + + +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {es}. + +This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. +The goal of ECS is to enable and encourage users of {es} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. + +See the {ecs-ref}[ECS reference] for more information. + +*`@timestamp`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. type: date +example: 2016-05-23T08:05:34.853Z + +required: True + -- -*`rsa.internal.level`*:: +*`labels`*:: + -- -Deprecated key defined only in table map. +Custom key/value pairs. +Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. +Example: `docker` and `k8s` labels. -type: long +type: object + +example: {"application": "foo-bar", "env": "production"} -- -*`rsa.internal.msg_id`*:: +*`message`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +For log events the message field contains the log message, optimized for viewing in a log viewer. 
+For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. +If multiple messages exist, they can be combined into one message. -type: keyword +type: text + +example: Hello World -- -*`rsa.internal.msg_vid`*:: +*`tags`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of keywords used to tag each event. type: keyword --- +example: ["production", "env2"] -*`rsa.internal.data`*:: -+ -- -Deprecated key defined only in table map. -type: keyword +[float] +=== agent --- +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. -*`rsa.internal.obj_server`*:: + +*`agent.build.original`*:: + -- -Deprecated key defined only in table map. +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. type: keyword +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + -- -*`rsa.internal.obj_val`*:: +*`agent.ephemeral_id`*:: + -- -Deprecated key defined only in table map. +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. type: keyword +example: 8a4f500f + -- -*`rsa.internal.resource`*:: +*`agent.id`*:: + -- -Deprecated key defined only in table map. +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. 
type: keyword +example: 8a4f500d + -- -*`rsa.internal.obj_id`*:: +*`agent.name`*:: + -- -Deprecated key defined only in table map. +Custom name of the agent. +This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. +If no name is given, the name is often left empty. type: keyword +example: foo + -- -*`rsa.internal.statement`*:: +*`agent.type`*:: + -- -Deprecated key defined only in table map. +Type of the agent. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword +example: filebeat + -- -*`rsa.internal.audit_class`*:: +*`agent.version`*:: + -- -Deprecated key defined only in table map. +Version of the agent. type: keyword +example: 6.0.0-rc2 + -- -*`rsa.internal.entry`*:: +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: + -- -Deprecated key defined only in table map. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -type: keyword +type: long + +example: 15169 -- -*`rsa.internal.hcode`*:: +*`as.organization.name`*:: + -- -Deprecated key defined only in table map. +Organization name. type: keyword +example: Google LLC + -- -*`rsa.internal.inode`*:: +*`as.organization.name.text`*:: + -- -Deprecated key defined only in table map. 
- -type: long +type: text -- -*`rsa.internal.resource_class`*:: +[float] +=== client + +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + + +*`client.address`*:: + -- -Deprecated key defined only in table map. +Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -- -*`rsa.internal.dead`*:: +*`client.as.number`*:: + -- -Deprecated key defined only in table map. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. type: long +example: 15169 + -- -*`rsa.internal.feed_desc`*:: +*`client.as.organization.name`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Organization name. 
type: keyword +example: Google LLC + -- -*`rsa.internal.feed_name`*:: +*`client.as.organization.name.text`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: text -- -*`rsa.internal.cid`*:: +*`client.bytes`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Bytes sent from the client to the server. -type: keyword +type: long + +example: 184 + +format: bytes -- -*`rsa.internal.device_class`*:: +*`client.domain`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Client domain. type: keyword -- -*`rsa.internal.device_group`*:: +*`client.geo.city_name`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +City name. type: keyword +example: Montreal + -- -*`rsa.internal.device_host`*:: +*`client.geo.continent_code`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Two-letter code representing continent's name. type: keyword +example: NA + -- -*`rsa.internal.device_ip`*:: +*`client.geo.continent_name`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Name of the continent. 
-type: ip +type: keyword + +example: North America -- -*`rsa.internal.device_ipv6`*:: +*`client.geo.country_iso_code`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Country ISO code. -type: ip +type: keyword + +example: CA -- -*`rsa.internal.device_type`*:: +*`client.geo.country_name`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Country name. type: keyword +example: Canada + -- -*`rsa.internal.device_type_id`*:: +*`client.geo.location`*:: + -- -Deprecated key defined only in table map. +Longitude and latitude. -type: long +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.internal.did`*:: +*`client.geo.name`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +example: boston-dc -- -*`rsa.internal.entropy_res`*:: +*`client.geo.postal_code`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. 
-type: long +type: keyword + +example: 94040 -- -*`rsa.internal.event_name`*:: +*`client.geo.region_iso_code`*:: + -- -Deprecated key defined only in table map. +Region ISO code. type: keyword +example: CA-QC + -- -*`rsa.internal.feed_category`*:: +*`client.geo.region_name`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Region name. type: keyword +example: Quebec + -- -*`rsa.internal.forward_ip`*:: +*`client.geo.timezone`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. +The time zone of the location, such as IANA time zone name. -type: ip +type: keyword + +example: America/Argentina/Buenos_Aires -- -*`rsa.internal.forward_ipv6`*:: +*`client.ip`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +IP address of the client (IPv4 or IPv6). type: ip -- -*`rsa.internal.header_id`*:: +*`client.mac`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +MAC address of the client. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword +example: 00-00-5E-00-53-23 + -- -*`rsa.internal.lc_cid`*:: +*`client.nat.ip`*:: + -- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. -type: keyword +type: ip -- -*`rsa.internal.lc_ctime`*:: +*`client.nat.port`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. -type: date +type: long + +format: string -- -*`rsa.internal.mcb_req`*:: +*`client.packets`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +Packets sent from the client to the server. type: long +example: 12 + -- -*`rsa.internal.mcb_res`*:: +*`client.port`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +Port of the client. type: long +format: string + -- -*`rsa.internal.mcbc_req`*:: +*`client.registered_domain`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +The highest registered client domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
-type: long +type: keyword + +example: example.com -- -*`rsa.internal.mcbc_res`*:: +*`client.subdomain`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. -type: long +type: keyword + +example: east -- -*`rsa.internal.medium`*:: +*`client.top_level_domain`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". -type: long +type: keyword + +example: co.uk -- -*`rsa.internal.node_name`*:: +*`client.user.domain`*:: + -- -Deprecated key defined only in table map. +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`client.user.email`*:: + -- -This key denotes that event is endpoint related +User email address. 
type: keyword -- -*`rsa.internal.parse_error`*:: +*`client.user.full_name`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +User's full name, if available. type: keyword +example: Albert Einstein + -- -*`rsa.internal.payload_req`*:: +*`client.user.full_name.text`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: text -- -*`rsa.internal.payload_res`*:: +*`client.user.group.domain`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`client.user.group.id`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +Unique identifier for the group on the system/platform. type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`client.user.group.name`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +Name of the group. type: keyword -- -*`rsa.internal.rid`*:: +*`client.user.hash`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
-type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`client.user.id`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Unique identifier of the user. type: keyword -- -*`rsa.internal.site`*:: +*`client.user.name`*:: + -- -Deprecated key defined only in table map. +Short name or login of the user. type: keyword +example: albert + -- -*`rsa.internal.size`*:: +*`client.user.name.text`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: text -- -*`rsa.internal.sourcefile`*:: +*`client.user.roles`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Array of user roles at the time of the event. type: keyword --- +example: ["kibana_admin", "reporting_user"] -*`rsa.internal.ubc_req`*:: -+ -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: long +[float] +=== cloud --- +Fields related to the cloud or infrastructure the events are coming from. -*`rsa.internal.ubc_res`*:: + +*`cloud.account.id`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
-type: long +type: keyword + +example: 666777888999 -- -*`rsa.internal.word`*:: +*`cloud.account.name`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. type: keyword --- +example: elastic-dev +-- -*`rsa.time.event_time`*:: +*`cloud.availability_zone`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +Availability zone in which this host, resource, or service is located. -type: date +type: keyword + +example: us-east-1c -- -*`rsa.time.duration_time`*:: +*`cloud.instance.id`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. +Instance ID of the host machine. -type: double +type: keyword + +example: i-1234567890abcdef0 -- -*`rsa.time.event_time_str`*:: +*`cloud.instance.name`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +Instance name of the host machine. type: keyword -- -*`rsa.time.starttime`*:: +*`cloud.machine.type`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form +Machine type of the host machine. -type: date +type: keyword + +example: t2.medium -- -*`rsa.time.month`*:: +*`cloud.project.id`*:: + -- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + type: keyword +example: my-project + -- -*`rsa.time.day`*:: +*`cloud.project.name`*:: + -- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + type: keyword +example: my project + -- -*`rsa.time.endtime`*:: +*`cloud.provider`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
-type: date +type: keyword + +example: aws -- -*`rsa.time.timezone`*:: +*`cloud.region`*:: + -- -This key is used to capture the timezone of the Event Time +Region in which this host, resource, or service is located. type: keyword +example: us-east-1 + -- -*`rsa.time.duration_str`*:: +*`cloud.service.name`*:: + -- -A text string version of the duration +The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. +Examples: app engine, app service, cloud run, fargate, lambda. type: keyword --- +example: lambda -*`rsa.time.date`*:: -+ -- -type: keyword --- +[float] +=== code_signature -*`rsa.time.year`*:: -+ --- -type: keyword +These fields contain information about binary code signatures. --- -*`rsa.time.recorded_time`*:: +*`code_signature.exists`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. +Boolean to capture if a signature is present. -type: date +type: boolean + +example: true -- -*`rsa.time.datetime`*:: +*`code_signature.signing_id`*:: + -- +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + type: keyword +example: com.apple.xpc.proxy + -- -*`rsa.time.effective_time`*:: +*`code_signature.status`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
-type: date +type: keyword + +example: ERROR_UNTRUSTED_ROOT -- -*`rsa.time.expire_time`*:: +*`code_signature.subject_name`*:: + -- -This key is the timestamp that explicitly refers to an expiration. +Subject name of the code signer -type: date +type: keyword + +example: Microsoft Corporation -- -*`rsa.time.process_time`*:: +*`code_signature.team_id`*:: + -- -Deprecated, use duration.time +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. type: keyword +example: EQHXZ8M8AV + -- -*`rsa.time.hour`*:: +*`code_signature.trusted`*:: + -- -type: keyword +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. --- +type: boolean -*`rsa.time.min`*:: -+ --- -type: keyword +example: true -- -*`rsa.time.timestamp`*:: +*`code_signature.valid`*:: + -- -type: keyword +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. --- +type: boolean + +example: true -*`rsa.time.event_queue_time`*:: -+ -- -This key is the Time that the event was queued. -type: date +[float] +=== container --- +Container fields are used for meta information about the specific container that is the source of information. +These fields help correlate data based containers from any runtime. -*`rsa.time.p_time1`*:: + +*`container.id`*:: + -- +Unique container id. + type: keyword -- -*`rsa.time.tzone`*:: +*`container.image.name`*:: + -- +Name of the image the container was built on. + type: keyword -- -*`rsa.time.eventtime`*:: +*`container.image.tag`*:: + -- +Container image tags. + type: keyword -- -*`rsa.time.gmtdate`*:: +*`container.labels`*:: + -- -type: keyword +Image labels. + +type: object -- -*`rsa.time.gmttime`*:: +*`container.name`*:: + -- +Container name. 
+ type: keyword -- -*`rsa.time.p_date`*:: +*`container.runtime`*:: + -- +Runtime managing this container. + type: keyword --- +example: docker -*`rsa.time.p_month`*:: -+ -- -type: keyword --- +[float] +=== data_stream -*`rsa.time.p_time`*:: -+ --- -type: keyword +The data_stream fields take part in defining the new data stream naming scheme. +In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. +An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. --- -*`rsa.time.p_time2`*:: +*`data_stream.dataset`*:: + -- -type: keyword +The field can contain anything that makes sense to signify the source of the data. +Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. 
+Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: + * Must not contain `-` + * No longer than 100 characters --- +type: constant_keyword -*`rsa.time.p_year`*:: -+ --- -type: keyword +example: nginx.access -- -*`rsa.time.expire_time_str`*:: +*`data_stream.namespace`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. +A user defined namespace. Namespaces are useful to allow grouping of data. +Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. +Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: + * Must not contain `-` + * No longer than 100 characters -type: keyword +type: constant_keyword + +example: production -- -*`rsa.time.stamp`*:: +*`data_stream.type`*:: + -- -Deprecated key defined only in table map. +An overarching type for the data stream. +Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. -type: date +type: constant_keyword + +example: logs -- +[float] +=== destination + +Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. 
+ -*`rsa.misc.action`*:: +*`destination.address`*:: + -- +Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + type: keyword -- -*`rsa.misc.result`*:: +*`destination.as.number`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -type: keyword +type: long + +example: 15169 -- -*`rsa.misc.severity`*:: +*`destination.as.organization.name`*:: + -- -This key is used to capture the severity given the session +Organization name. type: keyword +example: Google LLC + -- -*`rsa.misc.event_type`*:: +*`destination.as.organization.name.text`*:: + -- -This key captures the event category type as specified by the event source. - -type: keyword +type: text -- -*`rsa.misc.reference_id`*:: +*`destination.bytes`*:: + -- -This key is used to capture an event id from the session directly +Bytes sent from the destination to the source. -type: keyword +type: long + +example: 184 + +format: bytes -- -*`rsa.misc.version`*:: +*`destination.domain`*:: + -- -This key captures Version of the application or OS which is generating the event. +Destination domain. type: keyword -- -*`rsa.misc.disposition`*:: +*`destination.geo.city_name`*:: + -- -This key captures the The end state of an action. +City name. type: keyword +example: Montreal + -- -*`rsa.misc.result_code`*:: +*`destination.geo.continent_code`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session +Two-letter code representing continent's name. 
type: keyword +example: NA + -- -*`rsa.misc.category`*:: +*`destination.geo.continent_name`*:: + -- -This key is used to capture the category of an event given by the vendor in the session +Name of the continent. type: keyword +example: North America + -- -*`rsa.misc.obj_name`*:: +*`destination.geo.country_iso_code`*:: + -- -This is used to capture name of object +Country ISO code. type: keyword +example: CA + -- -*`rsa.misc.obj_type`*:: +*`destination.geo.country_name`*:: + -- -This is used to capture type of object +Country name. type: keyword +example: Canada + -- -*`rsa.misc.event_source`*:: +*`destination.geo.location`*:: + -- -This key captures Source of the event that’s not a hostname +Longitude and latitude. -type: keyword +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.misc.log_session_id`*:: +*`destination.geo.name`*:: + -- -This key is used to capture a sessionid from the session directly +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword +example: boston-dc + -- -*`rsa.misc.group`*:: +*`destination.geo.postal_code`*:: + -- -This key captures the Group Name value +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. type: keyword +example: 94040 + -- -*`rsa.misc.policy_name`*:: +*`destination.geo.region_iso_code`*:: + -- -This key is used to capture the Policy Name only. +Region ISO code. type: keyword +example: CA-QC + -- -*`rsa.misc.rule_name`*:: +*`destination.geo.region_name`*:: + -- -This key captures the Rule Name +Region name. type: keyword +example: Quebec + -- -*`rsa.misc.context`*:: +*`destination.geo.timezone`*:: + -- -This key captures Information which adds additional context to the event. 
+The time zone of the location, such as IANA time zone name. type: keyword +example: America/Argentina/Buenos_Aires + -- -*`rsa.misc.change_new`*:: +*`destination.ip`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session +IP address of the destination (IPv4 or IPv6). -type: keyword +type: ip -- -*`rsa.misc.space`*:: +*`destination.mac`*:: + -- +MAC address of the destination. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + type: keyword +example: 00-00-5E-00-53-23 + -- -*`rsa.misc.client`*:: +*`destination.nat.ip`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. -type: keyword +type: ip -- -*`rsa.misc.msgIdPart1`*:: +*`destination.nat.port`*:: + -- -type: keyword +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string -- -*`rsa.misc.msgIdPart2`*:: +*`destination.packets`*:: + -- -type: keyword +Packets sent from the destination to the source. + +type: long + +example: 12 -- -*`rsa.misc.change_old`*:: +*`destination.port`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session +Port of the destination. -type: keyword +type: long + +format: string -- -*`rsa.misc.operation_id`*:: +*`destination.registered_domain`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. +The highest registered destination domain, stripped of the subdomain. 
+For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword +example: example.com + -- -*`rsa.misc.event_state`*:: +*`destination.subdomain`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. type: keyword +example: east + -- -*`rsa.misc.group_object`*:: +*`destination.top_level_domain`*:: + -- -This key captures a collection/grouping of entities. Specific usage +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword +example: co.uk + -- -*`rsa.misc.node`*:: +*`destination.user.domain`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. 
type: keyword -- -*`rsa.misc.rule`*:: +*`destination.user.email`*:: + -- -This key captures the Rule number +User email address. type: keyword -- -*`rsa.misc.device_name`*:: +*`destination.user.full_name`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc +User's full name, if available. type: keyword +example: Albert Einstein + -- -*`rsa.misc.param`*:: +*`destination.user.full_name.text`*:: + -- -This key is the parameters passed as part of a command or application, etc. - -type: keyword +type: text -- -*`rsa.misc.change_attrib`*:: +*`destination.user.group.domain`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`rsa.misc.event_computer`*:: +*`destination.user.group.id`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +Unique identifier for the group on the system/platform. type: keyword -- -*`rsa.misc.reference_id1`*:: +*`destination.user.group.name`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +Name of the group. type: keyword -- -*`rsa.misc.event_log`*:: +*`destination.user.hash`*:: + -- -This key captures the Name of the event log +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -- -*`rsa.misc.OS`*:: +*`destination.user.id`*:: + -- -This key captures the Name of the Operating System +Unique identifier of the user. type: keyword -- -*`rsa.misc.terminal`*:: +*`destination.user.name`*:: + -- -This key captures the Terminal Names only +Short name or login of the user. 
type: keyword +example: albert + -- -*`rsa.misc.msgIdPart3`*:: +*`destination.user.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.filter`*:: +*`destination.user.roles`*:: + -- -This key captures Filter used to reduce result set +Array of user roles at the time of the event. type: keyword --- +example: ["kibana_admin", "reporting_user"] -*`rsa.misc.serial_number`*:: -+ -- -This key is the Serial number associated with a physical asset. -type: keyword +[float] +=== dll --- +These fields contain information about code libraries dynamically loaded into processes. -*`rsa.misc.checksum`*:: +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. +Boolean to capture if a signature is present. -type: keyword +type: boolean + +example: true -- -*`rsa.misc.event_user`*:: +*`dll.code_signature.signing_id`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword +example: com.apple.xpc.proxy + -- -*`rsa.misc.virusname`*:: +*`dll.code_signature.status`*:: + -- -This key captures the name of the virus +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. 
Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.misc.content_type`*:: +*`dll.code_signature.subject_name`*:: + -- -This key is used to capture Content Type only. +Subject name of the code signer type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.group_id`*:: +*`dll.code_signature.team_id`*:: + -- -This key captures Group ID Number (related to the group name) +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. type: keyword +example: EQHXZ8M8AV + -- -*`rsa.misc.policy_id`*:: +*`dll.code_signature.trusted`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean + +example: true -- -*`rsa.misc.vsys`*:: +*`dll.code_signature.valid`*:: + -- -This key captures Virtual System Name +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: keyword +type: boolean + +example: true -- -*`rsa.misc.connection_id`*:: +*`dll.hash.md5`*:: + -- -This key captures the Connection ID +MD5 hash. type: keyword -- -*`rsa.misc.reference_id2`*:: +*`dll.hash.sha1`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. +SHA1 hash. type: keyword -- -*`rsa.misc.sensor`*:: +*`dll.hash.sha256`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices +SHA256 hash. 
type: keyword -- -*`rsa.misc.sig_id`*:: +*`dll.hash.sha512`*:: + -- -This key captures IDS/IPS Int Signature ID +SHA512 hash. -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`dll.hash.ssdeep`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). +SSDEEP hash. type: keyword -- -*`rsa.misc.rule_group`*:: +*`dll.name`*:: + -- -This key captures the Rule group name +Name of the library. +This generally maps to the name of the file on disk. type: keyword +example: kernel32.dll + -- -*`rsa.misc.risk_num`*:: +*`dll.path`*:: + -- -This key captures a Numeric Risk value +Full file path of the library. -type: double +type: keyword + +example: C:\Windows\System32\kernel32.dll -- -*`rsa.misc.trigger_val`*:: +*`dll.pe.architecture`*:: + -- -This key captures the Value of the trigger or threshold condition. +CPU architecture target for the file. type: keyword +example: x64 + -- -*`rsa.misc.log_session_id1`*:: +*`dll.pe.company`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +Internal company name of the file, provided at compile-time. type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.comp_version`*:: +*`dll.pe.description`*:: + -- -This key captures the Version level of a sub-component of a product. +Internal description of the file, provided at compile-time. type: keyword +example: Paint + -- -*`rsa.misc.content_version`*:: +*`dll.pe.file_version`*:: + -- -This key captures Version level of a signature or database content. +Internal version of the file, provided at compile-time. type: keyword +example: 6.3.9600.17415 + -- -*`rsa.misc.hardware_id`*:: +*`dll.pe.imphash`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`rsa.misc.risk`*:: +*`dll.pe.original_file_name`*:: + -- -This key captures the non-numeric risk value +Internal name of the file, provided at compile-time. type: keyword +example: MSPAINT.EXE + -- -*`rsa.misc.event_id`*:: +*`dll.pe.product`*:: + -- +Internal product name of the file, provided at compile-time. + type: keyword --- +example: Microsoft® Windows® Operating System -*`rsa.misc.reason`*:: -+ -- -type: keyword --- +[float] +=== dns -*`rsa.misc.status`*:: -+ --- -type: keyword +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). --- -*`rsa.misc.mail_id`*:: +*`dns.answers`*:: + -- -This key is used to capture the mailbox id/name +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. -type: keyword +type: object -- -*`rsa.misc.rule_uid`*:: +*`dns.answers.class`*:: + -- -This key is the Unique Identifier for a rule. +The class of DNS data contained in this resource record. 
type: keyword +example: IN + -- -*`rsa.misc.trigger_desc`*:: +*`dns.answers.data`*:: + -- -This key captures the Description of the trigger or threshold condition. +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. type: keyword +example: 10.10.10.10 + -- -*`rsa.misc.inout`*:: +*`dns.answers.name`*:: + -- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + type: keyword +example: www.example.com + -- -*`rsa.misc.p_msgid`*:: +*`dns.answers.ttl`*:: + -- -type: keyword +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. --- +type: long -*`rsa.misc.data_type`*:: -+ --- -type: keyword +example: 180 -- -*`rsa.misc.msgIdPart4`*:: +*`dns.answers.type`*:: + -- +The type of data contained in this resource record. + type: keyword +example: CNAME + -- -*`rsa.misc.error`*:: +*`dns.header_flags`*:: + -- -This key captures All non successful Error codes or responses +Array of 2 letter DNS header flags. +Expected values are: AA, TC, RD, RA, AD, CD, DO. type: keyword +example: ["RD", "RA"] + -- -*`rsa.misc.index`*:: +*`dns.id`*:: + -- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + type: keyword +example: 62111 + -- -*`rsa.misc.listnum`*:: +*`dns.op_code`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. type: keyword +example: QUERY + -- -*`rsa.misc.ntype`*:: +*`dns.question.class`*:: + -- +The class of records being queried. 
+ type: keyword +example: IN + -- -*`rsa.misc.observed_val`*:: +*`dns.question.name`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. type: keyword +example: www.example.com + -- -*`rsa.misc.policy_value`*:: +*`dns.question.registered_domain`*:: + -- -This key captures the contents of the policy. This contains details about the policy +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword +example: example.com + -- -*`rsa.misc.pool_name`*:: +*`dns.question.subdomain`*:: + -- -This key captures the name of a resource pool +The subdomain is all of the labels under the registered_domain. +If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. type: keyword +example: www + -- -*`rsa.misc.rule_template`*:: +*`dns.question.top_level_domain`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword +example: co.uk + -- -*`rsa.misc.count`*:: +*`dns.question.type`*:: + -- +The type of record being queried. + type: keyword +example: AAAA + -- -*`rsa.misc.number`*:: +*`dns.resolved_ip`*:: + -- -type: keyword +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + +type: ip + +example: ["10.10.10.10", "10.10.10.11"] -- -*`rsa.misc.sigcat`*:: +*`dns.response_code`*:: + -- +The DNS response code. + type: keyword +example: NOERROR + -- -*`rsa.misc.type`*:: +*`dns.type`*:: + -- +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + type: keyword +example: answer + -- -*`rsa.misc.comments`*:: +[float] +=== ecs + +Meta-information specific to ECS. + + +*`ecs.version`*:: + -- -Comment information provided in the log message +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. type: keyword +example: 1.0.0 + +required: True + -- -*`rsa.misc.doc_number`*:: +[float] +=== elf + +These fields contain Linux Executable Linkable Format (ELF) metadata. 
+ + +*`elf.architecture`*:: + -- -This key captures File Identification number +Machine architecture of the ELF file. -type: long +type: keyword + +example: x86-64 -- -*`rsa.misc.expected_val`*:: +*`elf.byte_order`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). +Byte sequence of ELF file. type: keyword +example: Little Endian + -- -*`rsa.misc.job_num`*:: +*`elf.cpu_type`*:: + -- -This key captures the Job Number +CPU type of the ELF file. type: keyword +example: Intel + -- -*`rsa.misc.spi_dst`*:: +*`elf.creation_date`*:: + -- -Destination SPI Index +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. -type: keyword +type: date -- -*`rsa.misc.spi_src`*:: +*`elf.exports`*:: + -- -Source SPI Index +List of exported element names and types. -type: keyword +type: flattened -- -*`rsa.misc.code`*:: +*`elf.header.abi_version`*:: + -- +Version of the ELF Application Binary Interface (ABI). + type: keyword -- -*`rsa.misc.agent_id`*:: +*`elf.header.class`*:: + -- -This key is used to capture agent id +Header class of the ELF file. type: keyword -- -*`rsa.misc.message_body`*:: +*`elf.header.data`*:: + -- -This key captures the The contents of the message body. +Data table of the ELF header. type: keyword -- -*`rsa.misc.phone`*:: +*`elf.header.entrypoint`*:: + -- -type: keyword +Header entrypoint of the ELF file. + +type: long + +format: string -- -*`rsa.misc.sig_id_str`*:: +*`elf.header.object_version`*:: + -- -This key captures a string object of the sigid variable. +"0x1" for original ELF files. type: keyword -- -*`rsa.misc.cmd`*:: +*`elf.header.os_abi`*:: + -- +Application Binary Interface (ABI) of the Linux OS. + type: keyword -- -*`rsa.misc.misc`*:: +*`elf.header.type`*:: + -- +Header type of the ELF file. + type: keyword -- -*`rsa.misc.name`*:: +*`elf.header.version`*:: + -- +Version of the ELF header. 
+ type: keyword -- -*`rsa.misc.cpu`*:: +*`elf.imports`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +List of imported element names and types. -type: long +type: flattened -- -*`rsa.misc.event_desc`*:: +*`elf.sections`*:: + -- -This key is used to capture a description of an event available directly or inferred +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. -type: keyword +type: nested -- -*`rsa.misc.sig_id1`*:: +*`elf.sections.chi2`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +Chi-square probability distribution of the section. type: long +format: number + -- -*`rsa.misc.im_buddyid`*:: +*`elf.sections.entropy`*:: + -- -type: keyword +Shannon entropy calculation from the section. + +type: long + +format: number -- -*`rsa.misc.im_client`*:: +*`elf.sections.flags`*:: + -- +ELF Section List flags. + type: keyword -- -*`rsa.misc.im_userid`*:: +*`elf.sections.name`*:: + -- +ELF Section List name. + type: keyword -- -*`rsa.misc.pid`*:: +*`elf.sections.physical_offset`*:: + -- +ELF Section List offset. + type: keyword -- -*`rsa.misc.priority`*:: +*`elf.sections.physical_size`*:: + -- -type: keyword +ELF Section List physical size. + +type: long + +format: bytes -- -*`rsa.misc.context_subject`*:: +*`elf.sections.type`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +ELF Section List type. type: keyword -- -*`rsa.misc.context_target`*:: +*`elf.sections.virtual_address`*:: + -- -type: keyword +ELF Section List virtual address. + +type: long + +format: string -- -*`rsa.misc.cve`*:: +*`elf.sections.virtual_size`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +ELF Section List virtual size. 
-type: keyword +type: long + +format: string -- -*`rsa.misc.fcatnum`*:: +*`elf.segments`*:: + -- -This key captures Filter Category Number. Legacy Usage +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. -type: keyword +type: nested -- -*`rsa.misc.library`*:: +*`elf.segments.sections`*:: + -- -This key is used to capture library information in mainframe devices +ELF object segment sections. type: keyword -- -*`rsa.misc.parent_node`*:: +*`elf.segments.type`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. +ELF object segment type. type: keyword -- -*`rsa.misc.risk_info`*:: +*`elf.shared_libraries`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +List of shared libraries used by this ELF object. type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`elf.telfhash`*:: + -- -This key is captures the TCP flags set in any packet of session +telfhash symbol hash for ELF file. -type: long +type: keyword -- -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service +[float] +=== error -type: long +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. --- -*`rsa.misc.vm_target`*:: +*`error.code`*:: + -- -VMWare Target **VMWARE** only varaible. +Error code describing the error. type: keyword -- -*`rsa.misc.workspace`*:: +*`error.id`*:: + -- -This key captures Workspace Description +Unique identifier for the error. type: keyword -- -*`rsa.misc.command`*:: +*`error.message`*:: + -- -type: keyword +Error message. + +type: text -- -*`rsa.misc.event_category`*:: +*`error.stack_trace`*:: + -- +The stack trace of this error in plain text. + type: keyword +Field is not indexed. 
+ -- -*`rsa.misc.facilityname`*:: +*`error.stack_trace.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.forensic_info`*:: +*`error.type`*:: + -- +The type of the error, for example the class name of the exception. + type: keyword --- +example: java.lang.NullPointerException -*`rsa.misc.jobname`*:: -+ -- -type: keyword --- +[float] +=== event -*`rsa.misc.mode`*:: +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. + + +*`event.action`*:: + -- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + type: keyword +example: user-password-change + -- -*`rsa.misc.policy`*:: +*`event.agent_id_status`*:: + -- +Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. +For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. 
If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. +If no validation is performed then the field should be omitted. +The allowed values are: +`verified` - The `agent.id` field value matches expected value obtained from auth metadata. +`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. +`missing` - There was no `agent.id` field in the event to validate. +`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. + type: keyword +example: verified + -- -*`rsa.misc.policy_waiver`*:: +*`event.category`*:: + -- +This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. +`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. +This field is an array. This will allow proper categorization of some events that fall in multiple categories. + type: keyword +example: authentication + -- -*`rsa.misc.second`*:: +*`event.code`*:: + -- +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + type: keyword +example: 4648 + -- -*`rsa.misc.space1`*:: +*`event.created`*:: + -- -type: keyword +event.created contains the date/time when the event was first read by an agent, or by your pipeline. +This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. +In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. +In case the two timestamps are identical, @timestamp should be used. + +type: date + +example: 2016-05-23T08:05:34.857Z -- -*`rsa.misc.subcategory`*:: +*`event.dataset`*:: + -- +Name of the dataset. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + type: keyword +example: apache.access + -- -*`rsa.misc.tbdstr2`*:: +*`event.duration`*:: + -- -type: keyword +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. + +type: long + +format: duration -- -*`rsa.misc.alert_id`*:: +*`event.end`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +event.end contains the date when the event ended or when the activity was last observed. -type: keyword +type: date -- -*`rsa.misc.checksum_dst`*:: +*`event.hash`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword +example: 123456789012345678901234567890ABCD + -- -*`rsa.misc.checksum_src`*:: +*`event.id`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. +Unique ID to describe the event. type: keyword +example: 8a4f500d + -- -*`rsa.misc.fresult`*:: +*`event.ingested`*:: + -- -This key captures the Filter Result +Timestamp when an event arrived in the central data store. 
+This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. +In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. -type: long +type: date + +example: 2016-05-23T08:05:35.101Z -- -*`rsa.misc.payload_dst`*:: +*`event.kind`*:: + -- -This key is used to capture destination payload +This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. +`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. +The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. type: keyword +example: alert + -- -*`rsa.misc.payload_src`*:: +*`event.module`*:: + -- -This key is used to capture source payload +Name of the module this data is coming from. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword +example: apache + -- -*`rsa.misc.pool_id`*:: +*`event.original`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool +Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. type: keyword +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + +Field is not indexed. + -- -*`rsa.misc.process_id_val`*:: +*`event.outcome`*:: + -- -This key is a failure key for Process ID when it is not an integer value +This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword +example: success + -- -*`rsa.misc.risk_num_comm`*:: +*`event.provider`*:: + -- -This key captures Risk Number Community +Source of the event. +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). -type: double +type: keyword + +example: kernel -- -*`rsa.misc.risk_num_next`*:: +*`event.reason`*:: + -- -This key captures Risk Number NextGen +Reason why this event happened, according to the source. 
+This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). -type: double +type: keyword + +example: Terminated an unexpected process -- -*`rsa.misc.risk_num_sand`*:: +*`event.reference`*:: + -- -This key captures Risk Number SandBox +Reference URL linking to additional information about this event. +This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. -type: double +type: keyword + +example: https://system.example.com/event/#0001234 -- -*`rsa.misc.risk_num_static`*:: +*`event.risk_score`*:: + -- -This key captures Risk Number Static +Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -type: double +type: float -- -*`rsa.misc.risk_suspicious`*:: +*`event.risk_score_norm`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +Normalized risk score or priority of the event, on a scale of 0 to 100. +This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. -type: keyword +type: float -- -*`rsa.misc.risk_warning`*:: +*`event.sequence`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. -type: keyword +type: long + +format: string -- -*`rsa.misc.snmp_oid`*:: +*`event.severity`*:: + -- -SNMP Object Identifier +The numeric severity of the event according to your event source. 
+What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. +The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. -type: keyword +type: long + +example: 7 + +format: string -- -*`rsa.misc.sql`*:: +*`event.start`*:: + -- -This key captures the SQL query +event.start contains the date when the event started or when the activity was first observed. -type: keyword +type: date -- -*`rsa.misc.vuln_ref`*:: +*`event.timezone`*:: + -- -This key captures the Vulnerability Reference details +This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. +Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). type: keyword -- -*`rsa.misc.acl_id`*:: +*`event.type`*:: + -- +This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. +`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. +This field is an array. This will allow proper categorization of some events that fall in multiple event types. + type: keyword -- -*`rsa.misc.acl_op`*:: +*`event.url`*:: + -- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. 
+ type: keyword +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + -- -*`rsa.misc.acl_pos`*:: +[float] +=== file + +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + + +*`file.accessed`*:: + -- -type: keyword +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date -- -*`rsa.misc.acl_table`*:: +*`file.attributes`*:: + -- +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + type: keyword +example: ["readonly", "system"] + -- -*`rsa.misc.admin`*:: +*`file.code_signature.exists`*:: + -- -type: keyword +Boolean to capture if a signature is present. + +type: boolean + +example: true -- -*`rsa.misc.alarm_id`*:: +*`file.code_signature.signing_id`*:: + -- +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + type: keyword +example: com.apple.xpc.proxy + -- -*`rsa.misc.alarmname`*:: +*`file.code_signature.status`*:: + -- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
+ type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.misc.app_id`*:: +*`file.code_signature.subject_name`*:: + -- +Subject name of the code signer + type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.audit`*:: +*`file.code_signature.team_id`*:: + -- +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + type: keyword +example: EQHXZ8M8AV + -- -*`rsa.misc.audit_object`*:: +*`file.code_signature.trusted`*:: + -- -type: keyword +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true -- -*`rsa.misc.auditdata`*:: +*`file.code_signature.valid`*:: + -- -type: keyword +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true -- -*`rsa.misc.benchmark`*:: +*`file.created`*:: + -- -type: keyword +File creation time. +Note that not all filesystems store the creation time. + +type: date -- -*`rsa.misc.bypass`*:: +*`file.ctime`*:: + -- -type: keyword +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date -- -*`rsa.misc.cache`*:: +*`file.device`*:: + -- +Device that is the source of the file. + type: keyword +example: sda + -- -*`rsa.misc.cache_hit`*:: +*`file.directory`*:: + -- +Directory where the file is located. It should include the drive letter, when appropriate. + type: keyword +example: /home/alice + -- -*`rsa.misc.cefversion`*:: +*`file.drive_letter`*:: + -- +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. 
+ type: keyword +example: C + -- -*`rsa.misc.cfg_attr`*:: +*`file.elf.architecture`*:: + -- +Machine architecture of the ELF file. + type: keyword +example: x86-64 + -- -*`rsa.misc.cfg_obj`*:: +*`file.elf.byte_order`*:: + -- +Byte sequence of ELF file. + type: keyword +example: Little Endian + -- -*`rsa.misc.cfg_path`*:: +*`file.elf.cpu_type`*:: + -- +CPU type of the ELF file. + type: keyword +example: Intel + -- -*`rsa.misc.changes`*:: +*`file.elf.creation_date`*:: + -- -type: keyword +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + +type: date -- -*`rsa.misc.client_ip`*:: +*`file.elf.exports`*:: + -- -type: keyword +List of exported element names and types. + +type: flattened -- -*`rsa.misc.clustermembers`*:: +*`file.elf.header.abi_version`*:: + -- +Version of the ELF Application Binary Interface (ABI). + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`file.elf.header.class`*:: + -- +Header class of the ELF file. + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`file.elf.header.data`*:: + -- +Data table of the ELF header. + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`file.elf.header.entrypoint`*:: + -- -type: keyword +Header entrypoint of the ELF file. + +type: long + +format: string -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`file.elf.header.object_version`*:: + -- +"0x1" for original ELF files. + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`file.elf.header.os_abi`*:: + -- +Application Binary Interface (ABI) of the Linux OS. + type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`file.elf.header.type`*:: + -- +Header type of the ELF file. + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`file.elf.header.version`*:: + -- +Version of the ELF header. + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`file.elf.imports`*:: + -- -type: keyword +List of imported element names and types. 
+ +type: flattened -- -*`rsa.misc.cn_f_switch`*:: +*`file.elf.sections`*:: + -- -type: keyword +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + +type: nested -- -*`rsa.misc.cn_flowsampid`*:: +*`file.elf.sections.chi2`*:: + -- -type: keyword +Chi-square probability distribution of the section. + +type: long + +format: number -- -*`rsa.misc.cn_flowsampintv`*:: +*`file.elf.sections.entropy`*:: + -- -type: keyword +Shannon entropy calculation from the section. + +type: long + +format: number -- -*`rsa.misc.cn_flowsampmode`*:: +*`file.elf.sections.flags`*:: + -- +ELF Section List flags. + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`file.elf.sections.name`*:: + -- +ELF Section List name. + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`file.elf.sections.physical_offset`*:: + -- +ELF Section List offset. + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`file.elf.sections.physical_size`*:: + -- -type: keyword +ELF Section List physical size. + +type: long + +format: bytes -- -*`rsa.misc.cn_invalid`*:: +*`file.elf.sections.type`*:: + -- +ELF Section List type. + type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`file.elf.sections.virtual_address`*:: + -- -type: keyword +ELF Section List virtual address. + +type: long + +format: string -- -*`rsa.misc.cn_ipv4_ident`*:: +*`file.elf.sections.virtual_size`*:: + -- -type: keyword +ELF Section List virtual size. + +type: long + +format: string -- -*`rsa.misc.cn_l_switch`*:: +*`file.elf.segments`*:: + -- -type: keyword +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. + +type: nested -- -*`rsa.misc.cn_log_did`*:: +*`file.elf.segments.sections`*:: + -- +ELF object segment sections. 
+ type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`file.elf.segments.type`*:: + -- +ELF object segment type. + type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`file.elf.shared_libraries`*:: + -- +List of shared libraries used by this ELF object. + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`file.elf.telfhash`*:: + -- +telfhash symbol hash for ELF file. + type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`file.extension`*:: + -- +File extension, excluding the leading dot. +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + type: keyword +example: png + -- -*`rsa.misc.cn_minpcktlen`*:: +*`file.gid`*:: + -- +Primary group ID (GID) of the file. + type: keyword +example: 1001 + -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`file.group`*:: + -- +Primary group name of the file. + type: keyword +example: alice + -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`file.hash.md5`*:: + -- +MD5 hash. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`file.hash.sha1`*:: + -- +SHA1 hash. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`file.hash.sha256`*:: + -- +SHA256 hash. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`file.hash.sha512`*:: + -- +SHA512 hash. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`file.hash.ssdeep`*:: + -- +SSDEEP hash. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`file.inode`*:: + -- +Inode representing the file in the filesystem. + type: keyword +example: 256383 + -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`file.mime_type`*:: + -- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`file.mode`*:: + -- +Mode of the file in octal representation. 
+ type: keyword +example: 0640 + -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`file.mtime`*:: + -- -type: keyword +Last time the file content was modified. + +type: date -- -*`rsa.misc.cn_mplstoplabel`*:: +*`file.name`*:: + -- +Name of the file including the extension, without the directory. + type: keyword +example: example.png + -- -*`rsa.misc.cn_mplstoplabip`*:: +*`file.owner`*:: + -- +File owner's username. + type: keyword +example: alice + -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`file.path`*:: + -- +Full path to the file, including the file name. It should include the drive letter, when appropriate. + type: keyword +example: /home/alice/example.png + -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`file.path.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cn_muligmptype`*:: +*`file.pe.architecture`*:: + -- +CPU architecture target for the file. + type: keyword +example: x64 + -- -*`rsa.misc.cn_sampalgo`*:: +*`file.pe.company`*:: + -- +Internal company name of the file, provided at compile-time. + type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.cn_sampint`*:: +*`file.pe.description`*:: + -- +Internal description of the file, provided at compile-time. + type: keyword +example: Paint + -- -*`rsa.misc.cn_seqctr`*:: +*`file.pe.file_version`*:: + -- +Internal version of the file, provided at compile-time. + type: keyword +example: 6.3.9600.17415 + -- -*`rsa.misc.cn_spackets`*:: +*`file.pe.imphash`*:: + -- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`rsa.misc.cn_src_tos`*:: +*`file.pe.original_file_name`*:: + -- +Internal name of the file, provided at compile-time. 
+ type: keyword +example: MSPAINT.EXE + -- -*`rsa.misc.cn_src_vlan`*:: +*`file.pe.product`*:: + -- +Internal product name of the file, provided at compile-time. + type: keyword +example: Microsoft® Windows® Operating System + -- -*`rsa.misc.cn_sysuptime`*:: +*`file.size`*:: + -- -type: keyword +File size in bytes. +Only relevant when `file.type` is "file". + +type: long + +example: 16384 -- -*`rsa.misc.cn_template_id`*:: +*`file.target_path`*:: + -- +Target path for symlinks. + type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`file.target_path.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cn_totflowexp`*:: +*`file.type`*:: + -- +File type (file, dir, or symlink). + type: keyword +example: file + -- -*`rsa.misc.cn_totpcktsexp`*:: +*`file.uid`*:: + -- +The user ID (UID) or security identifier (SID) of the file owner. + type: keyword +example: 1001 + -- -*`rsa.misc.cn_unixnanosecs`*:: +*`file.x509.alternative_names`*:: + -- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + type: keyword +example: *.elastic.co + -- -*`rsa.misc.cn_v6flowlabel`*:: +*`file.x509.issuer.common_name`*:: + -- +List of common name (CN) of issuing certificate authority. + type: keyword +example: Example SHA2 High Assurance Server CA + -- -*`rsa.misc.cn_v6optheaders`*:: +*`file.x509.issuer.country`*:: + -- +List of country (C) codes + type: keyword +example: US + -- -*`rsa.misc.comp_class`*:: +*`file.x509.issuer.distinguished_name`*:: + -- +Distinguished name (DN) of issuing certificate authority. 
+ type: keyword +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + -- -*`rsa.misc.comp_name`*:: +*`file.x509.issuer.locality`*:: + -- +List of locality names (L) + type: keyword +example: Mountain View + -- -*`rsa.misc.comp_rbytes`*:: +*`file.x509.issuer.organization`*:: + -- +List of organizations (O) of issuing certificate authority. + type: keyword +example: Example Inc + -- -*`rsa.misc.comp_sbytes`*:: +*`file.x509.issuer.organizational_unit`*:: + -- +List of organizational units (OU) of issuing certificate authority. + type: keyword +example: www.example.com + -- -*`rsa.misc.cpu_data`*:: +*`file.x509.issuer.state_or_province`*:: + -- +List of state or province names (ST, S, or P) + type: keyword +example: California + -- -*`rsa.misc.criticality`*:: +*`file.x509.not_after`*:: + -- -type: keyword +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`rsa.misc.cs_agency_dst`*:: +*`file.x509.not_before`*:: + -- -type: keyword +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`rsa.misc.cs_analyzedby`*:: +*`file.x509.public_key_algorithm`*:: + -- +Algorithm used to generate the public key. + type: keyword +example: RSA + -- -*`rsa.misc.cs_av_other`*:: +*`file.x509.public_key_curve`*:: + -- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + type: keyword +example: nistp521 + -- -*`rsa.misc.cs_av_primary`*:: +*`file.x509.public_key_exponent`*:: + -- -type: keyword +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. -- -*`rsa.misc.cs_av_secondary`*:: +*`file.x509.public_key_size`*:: + -- -type: keyword +The size of the public key space in bits. 
+ +type: long + +example: 2048 -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`file.x509.serial_number`*:: + -- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -*`rsa.misc.cs_bit9status`*:: +*`file.x509.signature_algorithm`*:: + -- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + type: keyword +example: SHA256-RSA + -- -*`rsa.misc.cs_context`*:: +*`file.x509.subject.common_name`*:: + -- +List of common names (CN) of subject. + type: keyword +example: shared.global.example.net + -- -*`rsa.misc.cs_control`*:: +*`file.x509.subject.country`*:: + -- +List of country (C) code + type: keyword +example: US + -- -*`rsa.misc.cs_data`*:: +*`file.x509.subject.distinguished_name`*:: + -- +Distinguished name (DN) of the certificate subject entity. + type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`rsa.misc.cs_datecret`*:: +*`file.x509.subject.locality`*:: + -- +List of locality names (L) + type: keyword +example: San Francisco + -- -*`rsa.misc.cs_dst_tld`*:: +*`file.x509.subject.organization`*:: + -- +List of organizations (O) of subject. + type: keyword +example: Example, Inc. + -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`file.x509.subject.organizational_unit`*:: + -- +List of organizational units (OU) of subject. + type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`file.x509.subject.state_or_province`*:: + -- +List of state or province names (ST, S, or P) + type: keyword +example: California + -- -*`rsa.misc.cs_event_uuid`*:: +*`file.x509.version_number`*:: + -- +Version of x509 format. 
+ type: keyword +example: 3 + -- -*`rsa.misc.cs_filetype`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- +City name. + type: keyword +example: Montreal + -- -*`rsa.misc.cs_fld`*:: +*`geo.continent_code`*:: + -- +Two-letter code representing continent's name. + type: keyword +example: NA + -- -*`rsa.misc.cs_if_desc`*:: +*`geo.continent_name`*:: + -- +Name of the continent. + type: keyword +example: North America + -- -*`rsa.misc.cs_if_name`*:: +*`geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword +example: CA + -- -*`rsa.misc.cs_ip_next_hop`*:: +*`geo.country_name`*:: + -- +Country name. + type: keyword +example: Canada + -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`geo.location`*:: + -- -type: keyword +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`geo.name`*:: + -- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + type: keyword +example: boston-dc + -- -*`rsa.misc.cs_lifetime`*:: +*`geo.postal_code`*:: + -- +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + type: keyword +example: 94040 + -- -*`rsa.misc.cs_log_medium`*:: +*`geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword +example: CA-QC + -- -*`rsa.misc.cs_loginname`*:: +*`geo.region_name`*:: + -- +Region name. + type: keyword +example: Quebec + -- -*`rsa.misc.cs_modulescore`*:: +*`geo.timezone`*:: + -- +The time zone of the location, such as IANA time zone name. 
+ type: keyword +example: America/Argentina/Buenos_Aires + -- -*`rsa.misc.cs_modulesign`*:: +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: + -- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`group.id`*:: + -- +Unique identifier for the group on the system/platform. + type: keyword -- -*`rsa.misc.cs_payload`*:: +*`group.name`*:: + -- +Name of the group. + type: keyword -- -*`rsa.misc.cs_registrant`*:: +[float] +=== hash + +The hash fields represent different bitwise hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). + + +*`hash.md5`*:: + -- +MD5 hash. + type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`hash.sha1`*:: + -- +SHA1 hash. + type: keyword -- -*`rsa.misc.cs_represult`*:: +*`hash.sha256`*:: + -- +SHA256 hash. + type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`hash.sha512`*:: + -- +SHA512 hash. + type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`hash.ssdeep`*:: + -- +SSDEEP hash. + type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: + -- +Operating system architecture. 
+ type: keyword +example: x86_64 + -- -*`rsa.misc.cs_streams`*:: +*`host.cpu.usage`*:: + -- -type: keyword +Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. +Scaling factor: 1000. +For example: For a two core host, this value should be the average of the two cores, between 0 and 1. + +type: scaled_float -- -*`rsa.misc.cs_targetmodule`*:: +*`host.disk.read.bytes`*:: + -- -type: keyword +The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. + +type: long -- -*`rsa.misc.cs_v6nxthop`*:: +*`host.disk.write.bytes`*:: + -- -type: keyword +The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. + +type: long -- -*`rsa.misc.cs_whois_server`*:: +*`host.domain`*:: + -- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + type: keyword +example: CONTOSO + -- -*`rsa.misc.cs_yararesult`*:: +*`host.geo.city_name`*:: + -- +City name. + type: keyword +example: Montreal + -- -*`rsa.misc.description`*:: +*`host.geo.continent_code`*:: + -- +Two-letter code representing continent's name. + type: keyword +example: NA + -- -*`rsa.misc.devvendor`*:: +*`host.geo.continent_name`*:: + -- +Name of the continent. + type: keyword +example: North America + -- -*`rsa.misc.distance`*:: +*`host.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword +example: CA + -- -*`rsa.misc.dstburb`*:: +*`host.geo.country_name`*:: + -- +Country name. + type: keyword +example: Canada + -- -*`rsa.misc.edomain`*:: +*`host.geo.location`*:: + -- -type: keyword +Longitude and latitude. 
+ +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.misc.edomaub`*:: +*`host.geo.name`*:: + -- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + type: keyword +example: boston-dc + -- -*`rsa.misc.euid`*:: +*`host.geo.postal_code`*:: + -- +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + type: keyword +example: 94040 + -- -*`rsa.misc.facility`*:: +*`host.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword +example: CA-QC + -- -*`rsa.misc.finterface`*:: +*`host.geo.region_name`*:: + -- +Region name. + type: keyword +example: Quebec + -- -*`rsa.misc.flags`*:: +*`host.geo.timezone`*:: + -- +The time zone of the location, such as IANA time zone name. + type: keyword +example: America/Argentina/Buenos_Aires + -- -*`rsa.misc.gaddr`*:: +*`host.hostname`*:: + -- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + type: keyword -- -*`rsa.misc.id3`*:: +*`host.id`*:: + -- +Unique host id. +As hostname is not always unique, use values that are meaningful in your environment. +Example: The current usage of `beat.name`. + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`host.ip`*:: + -- -type: keyword +Host ip addresses. + +type: ip -- -*`rsa.misc.im_croomid`*:: +*`host.mac`*:: + -- +Host MAC addresses. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + type: keyword +example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] + -- -*`rsa.misc.im_croomtype`*:: +*`host.name`*:: + -- +Name of the host. 
+It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + type: keyword -- -*`rsa.misc.im_members`*:: +*`host.network.egress.bytes`*:: + -- -type: keyword +The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. + +type: long -- -*`rsa.misc.im_username`*:: +*`host.network.egress.packets`*:: + -- -type: keyword +The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. + +type: long -- -*`rsa.misc.ipkt`*:: +*`host.network.ingress.bytes`*:: + -- -type: keyword +The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. + +type: long -- -*`rsa.misc.ipscat`*:: +*`host.network.ingress.packets`*:: + -- -type: keyword +The number of packets (gauge) received on all network interfaces by the host since the last metric collection. + +type: long -- -*`rsa.misc.ipspri`*:: +*`host.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword +example: debian + -- -*`rsa.misc.latitude`*:: +*`host.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword +example: Mac OS Mojave + -- -*`rsa.misc.linenum`*:: +*`host.os.full.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.list_name`*:: +*`host.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword +example: 4.4.0-112-generic + -- -*`rsa.misc.load_data`*:: +*`host.os.name`*:: + -- +Operating system name, without the version. + type: keyword +example: Mac OS X + -- -*`rsa.misc.location_floor`*:: +*`host.os.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.location_mark`*:: +*`host.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). 
+ type: keyword +example: darwin + -- -*`rsa.misc.log_id`*:: +*`host.os.type`*:: + -- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + type: keyword +example: macos + -- -*`rsa.misc.log_type`*:: +*`host.os.version`*:: + -- +Operating system version as a raw string. + type: keyword +example: 10.14.1 + -- -*`rsa.misc.logid`*:: +*`host.type`*:: + -- +Type of host. +For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + type: keyword -- -*`rsa.misc.logip`*:: +*`host.uptime`*:: + -- -type: keyword +Seconds the host has been up. --- +type: long -*`rsa.misc.logname`*:: -+ --- -type: keyword +example: 1325 -- -*`rsa.misc.longitude`*:: +*`host.user.domain`*:: + -- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + type: keyword -- -*`rsa.misc.lport`*:: +*`host.user.email`*:: + -- +User email address. + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`host.user.full_name`*:: + -- +User's full name, if available. + type: keyword +example: Albert Einstein + -- -*`rsa.misc.misc_name`*:: +*`host.user.full_name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.msg_type`*:: +*`host.user.group.domain`*:: + -- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + type: keyword -- -*`rsa.misc.msgid`*:: +*`host.user.group.id`*:: + -- +Unique identifier for the group on the system/platform. + type: keyword -- -*`rsa.misc.netsessid`*:: +*`host.user.group.name`*:: + -- +Name of the group. 
+ type: keyword -- -*`rsa.misc.num`*:: +*`host.user.hash`*:: + -- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + type: keyword -- -*`rsa.misc.number1`*:: +*`host.user.id`*:: + -- +Unique identifier of the user. + type: keyword -- -*`rsa.misc.number2`*:: +*`host.user.name`*:: + -- +Short name or login of the user. + type: keyword +example: albert + -- -*`rsa.misc.nwwn`*:: +*`host.user.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.object`*:: +*`host.user.roles`*:: + -- +Array of user roles at the time of the event. + type: keyword --- +example: ["kibana_admin", "reporting_user"] -*`rsa.misc.operation`*:: -+ -- -type: keyword --- +[float] +=== http -*`rsa.misc.opkt`*:: -+ --- -type: keyword +Fields related to HTTP activity. Use the `url` field set to store the url of the request. --- -*`rsa.misc.orig_from`*:: +*`http.request.body.bytes`*:: + -- -type: keyword +Size in bytes of the request body. --- +type: long -*`rsa.misc.owner_id`*:: -+ --- -type: keyword +example: 887 + +format: bytes -- -*`rsa.misc.p_action`*:: +*`http.request.body.content`*:: + -- +The full HTTP request body. + type: keyword +example: Hello world + -- -*`rsa.misc.p_filter`*:: +*`http.request.body.content.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.p_group_object`*:: +*`http.request.bytes`*:: + -- -type: keyword +Total size in bytes of the request (body and headers). --- +type: long -*`rsa.misc.p_id`*:: -+ --- -type: keyword +example: 1437 + +format: bytes -- -*`rsa.misc.p_msgid1`*:: +*`http.request.id`*:: + -- +A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. +The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. 
+ type: keyword +example: 123e4567-e89b-12d3-a456-426614174000 + -- -*`rsa.misc.p_msgid2`*:: +*`http.request.method`*:: + -- +HTTP request method. +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 + type: keyword +example: GET, POST, PUT, PoST + -- -*`rsa.misc.p_result1`*:: +*`http.request.mime_type`*:: + -- +Mime type of the body of the request. +This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. + type: keyword +example: image/gif + -- -*`rsa.misc.password_chg`*:: +*`http.request.referrer`*:: + -- +Referrer for this HTTP request. + type: keyword +example: https://blog.example.com/ + -- -*`rsa.misc.password_expire`*:: +*`http.response.body.bytes`*:: + -- -type: keyword +Size in bytes of the response body. --- +type: long -*`rsa.misc.permgranted`*:: -+ --- -type: keyword +example: 887 + +format: bytes -- -*`rsa.misc.permwanted`*:: +*`http.response.body.content`*:: + -- +The full HTTP response body. + type: keyword +example: Hello world + -- -*`rsa.misc.pgid`*:: +*`http.response.body.content.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.policyUUID`*:: +*`http.response.bytes`*:: + -- -type: keyword +Total size in bytes of the response (body and headers). --- +type: long -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword +example: 1437 + +format: bytes -- -*`rsa.misc.program`*:: +*`http.response.mime_type`*:: + -- +Mime type of the body of the response. +This value must only be populated based on the content of the response body, not on the `Content-Type` header. 
Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. + type: keyword +example: image/gif + -- -*`rsa.misc.real_data`*:: +*`http.response.status_code`*:: + -- -type: keyword +HTTP response status code. --- +type: long -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword +example: 404 + +format: string -- -*`rsa.misc.rec_asp_num`*:: +*`http.version`*:: + -- +HTTP version. + type: keyword --- +example: 1.1 -*`rsa.misc.rec_library`*:: -+ -- -type: keyword --- +[float] +=== interface -*`rsa.misc.recordnum`*:: -+ --- -type: keyword +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. --- -*`rsa.misc.ruid`*:: +*`interface.alias`*:: + -- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + type: keyword +example: outside + -- -*`rsa.misc.sburb`*:: +*`interface.id`*:: + -- +Interface ID as reported by an observer (typically SNMP interface ID). + type: keyword +example: 10 + -- -*`rsa.misc.sdomain_fld`*:: +*`interface.name`*:: + -- +Interface name as reported by the system. + type: keyword --- +example: eth0 -*`rsa.misc.sec`*:: -+ -- -type: keyword --- +[float] +=== log -*`rsa.misc.sensorname`*:: -+ --- -type: keyword +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. 
--- -*`rsa.misc.seqnum`*:: +*`log.file.path`*:: + -- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + type: keyword +example: /var/log/fun-times.log + -- -*`rsa.misc.session`*:: +*`log.level`*:: + -- +Original log level of the log event. +If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). +Some examples are `warn`, `err`, `i`, `informational`. + type: keyword +example: error + -- -*`rsa.misc.sessiontype`*:: +*`log.logger`*:: + -- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + type: keyword +example: org.elasticsearch.bootstrap.Bootstrap + -- -*`rsa.misc.sigUUID`*:: +*`log.origin.file.line`*:: + -- -type: keyword +The line number of the file containing the source code which originated the log event. --- +type: integer -*`rsa.misc.spi`*:: -+ --- -type: keyword +example: 42 -- -*`rsa.misc.srcburb`*:: +*`log.origin.file.name`*:: + -- +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. + type: keyword +example: Bootstrap.java + -- -*`rsa.misc.srcdom`*:: +*`log.origin.function`*:: + -- +The name of the function or method which originated the log event. + type: keyword +example: init + -- -*`rsa.misc.srcservice`*:: +*`log.original`*:: + -- +Deprecated for removal in next major version release. This field is superseded by `event.original`. +This is the original log message and contains the full log message before splitting it up in multiple parts. 
+In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. +This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. + type: keyword --- +example: Sep 19 08:26:10 localhost My log -*`rsa.misc.state`*:: -+ --- -type: keyword +Field is not indexed. -- -*`rsa.misc.status1`*:: +*`log.syslog`*:: + -- -type: keyword +The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. + +type: object -- -*`rsa.misc.svcno`*:: +*`log.syslog.facility.code`*:: + -- -type: keyword +The Syslog numeric facility of the log event, if available. +According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. --- +type: long -*`rsa.misc.system`*:: -+ --- -type: keyword +example: 23 + +format: string -- -*`rsa.misc.tbdstr1`*:: +*`log.syslog.facility.name`*:: + -- +The Syslog text-based facility of the log event, if available. + type: keyword +example: local7 + -- -*`rsa.misc.tgtdom`*:: +*`log.syslog.priority`*:: + -- -type: keyword +Syslog numeric priority of the event, if available. +According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. --- +type: long -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword +example: 135 + +format: string -- -*`rsa.misc.threshold`*:: +*`log.syslog.severity.code`*:: + -- -type: keyword +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. 
+ +type: long + +example: 3 -- -*`rsa.misc.type1`*:: +*`log.syslog.severity.name`*:: + -- +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. + type: keyword +example: Error + -- -*`rsa.misc.udb_class`*:: +[float] +=== network + +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. + + +*`network.application`*:: + -- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword +example: aim + -- -*`rsa.misc.url_fld`*:: +*`network.bytes`*:: + -- -type: keyword +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + +type: long + +example: 368 + +format: bytes -- -*`rsa.misc.user_div`*:: +*`network.community_id`*:: + -- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + type: keyword +example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + -- -*`rsa.misc.userid`*:: +*`network.direction`*:: + -- -type: keyword +Direction of the network traffic. 
+Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown --- +When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". +When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". +Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. -*`rsa.misc.username_fld`*:: -+ --- type: keyword +example: inbound + -- -*`rsa.misc.utcstamp`*:: +*`network.forwarded_ip`*:: + -- -type: keyword +Host IP address when the source IP address is the proxy. --- +type: ip -*`rsa.misc.v_instafname`*:: -+ --- -type: keyword +example: 192.1.1.2 -- -*`rsa.misc.virt_data`*:: +*`network.iana_number`*:: + -- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + type: keyword +example: 6 + -- -*`rsa.misc.vpnid`*:: +*`network.inner`*:: + -- -type: keyword +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object -- -*`rsa.misc.autorun_type`*:: +*`network.inner.vlan.id`*:: + -- -This is used to capture Auto Run type +VLAN ID as reported by the observer. 
type: keyword +example: 10 + -- -*`rsa.misc.cc_number`*:: +*`network.inner.vlan.name`*:: + -- -Valid Credit Card Numbers only +Optional VLAN name as reported by the observer. -type: long +type: keyword + +example: outside -- -*`rsa.misc.content`*:: +*`network.name`*:: + -- -This key captures the content type from protocol headers +Name given by operators to sections of their network. type: keyword +example: Guest Wifi + -- -*`rsa.misc.ein_number`*:: +*`network.packets`*:: + -- -Employee Identification Numbers only +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. type: long +example: 24 + -- -*`rsa.misc.found`*:: +*`network.protocol`*:: + -- -This is used to capture the results of regex match +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". type: keyword +example: http + -- -*`rsa.misc.language`*:: +*`network.transport`*:: + -- -This is used to capture list of languages the client support and what it prefers +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". type: keyword --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long +example: tcp -- -*`rsa.misc.link`*:: +*`network.type`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
type: keyword +example: ipv4 + -- -*`rsa.misc.match`*:: +*`network.vlan.id`*:: + -- -This key is for regex match name from search.ini +VLAN ID as reported by the observer. type: keyword +example: 10 + -- -*`rsa.misc.param_dst`*:: +*`network.vlan.name`*:: + -- -This key captures the command line/launch argument of the target process or file +Optional VLAN name as reported by the observer. type: keyword --- +example: outside -*`rsa.misc.param_src`*:: -+ -- -This key captures source parameter -type: keyword +[float] +=== observer --- +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. -*`rsa.misc.search_text`*:: + +*`observer.egress`*:: + -- -This key captures the Search Text used +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. -type: keyword +type: object -- -*`rsa.misc.sig_name`*:: +*`observer.egress.interface.alias`*:: + -- -This key is used to capture the Signature Name only. +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. 
type: keyword +example: outside + -- -*`rsa.misc.snmp_value`*:: +*`observer.egress.interface.id`*:: + -- -SNMP set request value +Interface ID as reported by an observer (typically SNMP interface ID). type: keyword +example: 10 + -- -*`rsa.misc.streams`*:: +*`observer.egress.interface.name`*:: + -- -This key captures number of streams in session +Interface name as reported by the system. -type: long +type: keyword --- +example: eth0 +-- -*`rsa.db.index`*:: +*`observer.egress.vlan.id`*:: + -- -This key captures IndexID of the index. +VLAN ID as reported by the observer. type: keyword +example: 10 + -- -*`rsa.db.instance`*:: +*`observer.egress.vlan.name`*:: + -- -This key is used to capture the database server instance name +Optional VLAN name as reported by the observer. type: keyword +example: outside + -- -*`rsa.db.database`*:: +*`observer.egress.zone`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. type: keyword +example: Public_Internet + -- -*`rsa.db.transact_id`*:: +*`observer.geo.city_name`*:: + -- -This key captures the SQL transantion ID of the current session +City name. type: keyword +example: Montreal + -- -*`rsa.db.permissions`*:: +*`observer.geo.continent_code`*:: + -- -This key captures permission or privilege level assigned to a resource. +Two-letter code representing continent's name. type: keyword +example: NA + -- -*`rsa.db.table_name`*:: +*`observer.geo.continent_name`*:: + -- -This key is used to capture the table name +Name of the continent. type: keyword +example: North America + -- -*`rsa.db.db_id`*:: +*`observer.geo.country_iso_code`*:: + -- -This key is used to capture the unique identifier for a database +Country ISO code. 
type: keyword +example: CA + -- -*`rsa.db.db_pid`*:: +*`observer.geo.country_name`*:: + -- -This key captures the process id of a connection with database server +Country name. -type: long +type: keyword + +example: Canada -- -*`rsa.db.lread`*:: +*`observer.geo.location`*:: + -- -This key is used for the number of logical reads +Longitude and latitude. -type: long +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.db.lwrite`*:: +*`observer.geo.name`*:: + -- -This key is used for the number of logical writes +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. -type: long +type: keyword + +example: boston-dc -- -*`rsa.db.pread`*:: +*`observer.geo.postal_code`*:: + -- -This key is used for the number of physical writes +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. -type: long +type: keyword --- +example: 94040 +-- -*`rsa.network.alias_host`*:: +*`observer.geo.region_iso_code`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +Region ISO code. type: keyword +example: CA-QC + -- -*`rsa.network.domain`*:: +*`observer.geo.region_name`*:: + -- +Region name. + type: keyword +example: Quebec + -- -*`rsa.network.host_dst`*:: +*`observer.geo.timezone`*:: + -- -This key should only be used when it’s a Destination Hostname +The time zone of the location, such as IANA time zone name. type: keyword +example: America/Argentina/Buenos_Aires + -- -*`rsa.network.network_service`*:: +*`observer.hostname`*:: + -- -This is used to capture layer 7 protocols/service names +Hostname of the observer. 
type: keyword -- -*`rsa.network.interface`*:: +*`observer.ingress`*:: + -- -This key should be used when the source or destination context of an interface is not clear +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. -type: keyword +type: object -- -*`rsa.network.network_port`*:: +*`observer.ingress.interface.alias`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. -type: long +type: keyword + +example: outside -- -*`rsa.network.eth_host`*:: +*`observer.ingress.interface.id`*:: + -- -Deprecated, use alias.mac +Interface ID as reported by an observer (typically SNMP interface ID). type: keyword +example: 10 + -- -*`rsa.network.sinterface`*:: +*`observer.ingress.interface.name`*:: + -- -This key should only be used when it’s a Source Interface +Interface name as reported by the system. type: keyword +example: eth0 + -- -*`rsa.network.dinterface`*:: +*`observer.ingress.vlan.id`*:: + -- -This key should only be used when it’s a Destination Interface +VLAN ID as reported by the observer. type: keyword +example: 10 + -- -*`rsa.network.vlan`*:: +*`observer.ingress.vlan.name`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +Optional VLAN name as reported by the observer. -type: long +type: keyword + +example: outside -- -*`rsa.network.zone_src`*:: +*`observer.ingress.zone`*:: + -- -This key should only be used when it’s a Source Zone. +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. 
type: keyword +example: DMZ + -- -*`rsa.network.zone`*:: +*`observer.ip`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +IP addresses of the observer. -type: keyword +type: ip -- -*`rsa.network.zone_dst`*:: +*`observer.mac`*:: + -- -This key should only be used when it’s a Destination Zone. +MAC addresses of the observer. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword +example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] + -- -*`rsa.network.gateway`*:: +*`observer.name`*:: + -- -This key is used to capture the IP Address of the gateway +Custom name of the observer. +This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. +If no custom name is needed, the field can be left empty. type: keyword +example: 1_proxySG + -- -*`rsa.network.icmp_type`*:: +*`observer.os.family`*:: + -- -This key is used to capture the ICMP type only +OS family (such as redhat, debian, freebsd, windows). -type: long +type: keyword + +example: debian -- -*`rsa.network.mask`*:: +*`observer.os.full`*:: + -- -This key is used to capture the device network IPmask. +Operating system name, including the version or code name. type: keyword +example: Mac OS Mojave + -- -*`rsa.network.icmp_code`*:: +*`observer.os.full.text`*:: + -- -This key is used to capture the ICMP code only - -type: long +type: text -- -*`rsa.network.protocol_detail`*:: +*`observer.os.kernel`*:: + -- -This key should be used to capture additional protocol information +Operating system kernel version as a raw string. 
type: keyword +example: 4.4.0-112-generic + -- -*`rsa.network.dmask`*:: +*`observer.os.name`*:: + -- -This key is used for Destionation Device network mask +Operating system name, without the version. type: keyword +example: Mac OS X + -- -*`rsa.network.port`*:: +*`observer.os.name.text`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long +type: text -- -*`rsa.network.smask`*:: +*`observer.os.platform`*:: + -- -This key is used for capturing source Network Mask +Operating system platform (such centos, ubuntu, windows). type: keyword +example: darwin + -- -*`rsa.network.netname`*:: +*`observer.os.type`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword +example: macos + -- -*`rsa.network.paddr`*:: +*`observer.os.version`*:: + -- -Deprecated +Operating system version as a raw string. -type: ip +type: keyword + +example: 10.14.1 -- -*`rsa.network.faddr`*:: +*`observer.product`*:: + -- +The product name of the observer. + type: keyword +example: s200 + -- -*`rsa.network.lhost`*:: +*`observer.serial_number`*:: + -- +Observer serial number. + type: keyword -- -*`rsa.network.origin`*:: +*`observer.type`*:: + -- +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + type: keyword +example: firewall + -- -*`rsa.network.remote_domain_id`*:: +*`observer.vendor`*:: + -- +Vendor name of the observer. 
+ type: keyword +example: Symantec + -- -*`rsa.network.addr`*:: +*`observer.version`*:: + -- +Observer version. + type: keyword -- -*`rsa.network.dns_a_record`*:: +[float] +=== orchestrator + +Fields that describe the resources which container orchestrators manage or act upon. + + +*`orchestrator.api_version`*:: + -- +API version being used to carry out the action + type: keyword +example: v1beta1 + -- -*`rsa.network.dns_ptr_record`*:: +*`orchestrator.cluster.name`*:: + -- +Name of the cluster. + type: keyword -- -*`rsa.network.fhost`*:: +*`orchestrator.cluster.url`*:: + -- +URL of the API used to manage the cluster. + type: keyword -- -*`rsa.network.fport`*:: +*`orchestrator.cluster.version`*:: + -- +The version of the cluster. + type: keyword -- -*`rsa.network.laddr`*:: +*`orchestrator.namespace`*:: + -- +Namespace in which the action is taking place. + type: keyword +example: kube-system + -- -*`rsa.network.linterface`*:: +*`orchestrator.organization`*:: + -- +Organization affected by the event (for multi-tenant orchestrator setups). + type: keyword +example: elastic + -- -*`rsa.network.phost`*:: +*`orchestrator.resource.name`*:: + -- +Name of the resource being acted upon. + type: keyword +example: test-pod-cdcws + -- -*`rsa.network.ad_computer_dst`*:: +*`orchestrator.resource.type`*:: + -- -Deprecated, use host.dst +Type of resource being acted upon. type: keyword +example: service + -- -*`rsa.network.eth_type`*:: +*`orchestrator.type`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). -type: long +type: keyword --- +example: kubernetes -*`rsa.network.ip_proto`*:: -+ -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: long +[float] +=== organization --- +The organization fields enrich data with information about the company or entity the data is associated with. 
+These fields help you arrange or filter data stored in an index by one or multiple organizations. -*`rsa.network.dns_cname_record`*:: + +*`organization.id`*:: + -- +Unique identifier for the organization. + type: keyword -- -*`rsa.network.dns_id`*:: +*`organization.name`*:: + -- +Organization name. + type: keyword -- -*`rsa.network.dns_opcode`*:: +*`organization.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.network.dns_resp`*:: +[float] +=== os + +The OS fields contain information about the operating system. + + +*`os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword +example: debian + -- -*`rsa.network.dns_type`*:: +*`os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword +example: Mac OS Mojave + -- -*`rsa.network.domain1`*:: +*`os.full.text`*:: + -- -type: keyword +type: text -- -*`rsa.network.host_type`*:: +*`os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword +example: 4.4.0-112-generic + -- -*`rsa.network.packet_length`*:: +*`os.name`*:: + -- +Operating system name, without the version. + type: keyword +example: Mac OS X + -- -*`rsa.network.host_orig`*:: +*`os.name.text`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword +type: text -- -*`rsa.network.rpayload`*:: +*`os.platform`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. +Operating system platform (such centos, ubuntu, windows). type: keyword +example: darwin + -- -*`rsa.network.vlan_name`*:: +*`os.type`*:: + -- -This key should only be used to capture the name of the Virtual LAN +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. 
Please let us know by opening an issue with ECS, to propose its addition. type: keyword --- +example: macos +-- -*`rsa.investigations.ec_activity`*:: +*`os.version`*:: + -- -This key captures the particular event activity(Ex:Logoff) +Operating system version as a raw string. type: keyword --- +example: 10.14.1 -*`rsa.investigations.ec_theme`*:: -+ -- -This key captures the Theme of a particular Event(Ex:Authentication) -type: keyword +[float] +=== package --- +These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. -*`rsa.investigations.ec_subject`*:: + +*`package.architecture`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +Package architecture. type: keyword +example: x86_64 + -- -*`rsa.investigations.ec_outcome`*:: +*`package.build_version`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +Additional information about the build version of the installed package. +For example use the commit SHA of a non-released package. type: keyword +example: 36f4f7e89dd61b0988b12ee000b98966867710cd + -- -*`rsa.investigations.event_cat`*:: +*`package.checksum`*:: + -- -This key captures the Event category number +Checksum of the installed package for verification. -type: long +type: keyword + +example: 68b329da9893e34099c7d8ad5cb9c940 -- -*`rsa.investigations.event_cat_name`*:: +*`package.description`*:: + -- -This key captures the event category name corresponding to the event cat code +Description of the package. type: keyword +example: Open source programming language to build simple/reliable/efficient software. + -- -*`rsa.investigations.event_vcat`*:: +*`package.install_scope`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +Indicating how the package was installed, e.g. 
user-local, global. type: keyword +example: global + -- -*`rsa.investigations.analysis_file`*:: +*`package.installed`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +Time when package was installed. -type: keyword +type: date -- -*`rsa.investigations.analysis_service`*:: +*`package.license`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +License under which the package was released. +Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). type: keyword +example: Apache License 2.0 + -- -*`rsa.investigations.analysis_session`*:: +*`package.name`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +Package name type: keyword +example: go + -- -*`rsa.investigations.boc`*:: +*`package.path`*:: + -- -This is used to capture behaviour of compromise +Path where the package is installed. type: keyword +example: /usr/local/Cellar/go/1.12.9/ + -- -*`rsa.investigations.eoc`*:: +*`package.reference`*:: + -- -This is used to capture Enablers of Compromise +Home page or reference URL of the software in this package, if available. type: keyword +example: https://golang.org + -- -*`rsa.investigations.inv_category`*:: +*`package.size`*:: + -- -This used to capture investigation category +Package size in bytes. -type: keyword +type: long + +example: 62231 + +format: string -- -*`rsa.investigations.inv_context`*:: +*`package.type`*:: + -- -This used to capture investigation context +Type of package. +This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. 
type: keyword +example: rpm + -- -*`rsa.investigations.ioc`*:: +*`package.version`*:: + -- -This is key capture indicator of compromise +Package version type: keyword --- - +example: 1.12.9 -*`rsa.counters.dclass_c1`*:: -+ -- -This is a generic counter key that should be used with the label dclass.c1.str only -type: long +[float] +=== pe --- +These fields contain Windows Portable Executable (PE) metadata. -*`rsa.counters.dclass_c2`*:: + +*`pe.architecture`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +CPU architecture target for the file. -type: long +type: keyword + +example: x64 -- -*`rsa.counters.event_counter`*:: +*`pe.company`*:: + -- -This is used to capture the number of times an event repeated +Internal company name of the file, provided at compile-time. -type: long +type: keyword + +example: Microsoft Corporation -- -*`rsa.counters.dclass_r1`*:: +*`pe.description`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +Internal description of the file, provided at compile-time. type: keyword +example: Paint + -- -*`rsa.counters.dclass_c3`*:: +*`pe.file_version`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +Internal version of the file, provided at compile-time. -type: long +type: keyword + +example: 6.3.9600.17415 -- -*`rsa.counters.dclass_c1_str`*:: +*`pe.imphash`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. 
type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`rsa.counters.dclass_c2_str`*:: +*`pe.original_file_name`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +Internal name of the file, provided at compile-time. type: keyword +example: MSPAINT.EXE + -- -*`rsa.counters.dclass_r1_str`*:: +*`pe.product`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +Internal product name of the file, provided at compile-time. type: keyword --- +example: Microsoft® Windows® Operating System -*`rsa.counters.dclass_r2`*:: -+ -- -This is a generic ratio key that should be used with the label dclass.r2.str only -type: keyword +[float] +=== process --- +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. -*`rsa.counters.dclass_c3_str`*:: + +*`process.args`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. type: keyword +example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] + -- -*`rsa.counters.dclass_r3`*:: +*`process.args_count`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. -type: keyword +type: long + +example: 4 -- -*`rsa.counters.dclass_r2_str`*:: +*`process.code_signature.exists`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +Boolean to capture if a signature is present. 
-type: keyword +type: boolean + +example: true -- -*`rsa.counters.dclass_r3_str`*:: +*`process.code_signature.signing_id`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword --- +example: com.apple.xpc.proxy +-- -*`rsa.identity.auth_method`*:: +*`process.code_signature.status`*:: + -- -This key is used to capture authentication methods used only +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.identity.user_role`*:: +*`process.code_signature.subject_name`*:: + -- -This key is used to capture the Role of a user only +Subject name of the code signer type: keyword +example: Microsoft Corporation + -- -*`rsa.identity.dn`*:: +*`process.code_signature.team_id`*:: + -- -X.500 (LDAP) Distinguished Name +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. type: keyword +example: EQHXZ8M8AV + -- -*`rsa.identity.logon_type`*:: +*`process.code_signature.trusted`*:: + -- -This key is used to capture the type of logon method used. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean + +example: true -- -*`rsa.identity.profile`*:: +*`process.code_signature.valid`*:: + -- -This key is used to capture the user profile +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. 
-type: keyword +type: boolean + +example: true -- -*`rsa.identity.accesses`*:: +*`process.command_line`*:: + -- -This key is used to capture actual privileges used in accessing an object +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. type: keyword +example: /usr/bin/ssh -l user 10.0.0.16 + -- -*`rsa.identity.realm`*:: +*`process.command_line.text`*:: + -- -Radius realm or similar grouping of accounts - -type: keyword +type: text -- -*`rsa.identity.user_sid_dst`*:: +*`process.elf.architecture`*:: + -- -This key captures Destination User Session ID +Machine architecture of the ELF file. type: keyword +example: x86-64 + -- -*`rsa.identity.dn_src`*:: +*`process.elf.byte_order`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +Byte sequence of ELF file. type: keyword +example: Little Endian + -- -*`rsa.identity.org`*:: +*`process.elf.cpu_type`*:: + -- -This key captures the User organization +CPU type of the ELF file. type: keyword +example: Intel + -- -*`rsa.identity.dn_dst`*:: +*`process.elf.creation_date`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. -type: keyword +type: date -- -*`rsa.identity.firstname`*:: +*`process.elf.exports`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +List of exported element names and types. -type: keyword +type: flattened -- -*`rsa.identity.lastname`*:: +*`process.elf.header.abi_version`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +Version of the ELF Application Binary Interface (ABI). 
type: keyword -- -*`rsa.identity.user_dept`*:: +*`process.elf.header.class`*:: + -- -User's Department Names only +Header class of the ELF file. type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`process.elf.header.data`*:: + -- -This key captures Source User Session ID +Data table of the ELF header. type: keyword -- -*`rsa.identity.federated_sp`*:: +*`process.elf.header.entrypoint`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +Header entrypoint of the ELF file. -type: keyword +type: long + +format: string -- -*`rsa.identity.federated_idp`*:: +*`process.elf.header.object_version`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. +"0x1" for original ELF files. type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`process.elf.header.os_abi`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. +Application Binary Interface (ABI) of the Linux OS. type: keyword -- -*`rsa.identity.middlename`*:: +*`process.elf.header.type`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +Header type of the ELF file. type: keyword -- -*`rsa.identity.password`*:: +*`process.elf.header.version`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +Version of the ELF header. type: keyword -- -*`rsa.identity.host_role`*:: +*`process.elf.imports`*:: + -- -This key should only be used to capture the role of a Host Machine +List of imported element names and types. -type: keyword +type: flattened -- -*`rsa.identity.ldap`*:: +*`process.elf.sections`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +An array containing an object for each section of the ELF file. 
+The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. -type: keyword +type: nested -- -*`rsa.identity.ldap_query`*:: +*`process.elf.sections.chi2`*:: + -- -This key is the Search criteria from an LDAP search +Chi-square probability distribution of the section. -type: keyword +type: long + +format: number -- -*`rsa.identity.ldap_response`*:: +*`process.elf.sections.entropy`*:: + -- -This key is to capture Results from an LDAP search +Shannon entropy calculation from the section. -type: keyword +type: long + +format: number -- -*`rsa.identity.owner`*:: +*`process.elf.sections.flags`*:: + -- -This is used to capture username the process or service is running as, the author of the task +ELF Section List flags. type: keyword -- -*`rsa.identity.service_account`*:: +*`process.elf.sections.name`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage +ELF Section List name. type: keyword -- - -*`rsa.email.email_dst`*:: +*`process.elf.sections.physical_offset`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email +ELF Section List offset. type: keyword -- -*`rsa.email.email_src`*:: +*`process.elf.sections.physical_size`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +ELF Section List physical size. -type: keyword +type: long + +format: bytes -- -*`rsa.email.subject`*:: +*`process.elf.sections.type`*:: + -- -This key is used to capture the subject string from an Email only. +ELF Section List type. type: keyword -- -*`rsa.email.email`*:: +*`process.elf.sections.virtual_address`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +ELF Section List virtual address. 
-type: keyword +type: long + +format: string -- -*`rsa.email.trans_from`*:: +*`process.elf.sections.virtual_size`*:: + -- -Deprecated key defined only in table map. +ELF Section List virtual size. -type: keyword +type: long + +format: string -- -*`rsa.email.trans_to`*:: +*`process.elf.segments`*:: + -- -Deprecated key defined only in table map. +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. -type: keyword +type: nested -- - -*`rsa.file.privilege`*:: +*`process.elf.segments.sections`*:: + -- -Deprecated, use permissions +ELF object segment sections. type: keyword -- -*`rsa.file.attachment`*:: +*`process.elf.segments.type`*:: + -- -This key captures the attachment file name +ELF object segment type. type: keyword -- -*`rsa.file.filesystem`*:: +*`process.elf.shared_libraries`*:: + -- +List of shared libraries used by this ELF object. + type: keyword -- -*`rsa.file.binary`*:: +*`process.elf.telfhash`*:: + -- -Deprecated key defined only in table map. +telfhash symbol hash for ELF file. type: keyword -- -*`rsa.file.filename_dst`*:: +*`process.entity_id`*:: + -- -This is used to capture name of the file targeted by the action +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. type: keyword +example: c2c455d9f99375d + -- -*`rsa.file.filename_src`*:: +*`process.executable`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +Absolute path to the process executable. 
type: keyword +example: /usr/bin/ssh + -- -*`rsa.file.filename_tmp`*:: +*`process.executable.text`*:: + -- -type: keyword +type: text -- -*`rsa.file.directory_dst`*:: +*`process.exit_code`*:: + -- -This key is used to capture the directory of the target process or file +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). -type: keyword +type: long + +example: 137 -- -*`rsa.file.directory_src`*:: +*`process.hash.md5`*:: + -- -This key is used to capture the directory of the source process or file +MD5 hash. type: keyword -- -*`rsa.file.file_entropy`*:: +*`process.hash.sha1`*:: + -- -This is used to capture entropy vale of a file +SHA1 hash. -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`process.hash.sha256`*:: + -- -This is used to capture Company name of file located in version_info +SHA256 hash. type: keyword -- -*`rsa.file.task_name`*:: +*`process.hash.sha512`*:: + -- -This is used to capture name of the task +SHA512 hash. type: keyword -- - -*`rsa.web.fqdn`*:: +*`process.hash.ssdeep`*:: + -- -Fully Qualified Domain Names +SSDEEP hash. type: keyword -- -*`rsa.web.web_cookie`*:: +*`process.name`*:: + -- -This key is used to capture the Web cookies specifically. +Process name. +Sometimes called program name or similar. type: keyword --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword +example: ssh -- -*`rsa.web.reputation_num`*:: +*`process.name.text`*:: + -- -Reputation Number of an entity. Typically used for Web Domains - -type: double +type: text -- -*`rsa.web.web_ref_domain`*:: +*`process.parent.args`*:: + -- -Web referer's domain +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. 
type: keyword +example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] + -- -*`rsa.web.web_ref_query`*:: +*`process.parent.args_count`*:: + -- -This key captures Web referer's query portion of the URL +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. -type: keyword +type: long + +example: 4 -- -*`rsa.web.remote_domain`*:: +*`process.parent.code_signature.exists`*:: + -- -type: keyword +Boolean to capture if a signature is present. + +type: boolean + +example: true -- -*`rsa.web.web_ref_page`*:: +*`process.parent.code_signature.signing_id`*:: + -- -This key captures Web referer's page information +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword +example: com.apple.xpc.proxy + -- -*`rsa.web.web_ref_root`*:: +*`process.parent.code_signature.status`*:: + -- -Web referer's root URL path +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.web.cn_asn_dst`*:: +*`process.parent.code_signature.subject_name`*:: + -- +Subject name of the code signer + type: keyword +example: Microsoft Corporation + -- -*`rsa.web.cn_rpackets`*:: +*`process.parent.code_signature.team_id`*:: + -- +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + type: keyword +example: EQHXZ8M8AV + -- -*`rsa.web.urlpage`*:: +*`process.parent.code_signature.trusted`*:: + -- -type: keyword +Stores the trust status of the certificate chain. 
+Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. --- +type: boolean -*`rsa.web.urlroot`*:: -+ --- -type: keyword +example: true -- -*`rsa.web.p_url`*:: +*`process.parent.code_signature.valid`*:: + -- -type: keyword +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. --- +type: boolean -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword +example: true -- -*`rsa.web.p_web_cookie`*:: +*`process.parent.command_line`*:: + -- +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. + type: keyword +example: /usr/bin/ssh -l user 10.0.0.16 + -- -*`rsa.web.p_web_method`*:: +*`process.parent.command_line.text`*:: + -- -type: keyword +type: text -- -*`rsa.web.p_web_referer`*:: +*`process.parent.elf.architecture`*:: + -- +Machine architecture of the ELF file. + type: keyword +example: x86-64 + -- -*`rsa.web.web_extension_tmp`*:: +*`process.parent.elf.byte_order`*:: + -- +Byte sequence of ELF file. + type: keyword +example: Little Endian + -- -*`rsa.web.web_page`*:: +*`process.parent.elf.cpu_type`*:: + -- +CPU type of the ELF file. + type: keyword --- +example: Intel +-- -*`rsa.threat.threat_category`*:: +*`process.parent.elf.creation_date`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. -type: keyword +type: date -- -*`rsa.threat.threat_desc`*:: +*`process.parent.elf.exports`*:: + -- -This key is used to capture the threat description from the session directly or inferred +List of exported element names and types. 
-type: keyword +type: flattened -- -*`rsa.threat.alert`*:: +*`process.parent.elf.header.abi_version`*:: + -- -This key is used to capture name of the alert +Version of the ELF Application Binary Interface (ABI). type: keyword -- -*`rsa.threat.threat_source`*:: +*`process.parent.elf.header.class`*:: + -- -This key is used to capture source of the threat +Header class of the ELF file. type: keyword -- - -*`rsa.crypto.crypto`*:: +*`process.parent.elf.header.data`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +Data table of the ELF header. type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`process.parent.elf.header.entrypoint`*:: + -- -This key is for Source (Client) Cipher +Header entrypoint of the ELF file. -type: keyword +type: long + +format: string -- -*`rsa.crypto.cert_subject`*:: +*`process.parent.elf.header.object_version`*:: + -- -This key is used to capture the Certificate organization only +"0x1" for original ELF files. type: keyword -- -*`rsa.crypto.peer`*:: +*`process.parent.elf.header.os_abi`*:: + -- -This key is for Encryption peer's IP Address +Application Binary Interface (ABI) of the Linux OS. type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`process.parent.elf.header.type`*:: + -- -This key captures Source (Client) Cipher Size +Header type of the ELF file. -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`process.parent.elf.header.version`*:: + -- -IKE negotiation phase. +Version of the ELF header. type: keyword -- -*`rsa.crypto.scheme`*:: +*`process.parent.elf.imports`*:: + -- -This key captures the Encryption scheme used +List of imported element names and types. -type: keyword +type: flattened -- -*`rsa.crypto.peer_id`*:: +*`process.parent.elf.sections`*:: + -- -This key is for Encryption peer’s identity +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. 
-type: keyword +type: nested -- -*`rsa.crypto.sig_type`*:: +*`process.parent.elf.sections.chi2`*:: + -- -This key captures the Signature Type +Chi-square probability distribution of the section. -type: keyword +type: long + +format: number -- -*`rsa.crypto.cert_issuer`*:: +*`process.parent.elf.sections.entropy`*:: + -- -type: keyword +Shannon entropy calculation from the section. + +type: long + +format: number -- -*`rsa.crypto.cert_host_name`*:: +*`process.parent.elf.sections.flags`*:: + -- -Deprecated key defined only in table map. +ELF Section List flags. type: keyword -- -*`rsa.crypto.cert_error`*:: +*`process.parent.elf.sections.name`*:: + -- -This key captures the Certificate Error String +ELF Section List name. type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`process.parent.elf.sections.physical_offset`*:: + -- -This key is for Destination (Server) Cipher +ELF Section List offset. type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`process.parent.elf.sections.physical_size`*:: + -- -This key captures Destination (Server) Cipher Size +ELF Section List physical size. type: long +format: bytes + -- -*`rsa.crypto.ssl_ver_src`*:: +*`process.parent.elf.sections.type`*:: + -- -Deprecated, use version +ELF Section List type. type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`process.parent.elf.sections.virtual_address`*:: + -- -type: keyword +ELF Section List virtual address. --- +type: long -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword +format: string -- -*`rsa.crypto.ike_cookie1`*:: +*`process.parent.elf.sections.virtual_size`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +ELF Section List virtual size. -type: keyword +type: long + +format: string -- -*`rsa.crypto.ike_cookie2`*:: +*`process.parent.elf.segments`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. 
-type: keyword +type: nested -- -*`rsa.crypto.cert_checksum`*:: +*`process.parent.elf.segments.sections`*:: + -- +ELF object segment sections. + type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`process.parent.elf.segments.type`*:: + -- -This key is used for the hostname category value of a certificate +ELF object segment type. type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`process.parent.elf.shared_libraries`*:: + -- -This key is used to capture the Certificate serial number only +List of shared libraries used by this ELF object. type: keyword -- -*`rsa.crypto.cert_status`*:: +*`process.parent.elf.telfhash`*:: + -- -This key captures Certificate validation status +telfhash symbol hash for ELF file. type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`process.parent.entity_id`*:: + -- -Deprecated, use version +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. type: keyword +example: c2c455d9f99375d + -- -*`rsa.crypto.cert_keysize`*:: +*`process.parent.executable`*:: + -- +Absolute path to the process executable. + type: keyword +example: /usr/bin/ssh + -- -*`rsa.crypto.cert_username`*:: +*`process.parent.executable.text`*:: + -- -type: keyword +type: text -- -*`rsa.crypto.https_insact`*:: +*`process.parent.exit_code`*:: + -- -type: keyword +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). 
--- +type: long -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword +example: 137 -- -*`rsa.crypto.cert_ca`*:: +*`process.parent.hash.md5`*:: + -- -This key is used to capture the Certificate signing authority only +MD5 hash. type: keyword -- -*`rsa.crypto.cert_common`*:: +*`process.parent.hash.sha1`*:: + -- -This key is used to capture the Certificate common name only +SHA1 hash. type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`process.parent.hash.sha256`*:: + -- -This key is used to capture the ssid of a Wireless Session +SHA256 hash. type: keyword -- -*`rsa.wireless.access_point`*:: +*`process.parent.hash.sha512`*:: + -- -This key is used to capture the access point name. +SHA512 hash. type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`process.parent.hash.ssdeep`*:: + -- -This is used to capture the channel names +SSDEEP hash. -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`process.parent.name`*:: + -- -This key captures either WLAN number/name +Process name. +Sometimes called program name or similar. type: keyword --- +example: ssh +-- -*`rsa.storage.disk_volume`*:: +*`process.parent.name.text`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword +type: text -- -*`rsa.storage.lun`*:: +*`process.parent.pe.architecture`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +CPU architecture target for the file. type: keyword +example: x64 + -- -*`rsa.storage.pwwn`*:: +*`process.parent.pe.company`*:: + -- -This uniquely identifies a port on a HBA. +Internal company name of the file, provided at compile-time. type: keyword --- +example: Microsoft Corporation +-- -*`rsa.physical.org_dst`*:: +*`process.parent.pe.description`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +Internal description of the file, provided at compile-time. 
type: keyword +example: Paint + -- -*`rsa.physical.org_src`*:: +*`process.parent.pe.file_version`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +Internal version of the file, provided at compile-time. type: keyword --- +example: 6.3.9600.17415 +-- -*`rsa.healthcare.patient_fname`*:: +*`process.parent.pe.imphash`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`rsa.healthcare.patient_id`*:: +*`process.parent.pe.original_file_name`*:: + -- -This key captures the unique ID for a patient +Internal name of the file, provided at compile-time. type: keyword +example: MSPAINT.EXE + -- -*`rsa.healthcare.patient_lname`*:: +*`process.parent.pe.product`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +Internal product name of the file, provided at compile-time. type: keyword +example: Microsoft® Windows® Operating System + -- -*`rsa.healthcare.patient_mname`*:: +*`process.parent.pgid`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +Identifier of the group of processes the process belongs to. -type: keyword +type: long --- +format: string +-- -*`rsa.endpoint.host_state`*:: +*`process.parent.pid`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +Process id. 
-type: keyword +type: long + +example: 4242 + +format: string -- -*`rsa.endpoint.registry_key`*:: +*`process.parent.ppid`*:: + -- -This key captures the path to the registry key +Parent process' pid. -type: keyword +type: long + +example: 4241 + +format: string -- -*`rsa.endpoint.registry_value`*:: +*`process.parent.start`*:: + -- -This key captures values or decorators used within a registry entry +The time the process started. -type: keyword +type: date + +example: 2016-05-23T08:05:34.853Z -- -[[exported-fields-docker-processor]] -== Docker fields +*`process.parent.thread.id`*:: ++ +-- +Thread ID. -Docker stats collected from Docker. +type: long +example: 4242 +format: string +-- -*`docker.container.id`*:: +*`process.parent.thread.name`*:: + -- -type: alias +Thread name. -alias to: container.id +type: keyword + +example: thread-0 -- -*`docker.container.image`*:: +*`process.parent.title`*:: + -- -type: alias +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -alias to: container.image.name +type: keyword -- -*`docker.container.name`*:: +*`process.parent.title.text`*:: + -- -type: alias - -alias to: container.name +type: text -- -*`docker.container.labels`*:: +*`process.parent.uptime`*:: + -- -Image labels. +Seconds the process has been up. +type: long -type: object +example: 1325 -- -[[exported-fields-ecs]] -== ECS fields - +*`process.parent.working_directory`*:: ++ +-- +The working directory of the process. -This section defines Elastic Common Schema (ECS) fields—a common set of fields -to be used when storing event data in {es}. +type: keyword -This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. -The goal of ECS is to enable and encourage users of {es} to normalize their event data, -so that they can better analyze, visualize, and correlate the data represented in their events. 
+example: /home/alice -See the {ecs-ref}[ECS reference] for more information. +-- -*`@timestamp`*:: +*`process.parent.working_directory.text`*:: + -- -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -type: date - -example: 2016-05-23T08:05:34.853Z - -required: True +type: text -- -*`labels`*:: +*`process.pe.architecture`*:: + -- -Custom key/value pairs. -Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. -Example: `docker` and `k8s` labels. +CPU architecture target for the file. -type: object +type: keyword -example: {"application": "foo-bar", "env": "production"} +example: x64 -- -*`message`*:: +*`process.pe.company`*:: + -- -For log events the message field contains the log message, optimized for viewing in a log viewer. -For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. -If multiple messages exist, they can be combined into one message. +Internal company name of the file, provided at compile-time. -type: text +type: keyword -example: Hello World +example: Microsoft Corporation -- -*`tags`*:: +*`process.pe.description`*:: + -- -List of keywords used to tag each event. +Internal description of the file, provided at compile-time. type: keyword -example: ["production", "env2"] +example: Paint -- -[float] -=== agent - -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. -Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. - - -*`agent.build.original`*:: +*`process.pe.file_version`*:: + -- -Extended build information for the agent. -This field is intended to contain any build information that a data source may provide, no specific formatting is required. +Internal version of the file, provided at compile-time. type: keyword -example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] +example: 6.3.9600.17415 -- -*`agent.ephemeral_id`*:: +*`process.pe.imphash`*:: + -- -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword -example: 8a4f500f +example: 0c6803c4e922103c4dca5963aad36ddf -- -*`agent.id`*:: +*`process.pe.original_file_name`*:: + -- -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. +Internal name of the file, provided at compile-time. type: keyword -example: 8a4f500d +example: MSPAINT.EXE -- -*`agent.name`*:: +*`process.pe.product`*:: + -- -Custom name of the agent. -This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. -If no name is given, the name is often left empty. +Internal product name of the file, provided at compile-time. 
type: keyword -example: foo +example: Microsoft® Windows® Operating System -- -*`agent.type`*:: +*`process.pgid`*:: + -- -Type of the agent. -The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +Identifier of the group of processes the process belongs to. -type: keyword +type: long -example: filebeat +format: string -- -*`agent.version`*:: +*`process.pid`*:: + -- -Version of the agent. +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.start`*:: ++ +-- +The time the process started. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + +*`process.thread.id`*:: ++ +-- +Thread ID. + +type: long + +example: 4242 + +format: string + +-- + +*`process.thread.name`*:: ++ +-- +Thread name. type: keyword -example: 6.0.0-rc2 +example: thread-0 -- -[float] -=== as +*`process.title`*:: ++ +-- +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. +type: keyword +-- -*`as.number`*:: +*`process.title.text`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +type: text + +-- + +*`process.uptime`*:: ++ +-- +Seconds the process has been up. type: long -example: 15169 +example: 1325 -- -*`as.organization.name`*:: +*`process.working_directory`*:: + -- -Organization name. +The working directory of the process. 
type: keyword -example: Google LLC +example: /home/alice -- -*`as.organization.name.text`*:: +*`process.working_directory.text`*:: + -- type: text 
@@ -40432,24 +41725,271 @@ type: text -- [float] -=== client +=== registry -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Fields related to Windows Registry operations. + + +*`registry.data.bytes`*:: ++ +-- +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. + +type: keyword + +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + +-- + +*`registry.data.strings`*:: ++ +-- +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + +type: keyword + +example: ["C:\rta\red_ttp\bin\myapp.exe"] + +-- + +*`registry.data.type`*:: ++ +-- +Standard registry type for encoding contents + +type: keyword + +example: REG_SZ + +-- + +*`registry.hive`*:: ++ +-- +Abbreviated name for the hive. + +type: keyword + +example: HKLM + +-- + +*`registry.key`*:: ++ +-- +Hive-relative path of keys. 
+ +type: keyword + +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + +-- + +*`registry.path`*:: ++ +-- +Full path, including hive, key and value + +type: keyword + +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + +-- + +*`registry.value`*:: ++ +-- +Name of the value written. + +type: keyword + +example: Debugger + +-- + +[float] +=== related + +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword + +-- + +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + +*`related.ip`*:: ++ +-- +All of the IPs seen on your event. + +type: ip + +-- + +*`related.user`*:: ++ +-- +All the user names or other user identifiers seen on the event. + +type: keyword + +-- + +[float] +=== rule + +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. 
+Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. + + +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ["Star-Lord"] + +-- + +*`rule.category`*:: ++ +-- +A categorization value keyword used by the entity using the rule for detection of this event. + +type: keyword + +example: Attempted Information Leak + +-- + +*`rule.description`*:: ++ +-- +The description of the rule generating the event. + +type: keyword + +example: Block requests to public DNS over HTTPS / TLS protocols + +-- + +*`rule.id`*:: ++ +-- +A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + +type: keyword + +example: 101 + +-- + +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + +*`rule.name`*:: ++ +-- +The name of the rule or signature generating the event. + +type: keyword + +example: BLOCK_DNS_over_TLS + +-- + +*`rule.reference`*:: ++ +-- +Reference URL to additional information about the rule used to generate this event. +The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. + +type: keyword + +example: https://en.wikipedia.org/wiki/DNS_over_TLS + +-- + +*`rule.ruleset`*:: ++ +-- +Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. 
+ +type: keyword + +example: Standard_Protocol_Filters + +-- + +*`rule.uuid`*:: ++ +-- +A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + +type: keyword + +example: 1100110011 + +-- + +*`rule.version`*:: ++ +-- +The version / revision of the rule being used for analysis. + +type: keyword + +example: 1.1 + +-- + +[float] +=== server + +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. -*`client.address`*:: +*`server.address`*:: + -- -Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -- -*`client.as.number`*:: +*`server.as.number`*:: + -- Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. @@ -40460,7 +42000,7 @@ example: 15169 -- -*`client.as.organization.name`*:: +*`server.as.organization.name`*:: + -- Organization name. @@ -40471,17 +42011,17 @@ example: Google LLC -- -*`client.as.organization.name.text`*:: +*`server.as.organization.name.text`*:: + -- type: text -- -*`client.bytes`*:: +*`server.bytes`*:: + -- -Bytes sent from the client to the server. +Bytes sent from the server to the client. type: long @@ -40491,16 +42031,16 @@ format: bytes -- -*`client.domain`*:: +*`server.domain`*:: + -- -Client domain. +Server domain. type: keyword -- -*`client.geo.city_name`*:: +*`server.geo.city_name`*:: + -- City name. @@ -40511,7 +42051,7 @@ example: Montreal -- -*`client.geo.continent_code`*:: +*`server.geo.continent_code`*:: + -- Two-letter code representing continent's name. @@ -40522,7 +42062,7 @@ example: NA -- -*`client.geo.continent_name`*:: +*`server.geo.continent_name`*:: + -- Name of the continent. @@ -40533,7 +42073,7 @@ example: North America -- -*`client.geo.country_iso_code`*:: +*`server.geo.country_iso_code`*:: + -- Country ISO code. @@ -40544,7 +42084,7 @@ example: CA -- -*`client.geo.country_name`*:: +*`server.geo.country_name`*:: + -- Country name. @@ -40555,7 +42095,7 @@ example: Canada -- -*`client.geo.location`*:: +*`server.geo.location`*:: + -- Longitude and latitude. @@ -40566,7 +42106,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`client.geo.name`*:: +*`server.geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -40579,7 +42119,7 @@ example: boston-dc -- -*`client.geo.postal_code`*:: +*`server.geo.postal_code`*:: + -- Postal code associated with the location. @@ -40591,7 +42131,7 @@ example: 94040 -- -*`client.geo.region_iso_code`*:: +*`server.geo.region_iso_code`*:: + -- Region ISO code. 
@@ -40602,7 +42142,7 @@ example: CA-QC -- -*`client.geo.region_name`*:: +*`server.geo.region_name`*:: + -- Region name. @@ -40613,7 +42153,7 @@ example: Quebec -- -*`client.geo.timezone`*:: +*`server.geo.timezone`*:: + -- The time zone of the location, such as IANA time zone name. @@ -40624,19 +42164,19 @@ example: America/Argentina/Buenos_Aires -- -*`client.ip`*:: +*`server.ip`*:: + -- -IP address of the client (IPv4 or IPv6). +IP address of the server (IPv4 or IPv6). type: ip -- -*`client.mac`*:: +*`server.mac`*:: + -- -MAC address of the client. +MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword @@ -40645,21 +42185,21 @@ example: 00-00-5E-00-53-23 -- -*`client.nat.ip`*:: +*`server.nat.ip`*:: + -- -Translated IP of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. type: ip -- -*`client.nat.port`*:: +*`server.nat.port`*:: + -- -Translated port of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. type: long @@ -40667,10 +42207,10 @@ format: string -- -*`client.packets`*:: +*`server.packets`*:: + -- -Packets sent from the client to the server. +Packets sent from the server to the client. type: long @@ -40678,10 +42218,10 @@ example: 12 -- -*`client.port`*:: +*`server.port`*:: + -- -Port of the client. +Port of the server. type: long 
@@ -40689,10 +42229,10 @@ format: string -- -*`client.registered_domain`*:: +*`server.registered_domain`*:: + -- -The highest registered client domain, stripped of the subdomain. +The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". @@ -40702,7 +42242,7 @@ example: example.com -- -*`client.subdomain`*:: +*`server.subdomain`*:: + -- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. @@ -40714,7 +42254,7 @@ example: east -- -*`client.top_level_domain`*:: +*`server.top_level_domain`*:: + -- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -40726,7 +42266,7 @@ example: co.uk -- -*`client.user.domain`*:: +*`server.user.domain`*:: + -- Name of the directory the user is a member of. @@ -40736,7 +42276,7 @@ type: keyword -- -*`client.user.email`*:: +*`server.user.email`*:: + -- User email address. @@ -40745,7 +42285,7 @@ type: keyword -- -*`client.user.full_name`*:: +*`server.user.full_name`*:: + -- User's full name, if available. @@ -40756,14 +42296,14 @@ example: Albert Einstein -- -*`client.user.full_name.text`*:: +*`server.user.full_name.text`*:: + -- type: text -- -*`client.user.group.domain`*:: +*`server.user.group.domain`*:: + -- Name of the directory the group is a member of. 
@@ -40773,7 +42313,7 @@ type: keyword -- -*`client.user.group.id`*:: +*`server.user.group.id`*:: + -- Unique identifier for the group on the system/platform. @@ -40782,7 +42322,7 @@ type: keyword -- -*`client.user.group.name`*:: +*`server.user.group.name`*:: + -- Name of the group. @@ -40791,7 +42331,7 @@ type: keyword -- -*`client.user.hash`*:: +*`server.user.hash`*:: + -- Unique user hash to correlate information for a user in anonymized form. @@ -40801,7 +42341,7 @@ type: keyword -- -*`client.user.id`*:: +*`server.user.id`*:: + -- Unique identifier of the user. @@ -40810,7 +42350,7 @@ type: keyword -- -*`client.user.name`*:: +*`server.user.name`*:: + -- Short name or login of the user. @@ -40821,14 +42361,14 @@ example: albert -- -*`client.user.name.text`*:: +*`server.user.name.text`*:: + -- type: text -- -*`client.user.roles`*:: +*`server.user.roles`*:: + -- Array of user roles at the time of the event. 
@@ -40840,354 +42380,115 @@ example: ["kibana_admin", "reporting_user"] -- [float] -=== cloud +=== service -Fields related to the cloud or infrastructure the events are coming from. +The service fields describe the service for or from which the data was collected. +These fields help you find and correlate logs for a specific service and version. -*`cloud.account.id`*:: +*`service.ephemeral_id`*:: + -- -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. type: keyword -example: 666777888999 +example: 8a4f500f -- -*`cloud.account.name`*:: +*`service.id`*:: + -- -The cloud account name or alias used to identify different entities in a multi-tenant environment. -Examples: AWS account name, Google Cloud ORG display name. +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. type: keyword -example: elastic-dev +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 -- -*`cloud.availability_zone`*:: +*`service.name`*:: + -- -Availability zone in which this host, resource, or service is located. +Name of the service data is collected from. +The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. +In the case of Elasticsearch the `service.name` could contain the cluster name. 
For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. type: keyword -example: us-east-1c +example: elasticsearch-metrics -- -*`cloud.instance.id`*:: +*`service.node.name`*:: + -- -Instance ID of the host machine. +Name of a service node. +This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. +In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword -example: i-1234567890abcdef0 +example: instance-0000000016 -- -*`cloud.instance.name`*:: +*`service.state`*:: + -- -Instance name of the host machine. +Current state of the service. type: keyword -- -*`cloud.machine.type`*:: +*`service.type`*:: + -- -Machine type of the host machine. +The type of the service data is collected from. +The type can be used to group and correlate logs and metrics from one service type. +Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. type: keyword -example: t2.medium +example: elasticsearch -- -*`cloud.project.id`*:: +*`service.version`*:: + -- -The cloud project identifier. -Examples: Google Cloud Project id, Azure Project id. - -type: keyword - -example: my-project - --- - -*`cloud.project.name`*:: -+ --- -The cloud project name. -Examples: Google Cloud Project name, Azure Project name. - -type: keyword - -example: my project - --- - -*`cloud.provider`*:: -+ --- -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
- -type: keyword - -example: aws - --- - -*`cloud.region`*:: -+ --- -Region in which this host, resource, or service is located. - -type: keyword - -example: us-east-1 - --- - -*`cloud.service.name`*:: -+ --- -The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. -Examples: app engine, app service, cloud run, fargate, lambda. - -type: keyword - -example: lambda - --- - -[float] -=== code_signature - -These fields contain information about binary code signatures. - - -*`code_signature.exists`*:: -+ --- -Boolean to capture if a signature is present. - -type: boolean - -example: true - --- - -*`code_signature.signing_id`*:: -+ --- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. - -type: keyword - -example: com.apple.xpc.proxy - --- - -*`code_signature.status`*:: -+ --- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - -type: keyword - -example: ERROR_UNTRUSTED_ROOT - --- - -*`code_signature.subject_name`*:: -+ --- -Subject name of the code signer - -type: keyword - -example: Microsoft Corporation - --- - -*`code_signature.team_id`*:: -+ --- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. - -type: keyword - -example: EQHXZ8M8AV - --- - -*`code_signature.trusted`*:: -+ --- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. 
- -type: boolean - -example: true - --- - -*`code_signature.valid`*:: -+ --- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean - -example: true - --- - -[float] -=== container - -Container fields are used for meta information about the specific container that is the source of information. -These fields help correlate data based containers from any runtime. - - -*`container.id`*:: -+ --- -Unique container id. - -type: keyword - --- - -*`container.image.name`*:: -+ --- -Name of the image the container was built on. - -type: keyword - --- - -*`container.image.tag`*:: -+ --- -Container image tags. - -type: keyword - --- - -*`container.labels`*:: -+ --- -Image labels. - -type: object - --- - -*`container.name`*:: -+ --- -Container name. - -type: keyword - --- - -*`container.runtime`*:: -+ --- -Runtime managing this container. +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. type: keyword -example: docker - --- - -[float] -=== data_stream - -The data_stream fields take part in defining the new data stream naming scheme. -In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. -An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. 
For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. - - -*`data_stream.dataset`*:: -+ --- -The field can contain anything that makes sense to signify the source of the data. -Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. -Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: - * Must not contain `-` - * No longer than 100 characters - -type: constant_keyword - -example: nginx.access - --- - -*`data_stream.namespace`*:: -+ --- -A user defined namespace. Namespaces are useful to allow grouping of data. -Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. -Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: - * Must not contain `-` - * No longer than 100 characters - -type: constant_keyword - -example: production - --- - -*`data_stream.type`*:: -+ --- -An overarching type for the data stream. -Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. - -type: constant_keyword - -example: logs +example: 3.2.4 -- [float] -=== destination +=== source -Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. 
-Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. -*`destination.address`*:: +*`source.address`*:: + -- -Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -- -*`destination.as.number`*:: +*`source.as.number`*:: + -- Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. @@ -41198,7 +42499,7 @@ example: 15169 -- -*`destination.as.organization.name`*:: +*`source.as.organization.name`*:: + -- Organization name. 
@@ -41209,17 +42510,17 @@ example: Google LLC -- -*`destination.as.organization.name.text`*:: +*`source.as.organization.name.text`*:: + -- type: text -- -*`destination.bytes`*:: +*`source.bytes`*:: + -- -Bytes sent from the destination to the source. +Bytes sent from the source to the destination. type: long @@ -41229,16 +42530,16 @@ format: bytes -- -*`destination.domain`*:: +*`source.domain`*:: + -- -Destination domain. +Source domain. type: keyword -- -*`destination.geo.city_name`*:: +*`source.geo.city_name`*:: + -- City name. @@ -41249,7 +42550,7 @@ example: Montreal -- -*`destination.geo.continent_code`*:: +*`source.geo.continent_code`*:: + -- Two-letter code representing continent's name. @@ -41260,7 +42561,7 @@ example: NA -- -*`destination.geo.continent_name`*:: +*`source.geo.continent_name`*:: + -- Name of the continent. @@ -41271,7 +42572,7 @@ example: North America -- -*`destination.geo.country_iso_code`*:: +*`source.geo.country_iso_code`*:: + -- Country ISO code. @@ -41282,7 +42583,7 @@ example: CA -- -*`destination.geo.country_name`*:: +*`source.geo.country_name`*:: + -- Country name. @@ -41293,7 +42594,7 @@ example: Canada -- -*`destination.geo.location`*:: +*`source.geo.location`*:: + -- Longitude and latitude. @@ -41304,7 +42605,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`destination.geo.name`*:: +*`source.geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -41317,7 +42618,7 @@ example: boston-dc -- -*`destination.geo.postal_code`*:: +*`source.geo.postal_code`*:: + -- Postal code associated with the location. @@ -41329,7 +42630,7 @@ example: 94040 -- -*`destination.geo.region_iso_code`*:: +*`source.geo.region_iso_code`*:: + -- Region ISO code. @@ -41340,7 +42641,7 @@ example: CA-QC -- -*`destination.geo.region_name`*:: +*`source.geo.region_name`*:: + -- Region name. 
@@ -41351,7 +42652,7 @@ example: Quebec -- -*`destination.geo.timezone`*:: +*`source.geo.timezone`*:: + -- The time zone of the location, such as IANA time zone name. @@ -41362,19 +42663,19 @@ example: America/Argentina/Buenos_Aires -- -*`destination.ip`*:: +*`source.ip`*:: + -- -IP address of the destination (IPv4 or IPv6). +IP address of the source (IPv4 or IPv6). type: ip -- -*`destination.mac`*:: +*`source.mac`*:: + -- -MAC address of the destination. +MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword @@ -41383,20 +42684,20 @@ example: 00-00-5E-00-53-23 -- -*`destination.nat.ip`*:: +*`source.nat.ip`*:: + -- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. type: ip -- -*`destination.nat.port`*:: +*`source.nat.port`*:: + -- -Port the source session is translated to by NAT Device. +Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. type: long @@ -41405,10 +42706,10 @@ format: string -- -*`destination.packets`*:: +*`source.packets`*:: + -- -Packets sent from the destination to the source. +Packets sent from the source to the destination. type: long @@ -41416,10 +42717,10 @@ example: 12 -- -*`destination.port`*:: +*`source.port`*:: + -- -Port of the destination. +Port of the source. type: long 
@@ -41427,10 +42728,10 @@ format: string -- -*`destination.registered_domain`*:: +*`source.registered_domain`*:: + -- -The highest registered destination domain, stripped of the subdomain. +The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". @@ -41440,7 +42741,7 @@ example: example.com -- -*`destination.subdomain`*:: +*`source.subdomain`*:: + -- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. @@ -41452,7 +42753,7 @@ example: east -- -*`destination.top_level_domain`*:: +*`source.top_level_domain`*:: + -- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -41464,7 +42765,7 @@ example: co.uk -- -*`destination.user.domain`*:: +*`source.user.domain`*:: + -- Name of the directory the user is a member of. @@ -41474,7 +42775,7 @@ type: keyword -- -*`destination.user.email`*:: +*`source.user.email`*:: + -- User email address. @@ -41483,7 +42784,7 @@ type: keyword -- -*`destination.user.full_name`*:: +*`source.user.full_name`*:: + -- User's full name, if available. @@ -41494,14 +42795,14 @@ example: Albert Einstein -- -*`destination.user.full_name.text`*:: +*`source.user.full_name.text`*:: + -- type: text -- -*`destination.user.group.domain`*:: +*`source.user.group.domain`*:: + -- Name of the directory the group is a member of. 
@@ -41511,7 +42812,7 @@ type: keyword -- -*`destination.user.group.id`*:: +*`source.user.group.id`*:: + -- Unique identifier for the group on the system/platform. @@ -41520,7 +42821,7 @@ type: keyword -- -*`destination.user.group.name`*:: +*`source.user.group.name`*:: + -- Name of the group. @@ -41529,7 +42830,7 @@ type: keyword -- -*`destination.user.hash`*:: +*`source.user.hash`*:: + -- Unique user hash to correlate information for a user in anonymized form. @@ -41539,7 +42840,7 @@ type: keyword -- -*`destination.user.id`*:: +*`source.user.id`*:: + -- Unique identifier of the user. @@ -41548,7 +42849,7 @@ type: keyword -- -*`destination.user.name`*:: +*`source.user.name`*:: + -- Short name or login of the user. @@ -41559,14 +42860,14 @@ example: albert -- -*`destination.user.name.text`*:: +*`source.user.name.text`*:: + -- type: text -- -*`destination.user.roles`*:: +*`source.user.roles`*:: + -- Array of user roles at the time of the event. 
@@ -41578,487 +42879,256 @@ example: ["kibana_admin", "reporting_user"] -- [float] -=== dll - -These fields contain information about code libraries dynamically loaded into processes. +=== threat -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: -* Dynamic-link library (`.dll`) commonly used on Windows -* Shared Object (`.so`) commonly used on Unix-like operating systems -* Dynamic library (`.dylib`) commonly used on macOS +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. +These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). -*`dll.code_signature.exists`*:: +*`threat.enrichments`*:: + -- -Boolean to capture if a signature is present. - -type: boolean +A list of associated indicators objects enriching the event, and the context of that association/enrichment. -example: true +type: nested -- -*`dll.code_signature.signing_id`*:: +*`threat.enrichments.indicator`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. - -type: keyword +Object containing associated indicators enriching the event. -example: com.apple.xpc.proxy +type: object -- -*`dll.code_signature.status`*:: +*`threat.enrichments.indicator.as.number`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. -type: keyword +type: long -example: ERROR_UNTRUSTED_ROOT +example: 15169 -- -*`dll.code_signature.subject_name`*:: +*`threat.enrichments.indicator.as.organization.name`*:: + -- -Subject name of the code signer +Organization name. type: keyword -example: Microsoft Corporation +example: Google LLC -- -*`dll.code_signature.team_id`*:: +*`threat.enrichments.indicator.as.organization.name.text`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. - -type: keyword - -example: EQHXZ8M8AV +type: text -- -*`dll.code_signature.trusted`*:: +*`threat.enrichments.indicator.confidence`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values: + * Not Specified, None, Low, Medium, High + * 0-10 + * Admirality Scale (1-6) + * DNI Scale (5-95) + * WEP Scale (Impossible - Certain) -type: boolean +type: keyword -example: true +example: High -- -*`dll.code_signature.valid`*:: +*`threat.enrichments.indicator.description`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +Describes the type of action conducted by the threat. -type: boolean +type: keyword -example: true +example: IP x.x.x.x was observed delivering the Angler EK. -- -*`dll.hash.md5`*:: +*`threat.enrichments.indicator.email.address`*:: + -- -MD5 hash. +Identifies a threat indicator as an email address (irrespective of direction). type: keyword +example: phish@example.com + -- -*`dll.hash.sha1`*:: +*`threat.enrichments.indicator.file.accessed`*:: + -- -SHA1 hash. 
+Last time the file was accessed. +Note that not all filesystems keep track of access time. -type: keyword +type: date -- -*`dll.hash.sha256`*:: +*`threat.enrichments.indicator.file.attributes`*:: + -- -SHA256 hash. +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword +example: ["readonly", "system"] + -- -*`dll.hash.sha512`*:: +*`threat.enrichments.indicator.file.code_signature.exists`*:: + -- -SHA512 hash. +Boolean to capture if a signature is present. -type: keyword +type: boolean + +example: true -- -*`dll.hash.ssdeep`*:: +*`threat.enrichments.indicator.file.code_signature.signing_id`*:: + -- -SSDEEP hash. +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword +example: com.apple.xpc.proxy + -- -*`dll.name`*:: +*`threat.enrichments.indicator.file.code_signature.status`*:: + -- -Name of the library. -This generally maps to the name of the file on disk. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword -example: kernel32.dll +example: ERROR_UNTRUSTED_ROOT -- -*`dll.path`*:: +*`threat.enrichments.indicator.file.code_signature.subject_name`*:: + -- -Full file path of the library. +Subject name of the code signer type: keyword -example: C:\Windows\System32\kernel32.dll +example: Microsoft Corporation -- -*`dll.pe.architecture`*:: +*`threat.enrichments.indicator.file.code_signature.team_id`*:: + -- -CPU architecture target for the file. +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only. type: keyword -example: x64 +example: EQHXZ8M8AV -- -*`dll.pe.company`*:: +*`threat.enrichments.indicator.file.code_signature.trusted`*:: + -- -Internal company name of the file, provided at compile-time. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean -example: Microsoft Corporation +example: true -- -*`dll.pe.description`*:: +*`threat.enrichments.indicator.file.code_signature.valid`*:: + -- -Internal description of the file, provided at compile-time. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: keyword +type: boolean -example: Paint +example: true -- -*`dll.pe.file_version`*:: +*`threat.enrichments.indicator.file.created`*:: + -- -Internal version of the file, provided at compile-time. - -type: keyword +File creation time. +Note that not all filesystems store the creation time. -example: 6.3.9600.17415 +type: date -- -*`dll.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`dll.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`dll.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - -[float] -=== dns - -Fields describing DNS queries and answers. 
-DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). - - -*`dns.answers`*:: -+ --- -An array containing an object for each answer section returned by the server. -The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. -Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - -type: object - --- - -*`dns.answers.class`*:: -+ --- -The class of DNS data contained in this resource record. - -type: keyword - -example: IN - --- - -*`dns.answers.data`*:: -+ --- -The data describing the resource. -The meaning of this data depends on the type and class of the resource record. - -type: keyword - -example: 10.10.10.10 - --- - -*`dns.answers.name`*:: -+ --- -The domain name to which this resource record pertains. -If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - -type: keyword - -example: www.example.com - --- - -*`dns.answers.ttl`*:: -+ --- -The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - -type: long - -example: 180 - --- - -*`dns.answers.type`*:: -+ --- -The type of data contained in this resource record. - -type: keyword - -example: CNAME - --- - -*`dns.header_flags`*:: -+ --- -Array of 2 letter DNS header flags. -Expected values are: AA, TC, RD, RA, AD, CD, DO. 
- -type: keyword - -example: ["RD", "RA"] - --- - -*`dns.id`*:: -+ --- -The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - -type: keyword - -example: 62111 - --- - -*`dns.op_code`*:: -+ --- -The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - -type: keyword - -example: QUERY - --- - -*`dns.question.class`*:: -+ --- -The class of records being queried. - -type: keyword - -example: IN - --- - -*`dns.question.name`*:: -+ --- -The name being queried. -If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - -type: keyword - -example: www.example.com - --- - -*`dns.question.registered_domain`*:: -+ --- -The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword - -example: example.com - --- - -*`dns.question.subdomain`*:: -+ --- -The subdomain is all of the labels under the registered_domain. -If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - -type: keyword - -example: www - --- - -*`dns.question.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword - -example: co.uk - --- - -*`dns.question.type`*:: -+ --- -The type of record being queried. - -type: keyword - -example: AAAA - --- - -*`dns.resolved_ip`*:: +*`threat.enrichments.indicator.file.ctime`*:: + -- -Array containing all IPs seen in `answers.data`. -The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - -type: ip +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. -example: ["10.10.10.10", "10.10.10.11"] +type: date -- -*`dns.response_code`*:: +*`threat.enrichments.indicator.file.device`*:: + -- -The DNS response code. +Device that is the source of the file. type: keyword -example: NOERROR +example: sda -- -*`dns.type`*:: +*`threat.enrichments.indicator.file.directory`*:: + -- -The type of DNS event captured, query or answer. -If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. -If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. +Directory where the file is located. It should include the drive letter, when appropriate. type: keyword -example: answer +example: /home/alice -- -[float] -=== ecs - -Meta-information specific to ECS. 
- - -*`ecs.version`*:: +*`threat.enrichments.indicator.file.drive_letter`*:: + -- -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. type: keyword -example: 1.0.0 - -required: True +example: C -- -[float] -=== elf - -These fields contain Linux Executable Linkable Format (ELF) metadata. - - -*`elf.architecture`*:: +*`threat.enrichments.indicator.file.elf.architecture`*:: + -- Machine architecture of the ELF file. @@ -42069,7 +43139,7 @@ example: x86-64 -- -*`elf.byte_order`*:: +*`threat.enrichments.indicator.file.elf.byte_order`*:: + -- Byte sequence of ELF file. @@ -42080,7 +43150,7 @@ example: Little Endian -- -*`elf.cpu_type`*:: +*`threat.enrichments.indicator.file.elf.cpu_type`*:: + -- CPU type of the ELF file. @@ -42091,7 +43161,7 @@ example: Intel -- -*`elf.creation_date`*:: +*`threat.enrichments.indicator.file.elf.creation_date`*:: + -- Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. @@ -42100,7 +43170,7 @@ type: date -- -*`elf.exports`*:: +*`threat.enrichments.indicator.file.elf.exports`*:: + -- List of exported element names and types. @@ -42109,7 +43179,7 @@ type: flattened -- -*`elf.header.abi_version`*:: +*`threat.enrichments.indicator.file.elf.header.abi_version`*:: + -- Version of the ELF Application Binary Interface (ABI). @@ -42118,7 +43188,7 @@ type: keyword -- -*`elf.header.class`*:: +*`threat.enrichments.indicator.file.elf.header.class`*:: + -- Header class of the ELF file. 
@@ -42127,7 +43197,7 @@ type: keyword -- -*`elf.header.data`*:: +*`threat.enrichments.indicator.file.elf.header.data`*:: + -- Data table of the ELF header. @@ -42136,7 +43206,7 @@ type: keyword -- -*`elf.header.entrypoint`*:: +*`threat.enrichments.indicator.file.elf.header.entrypoint`*:: + -- Header entrypoint of the ELF file. @@ -42147,7 +43217,7 @@ format: string -- -*`elf.header.object_version`*:: +*`threat.enrichments.indicator.file.elf.header.object_version`*:: + -- "0x1" for original ELF files. @@ -42156,7 +43226,7 @@ type: keyword -- -*`elf.header.os_abi`*:: +*`threat.enrichments.indicator.file.elf.header.os_abi`*:: + -- Application Binary Interface (ABI) of the Linux OS. @@ -42165,7 +43235,7 @@ type: keyword -- -*`elf.header.type`*:: +*`threat.enrichments.indicator.file.elf.header.type`*:: + -- Header type of the ELF file. @@ -42174,7 +43244,7 @@ type: keyword -- -*`elf.header.version`*:: +*`threat.enrichments.indicator.file.elf.header.version`*:: + -- Version of the ELF header. @@ -42183,7 +43253,7 @@ type: keyword -- -*`elf.imports`*:: +*`threat.enrichments.indicator.file.elf.imports`*:: + -- List of imported element names and types. @@ -42192,7 +43262,7 @@ type: flattened -- -*`elf.sections`*:: +*`threat.enrichments.indicator.file.elf.sections`*:: + -- An array containing an object for each section of the ELF file. @@ -42202,7 +43272,7 @@ type: nested -- -*`elf.sections.chi2`*:: +*`threat.enrichments.indicator.file.elf.sections.chi2`*:: + -- Chi-square probability distribution of the section. @@ -42213,7 +43283,7 @@ format: number -- -*`elf.sections.entropy`*:: +*`threat.enrichments.indicator.file.elf.sections.entropy`*:: + -- Shannon entropy calculation from the section. @@ -42224,7 +43294,7 @@ format: number -- -*`elf.sections.flags`*:: +*`threat.enrichments.indicator.file.elf.sections.flags`*:: + -- ELF Section List flags. 
@@ -42233,7 +43303,7 @@ type: keyword -- -*`elf.sections.name`*:: +*`threat.enrichments.indicator.file.elf.sections.name`*:: + -- ELF Section List name. @@ -42242,7 +43312,7 @@ type: keyword -- -*`elf.sections.physical_offset`*:: +*`threat.enrichments.indicator.file.elf.sections.physical_offset`*:: + -- ELF Section List offset. @@ -42251,7 +43321,7 @@ type: keyword -- -*`elf.sections.physical_size`*:: +*`threat.enrichments.indicator.file.elf.sections.physical_size`*:: + -- ELF Section List physical size. @@ -42262,7 +43332,7 @@ format: bytes -- -*`elf.sections.type`*:: +*`threat.enrichments.indicator.file.elf.sections.type`*:: + -- ELF Section List type. @@ -42271,7 +43341,7 @@ type: keyword -- -*`elf.sections.virtual_address`*:: +*`threat.enrichments.indicator.file.elf.sections.virtual_address`*:: + -- ELF Section List virtual address. @@ -42282,7 +43352,7 @@ format: string -- -*`elf.sections.virtual_size`*:: +*`threat.enrichments.indicator.file.elf.sections.virtual_size`*:: + -- ELF Section List virtual size. @@ -42293,7 +43363,7 @@ format: string -- -*`elf.segments`*:: +*`threat.enrichments.indicator.file.elf.segments`*:: + -- An array containing an object for each segment of the ELF file. @@ -42303,7 +43373,7 @@ type: nested -- -*`elf.segments.sections`*:: +*`threat.enrichments.indicator.file.elf.segments.sections`*:: + -- ELF object segment sections. @@ -42312,7 +43382,7 @@ type: keyword -- -*`elf.segments.type`*:: +*`threat.enrichments.indicator.file.elf.segments.type`*:: + -- ELF object segment type. @@ -42321,7 +43391,7 @@ type: keyword -- -*`elf.shared_libraries`*:: +*`threat.enrichments.indicator.file.elf.shared_libraries`*:: + -- List of shared libraries used by this ELF object. @@ -42330,7 +43400,7 @@ type: keyword -- -*`elf.telfhash`*:: +*`threat.enrichments.indicator.file.elf.telfhash`*:: + -- telfhash symbol hash for ELF file. 
@@ -42339,18588 +43409,10638 @@ type: keyword -- -[float] -=== error - -These fields can represent errors of any kind. -Use them for errors that happen while fetching events or in cases where the event itself contains an error. - - -*`error.code`*:: +*`threat.enrichments.indicator.file.extension`*:: + -- -Error code describing the error. +File extension, excluding the leading dot. +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). type: keyword +example: png + -- -*`error.id`*:: +*`threat.enrichments.indicator.file.gid`*:: + -- -Unique identifier for the error. +Primary group ID (GID) of the file. type: keyword +example: 1001 + -- -*`error.message`*:: +*`threat.enrichments.indicator.file.group`*:: + -- -Error message. +Primary group name of the file. -type: text +type: keyword + +example: alice -- -*`error.stack_trace`*:: +*`threat.enrichments.indicator.file.inode`*:: + -- -The stack trace of this error in plain text. +Inode representing the file in the filesystem. type: keyword -Field is not indexed. +example: 256383 -- -*`error.stack_trace.text`*:: +*`threat.enrichments.indicator.file.mime_type`*:: + -- -type: text +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword -- -*`error.type`*:: +*`threat.enrichments.indicator.file.mode`*:: + -- -The type of the error, for example the class name of the exception. +Mode of the file in octal representation. type: keyword -example: java.lang.NullPointerException +example: 0640 -- -[float] -=== event - -The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. 
Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. - - -*`event.action`*:: +*`threat.enrichments.indicator.file.mtime`*:: + -- -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - -type: keyword +Last time the file content was modified. -example: user-password-change +type: date -- -*`event.agent_id_status`*:: +*`threat.enrichments.indicator.file.name`*:: + -- -Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. -For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. -If no validation is performed then the field should be omitted. -The allowed values are: -`verified` - The `agent.id` field value matches expected value obtained from auth metadata. -`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. -`missing` - There was no `agent.id` field in the event to validate. 
-`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. +Name of the file including the extension, without the directory. type: keyword -example: verified +example: example.png -- -*`event.category`*:: +*`threat.enrichments.indicator.file.owner`*:: + -- -This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. -`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. -This field is an array. This will allow proper categorization of some events that fall in multiple categories. +File owner's username. type: keyword -example: authentication +example: alice -- -*`event.code`*:: +*`threat.enrichments.indicator.file.path`*:: + -- -Identification code for this event, if one exists. -Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. +Full path to the file, including the file name. It should include the drive letter, when appropriate. type: keyword -example: 4648 +example: /home/alice/example.png -- -*`event.created`*:: +*`threat.enrichments.indicator.file.path.text`*:: + -- -event.created contains the date/time when the event was first read by an agent, or by your pipeline. -This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. -In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. -In case the two timestamps are identical, @timestamp should be used. 
- -type: date - -example: 2016-05-23T08:05:34.857Z +type: text -- -*`event.dataset`*:: +*`threat.enrichments.indicator.file.size`*:: + -- -Name of the dataset. -If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. -It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. +File size in bytes. +Only relevant when `file.type` is "file". -type: keyword +type: long -example: apache.access +example: 16384 -- -*`event.duration`*:: +*`threat.enrichments.indicator.file.target_path`*:: + -- -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. - -type: long +Target path for symlinks. -format: duration +type: keyword -- -*`event.end`*:: +*`threat.enrichments.indicator.file.target_path.text`*:: + -- -event.end contains the date when the event ended or when the activity was last observed. - -type: date +type: text -- -*`event.hash`*:: +*`threat.enrichments.indicator.file.type`*:: + -- -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +File type (file, dir, or symlink). type: keyword -example: 123456789012345678901234567890ABCD +example: file -- -*`event.id`*:: +*`threat.enrichments.indicator.file.uid`*:: + -- -Unique ID to describe the event. +The user ID (UID) or security identifier (SID) of the file owner. type: keyword -example: 8a4f500d +example: 1001 -- -*`event.ingested`*:: +*`threat.enrichments.indicator.first_seen`*:: + -- -Timestamp when an event arrived in the central data store. -This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
-In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. +The date and time when intelligence source first reported sighting this indicator. type: date -example: 2016-05-23T08:05:35.101Z +example: 2020-11-05T17:25:47.000Z -- -*`event.kind`*:: +*`threat.enrichments.indicator.geo.city_name`*:: + -- -This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. -`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. -The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. +City name. type: keyword -example: alert +example: Montreal -- -*`event.module`*:: +*`threat.enrichments.indicator.geo.continent_code`*:: + -- -Name of the module this data is coming from. -If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. +Two-letter code representing continent's name. type: keyword -example: apache +example: NA -- -*`event.original`*:: +*`threat.enrichments.indicator.geo.continent_name`*:: + -- -Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. +Name of the continent. 
type: keyword -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - -Field is not indexed. +example: North America -- -*`event.outcome`*:: +*`threat.enrichments.indicator.geo.country_iso_code`*:: + -- -This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. -Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. -Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. -Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. +Country ISO code. type: keyword -example: success +example: CA -- -*`event.provider`*:: +*`threat.enrichments.indicator.geo.country_name`*:: + -- -Source of the event. -Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). +Country name. type: keyword -example: kernel +example: Canada -- -*`event.reason`*:: +*`threat.enrichments.indicator.geo.location`*:: + -- -Reason why this event happened, according to the source. -This describes the why of a particular action or outcome captured in the event. 
Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). +Longitude and latitude. -type: keyword +type: geo_point -example: Terminated an unexpected process +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`event.reference`*:: +*`threat.enrichments.indicator.geo.name`*:: + -- -Reference URL linking to additional information about this event. -This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: https://system.example.com/event/#0001234 +example: boston-dc -- -*`event.risk_score`*:: +*`threat.enrichments.indicator.geo.postal_code`*:: + -- -Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. -type: float +type: keyword + +example: 94040 -- -*`event.risk_score_norm`*:: +*`threat.enrichments.indicator.geo.region_iso_code`*:: + -- -Normalized risk score or priority of the event, on a scale of 0 to 100. -This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. +Region ISO code. -type: float +type: keyword + +example: CA-QC -- -*`event.sequence`*:: +*`threat.enrichments.indicator.geo.region_name`*:: + -- -Sequence number of the event. 
-The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. +Region name. -type: long +type: keyword -format: string +example: Quebec -- -*`event.severity`*:: +*`threat.enrichments.indicator.geo.timezone`*:: + -- -The numeric severity of the event according to your event source. -What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. -The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - -type: long +The time zone of the location, such as IANA time zone name. -example: 7 +type: keyword -format: string +example: America/Argentina/Buenos_Aires -- -*`event.start`*:: +*`threat.enrichments.indicator.hash.md5`*:: + -- -event.start contains the date when the event started or when the activity was first observed. +MD5 hash. -type: date +type: keyword -- -*`event.timezone`*:: +*`threat.enrichments.indicator.hash.sha1`*:: + -- -This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. -Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +SHA1 hash. type: keyword -- -*`event.type`*:: +*`threat.enrichments.indicator.hash.sha256`*:: + -- -This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
-`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. -This field is an array. This will allow proper categorization of some events that fall in multiple event types. +SHA256 hash. type: keyword -- -*`event.url`*:: +*`threat.enrichments.indicator.hash.sha512`*:: + -- -URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +SHA512 hash. type: keyword -example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe - -- -[float] -=== file - -A file is defined as a set of information that has been created on, or has existed on a filesystem. -File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. - - -*`file.accessed`*:: +*`threat.enrichments.indicator.hash.ssdeep`*:: + -- -Last time the file was accessed. -Note that not all filesystems keep track of access time. +SSDEEP hash. -type: date +type: keyword -- -*`file.attributes`*:: +*`threat.enrichments.indicator.ip`*:: + -- -Array of file attributes. -Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +Identifies a threat indicator as an IP address (irrespective of direction). -type: keyword +type: ip -example: ["readonly", "system"] +example: 1.2.3.4 -- -*`file.code_signature.exists`*:: +*`threat.enrichments.indicator.last_seen`*:: + -- -Boolean to capture if a signature is present. 
+The date and time when intelligence source last reported sighting this indicator. -type: boolean +type: date -example: true +example: 2020-11-05T17:25:47.000Z -- -*`file.code_signature.signing_id`*:: +*`threat.enrichments.indicator.marking.tlp`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. +Traffic Light Protocol sharing markings. Recommended values are: + * WHITE + * GREEN + * AMBER + * RED type: keyword -example: com.apple.xpc.proxy +example: White -- -*`file.code_signature.status`*:: +*`threat.enrichments.indicator.modified_at`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +The date and time when intelligence source last modified information for this indicator. -type: keyword +type: date -example: ERROR_UNTRUSTED_ROOT +example: 2020-11-05T17:25:47.000Z -- -*`file.code_signature.subject_name`*:: +*`threat.enrichments.indicator.pe.architecture`*:: + -- -Subject name of the code signer +CPU architecture target for the file. type: keyword -example: Microsoft Corporation +example: x64 -- -*`file.code_signature.team_id`*:: +*`threat.enrichments.indicator.pe.company`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. +Internal company name of the file, provided at compile-time. type: keyword -example: EQHXZ8M8AV +example: Microsoft Corporation -- -*`file.code_signature.trusted`*:: +*`threat.enrichments.indicator.pe.description`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. 
+Internal description of the file, provided at compile-time. -type: boolean +type: keyword -example: true +example: Paint -- -*`file.code_signature.valid`*:: +*`threat.enrichments.indicator.pe.file_version`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +Internal version of the file, provided at compile-time. -type: boolean +type: keyword -example: true +example: 6.3.9600.17415 -- -*`file.created`*:: +*`threat.enrichments.indicator.pe.imphash`*:: + -- -File creation time. -Note that not all filesystems store the creation time. +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. -type: date +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf -- -*`file.ctime`*:: +*`threat.enrichments.indicator.pe.original_file_name`*:: + -- -Last time the file attributes or metadata changed. -Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. +Internal name of the file, provided at compile-time. -type: date +type: keyword + +example: MSPAINT.EXE -- -*`file.device`*:: +*`threat.enrichments.indicator.pe.product`*:: + -- -Device that is the source of the file. +Internal product name of the file, provided at compile-time. type: keyword -example: sda +example: Microsoft® Windows® Operating System -- -*`file.directory`*:: +*`threat.enrichments.indicator.port`*:: + -- -Directory where the file is located. It should include the drive letter, when appropriate. +Identifies a threat indicator as a port number (irrespective of direction). 
-type: keyword +type: long -example: /home/alice +example: 443 -- -*`file.drive_letter`*:: +*`threat.enrichments.indicator.provider`*:: + -- -Drive letter where the file is located. This field is only relevant on Windows. -The value should be uppercase, and not include the colon. +The name of the indicator's provider. type: keyword -example: C +example: lrz_urlhaus -- -*`file.elf.architecture`*:: +*`threat.enrichments.indicator.reference`*:: + -- -Machine architecture of the ELF file. +Reference URL linking to additional information about this indicator. type: keyword -example: x86-64 +example: https://system.example.com/indicator/0001234 -- -*`file.elf.byte_order`*:: +*`threat.enrichments.indicator.registry.data.bytes`*:: + -- -Byte sequence of ELF file. +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. type: keyword -example: Little Endian +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= -- -*`file.elf.cpu_type`*:: +*`threat.enrichments.indicator.registry.data.strings`*:: + -- -CPU type of the ELF file. +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). type: keyword -example: Intel +example: ["C:\rta\red_ttp\bin\myapp.exe"] -- -*`file.elf.creation_date`*:: +*`threat.enrichments.indicator.registry.data.type`*:: + -- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. 
+Standard registry type for encoding contents -type: date +type: keyword + +example: REG_SZ -- -*`file.elf.exports`*:: +*`threat.enrichments.indicator.registry.hive`*:: + -- -List of exported element names and types. +Abbreviated name for the hive. -type: flattened +type: keyword + +example: HKLM -- -*`file.elf.header.abi_version`*:: +*`threat.enrichments.indicator.registry.key`*:: + -- -Version of the ELF Application Binary Interface (ABI). +Hive-relative path of keys. type: keyword +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + -- -*`file.elf.header.class`*:: +*`threat.enrichments.indicator.registry.path`*:: + -- -Header class of the ELF file. +Full path, including hive, key and value type: keyword +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + -- -*`file.elf.header.data`*:: +*`threat.enrichments.indicator.registry.value`*:: + -- -Data table of the ELF header. +Name of the value written. type: keyword +example: Debugger + -- -*`file.elf.header.entrypoint`*:: +*`threat.enrichments.indicator.scanner_stats`*:: + -- -Header entrypoint of the ELF file. +Count of AV/EDR vendors that successfully detected malicious file or URL. type: long -format: string +example: 4 -- -*`file.elf.header.object_version`*:: +*`threat.enrichments.indicator.sightings`*:: + -- -"0x1" for original ELF files. +Number of times this indicator was observed conducting threat activity. -type: keyword +type: long + +example: 20 -- -*`file.elf.header.os_abi`*:: +*`threat.enrichments.indicator.type`*:: + -- -Application Binary Interface (ABI) of the Linux OS. +Type of indicator as represented by Cyber Observable in STIX 2.0. 
Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate type: keyword +example: ipv4-addr + -- -*`file.elf.header.type`*:: +*`threat.enrichments.indicator.url.domain`*:: + -- -Header type of the ELF file. +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword +example: www.elastic.co + -- -*`file.elf.header.version`*:: +*`threat.enrichments.indicator.url.extension`*:: + -- -Version of the ELF header. +The field contains the file extension from the original request url, excluding the leading dot. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). type: keyword +example: png + -- -*`file.elf.imports`*:: +*`threat.enrichments.indicator.url.fragment`*:: + -- -List of imported element names and types. +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. -type: flattened +type: keyword -- -*`file.elf.sections`*:: +*`threat.enrichments.indicator.url.full`*:: + -- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. 
+If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: nested +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top -- -*`file.elf.sections.chi2`*:: +*`threat.enrichments.indicator.url.full.text`*:: + -- -Chi-square probability distribution of the section. - -type: long - -format: number +type: text -- -*`file.elf.sections.entropy`*:: +*`threat.enrichments.indicator.url.original`*:: + -- -Shannon entropy calculation from the section. +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. -type: long +type: keyword -format: number +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch -- -*`file.elf.sections.flags`*:: +*`threat.enrichments.indicator.url.original.text`*:: + -- -ELF Section List flags. - -type: keyword +type: text -- -*`file.elf.sections.name`*:: +*`threat.enrichments.indicator.url.password`*:: + -- -ELF Section List name. +Password of the request. type: keyword -- -*`file.elf.sections.physical_offset`*:: +*`threat.enrichments.indicator.url.path`*:: + -- -ELF Section List offset. +Path of the request, such as "/search". type: keyword -- -*`file.elf.sections.physical_size`*:: +*`threat.enrichments.indicator.url.port`*:: + -- -ELF Section List physical size. +Port of the request, such as 443. type: long -format: bytes +example: 443 + +format: string -- -*`file.elf.sections.type`*:: +*`threat.enrichments.indicator.url.query`*:: + -- -ELF Section List type. +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. 
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. type: keyword -- -*`file.elf.sections.virtual_address`*:: +*`threat.enrichments.indicator.url.registered_domain`*:: + -- -ELF Section List virtual address. +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: long +type: keyword -format: string +example: example.com -- -*`file.elf.sections.virtual_size`*:: +*`threat.enrichments.indicator.url.scheme`*:: + -- -ELF Section List virtual size. +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. -type: long +type: keyword -format: string +example: https -- -*`file.elf.segments`*:: +*`threat.enrichments.indicator.url.subdomain`*:: + -- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. -type: nested +type: keyword + +example: east -- -*`file.elf.segments.sections`*:: +*`threat.enrichments.indicator.url.top_level_domain`*:: + -- -ELF object segment sections. 
+The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword +example: co.uk + -- -*`file.elf.segments.type`*:: +*`threat.enrichments.indicator.url.username`*:: + -- -ELF object segment type. +Username of the request. type: keyword -- -*`file.elf.shared_libraries`*:: +*`threat.enrichments.indicator.x509.alternative_names`*:: + -- -List of shared libraries used by this ELF object. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword +example: *.elastic.co + -- -*`file.elf.telfhash`*:: +*`threat.enrichments.indicator.x509.issuer.common_name`*:: + -- -telfhash symbol hash for ELF file. +List of common name (CN) of issuing certificate authority. type: keyword +example: Example SHA2 High Assurance Server CA + -- -*`file.extension`*:: +*`threat.enrichments.indicator.x509.issuer.country`*:: + -- -File extension, excluding the leading dot. -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). +List of country (C) codes type: keyword -example: png +example: US -- -*`file.gid`*:: +*`threat.enrichments.indicator.x509.issuer.distinguished_name`*:: + -- -Primary group ID (GID) of the file. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: 1001 +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`file.group`*:: +*`threat.enrichments.indicator.x509.issuer.locality`*:: + -- -Primary group name of the file. 
+List of locality names (L) type: keyword -example: alice +example: Mountain View -- -*`file.hash.md5`*:: +*`threat.enrichments.indicator.x509.issuer.organization`*:: + -- -MD5 hash. +List of organizations (O) of issuing certificate authority. type: keyword +example: Example Inc + -- -*`file.hash.sha1`*:: +*`threat.enrichments.indicator.x509.issuer.organizational_unit`*:: + -- -SHA1 hash. +List of organizational units (OU) of issuing certificate authority. type: keyword +example: www.example.com + -- -*`file.hash.sha256`*:: +*`threat.enrichments.indicator.x509.issuer.state_or_province`*:: + -- -SHA256 hash. +List of state or province names (ST, S, or P) type: keyword +example: California + -- -*`file.hash.sha512`*:: +*`threat.enrichments.indicator.x509.not_after`*:: + -- -SHA512 hash. +Time at which the certificate is no longer considered valid. -type: keyword +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`file.hash.ssdeep`*:: +*`threat.enrichments.indicator.x509.not_before`*:: + -- -SSDEEP hash. +Time at which the certificate is first considered valid. -type: keyword +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`file.inode`*:: +*`threat.enrichments.indicator.x509.public_key_algorithm`*:: + -- -Inode representing the file in the filesystem. +Algorithm used to generate the public key. type: keyword -example: 256383 +example: RSA -- -*`file.mime_type`*:: +*`threat.enrichments.indicator.x509.public_key_curve`*:: + -- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`file.mode`*:: +*`threat.enrichments.indicator.x509.public_key_exponent`*:: + -- -Mode of the file in octal representation. 
+Exponent used to derive the public key. This is algorithm specific. -type: keyword +type: long -example: 0640 +example: 65537 + +Field is not indexed. -- -*`file.mtime`*:: +*`threat.enrichments.indicator.x509.public_key_size`*:: + -- -Last time the file content was modified. +The size of the public key space in bits. -type: date +type: long + +example: 2048 -- -*`file.name`*:: +*`threat.enrichments.indicator.x509.serial_number`*:: + -- -Name of the file including the extension, without the directory. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: example.png +example: 55FBB9C7DEBF09809D12CCAA -- -*`file.owner`*:: +*`threat.enrichments.indicator.x509.signature_algorithm`*:: + -- -File owner's username. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: alice +example: SHA256-RSA -- -*`file.path`*:: +*`threat.enrichments.indicator.x509.subject.common_name`*:: + -- -Full path to the file, including the file name. It should include the drive letter, when appropriate. +List of common names (CN) of subject. type: keyword -example: /home/alice/example.png +example: shared.global.example.net -- -*`file.path.text`*:: +*`threat.enrichments.indicator.x509.subject.country`*:: + -- -type: text +List of country (C) code + +type: keyword + +example: US -- -*`file.pe.architecture`*:: +*`threat.enrichments.indicator.x509.subject.distinguished_name`*:: + -- -CPU architecture target for the file. +Distinguished name (DN) of the certificate subject entity. 
type: keyword -example: x64 +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`file.pe.company`*:: +*`threat.enrichments.indicator.x509.subject.locality`*:: + -- -Internal company name of the file, provided at compile-time. +List of locality names (L) type: keyword -example: Microsoft Corporation +example: San Francisco -- -*`file.pe.description`*:: +*`threat.enrichments.indicator.x509.subject.organization`*:: + -- -Internal description of the file, provided at compile-time. +List of organizations (O) of subject. type: keyword -example: Paint +example: Example, Inc. -- -*`file.pe.file_version`*:: +*`threat.enrichments.indicator.x509.subject.organizational_unit`*:: + -- -Internal version of the file, provided at compile-time. +List of organizational units (OU) of subject. type: keyword -example: 6.3.9600.17415 - -- -*`file.pe.imphash`*:: +*`threat.enrichments.indicator.x509.subject.state_or_province`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. +List of state or province names (ST, S, or P) type: keyword -example: 0c6803c4e922103c4dca5963aad36ddf +example: California -- -*`file.pe.original_file_name`*:: +*`threat.enrichments.indicator.x509.version_number`*:: + -- -Internal name of the file, provided at compile-time. +Version of x509 format. type: keyword -example: MSPAINT.EXE +example: 3 -- -*`file.pe.product`*:: +*`threat.enrichments.matched.atomic`*:: + -- -Internal product name of the file, provided at compile-time. +Identifies the atomic indicator value that matched a local environment endpoint or network event. 
type: keyword -example: Microsoft® Windows® Operating System +example: bad-domain.com -- -*`file.size`*:: +*`threat.enrichments.matched.field`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +Identifies the field of the atomic indicator that matched a local environment endpoint or network event. -type: long +type: keyword -example: 16384 +example: file.hash.sha256 -- -*`file.target_path`*:: +*`threat.enrichments.matched.id`*:: + -- -Target path for symlinks. +Identifies the _id of the indicator document enriching the event. type: keyword --- - -*`file.target_path.text`*:: -+ --- -type: text +example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 -- -*`file.type`*:: +*`threat.enrichments.matched.index`*:: + -- -File type (file, dir, or symlink). +Identifies the _index of the indicator document enriching the event. type: keyword -example: file +example: filebeat-8.0.0-2021.05.23-000011 -- -*`file.uid`*:: +*`threat.enrichments.matched.type`*:: + -- -The user ID (UID) or security identifier (SID) of the file owner. +Identifies the type of match that caused the event to be enriched with the given indicator type: keyword -example: 1001 +example: indicator_match_rule -- -*`file.x509.alternative_names`*:: +*`threat.framework`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. +Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. type: keyword -example: *.elastic.co +example: MITRE ATT&CK -- -*`file.x509.issuer.common_name`*:: +*`threat.group.alias`*:: + -- -List of common name (CN) of issuing certificate authority. 
+The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). type: keyword -example: Example SHA2 High Assurance Server CA +example: [ "Magecart Group 6" ] -- -*`file.x509.issuer.country`*:: +*`threat.group.id`*:: + -- -List of country (C) codes +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. type: keyword -example: US +example: G0037 -- -*`file.x509.issuer.distinguished_name`*:: +*`threat.group.name`*:: + -- -Distinguished name (DN) of issuing certificate authority. +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. type: keyword -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA +example: FIN6 -- -*`file.x509.issuer.locality`*:: +*`threat.group.reference`*:: + -- -List of locality names (L) +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword -example: Mountain View +example: https://attack.mitre.org/groups/G0037/ -- -*`file.x509.issuer.organization`*:: +*`threat.indicator.as.number`*:: + -- -List of organizations (O) of issuing certificate authority. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -type: keyword +type: long -example: Example Inc +example: 15169 -- -*`file.x509.issuer.organizational_unit`*:: +*`threat.indicator.as.organization.name`*:: + -- -List of organizational units (OU) of issuing certificate authority. +Organization name. 
type: keyword -example: www.example.com +example: Google LLC -- -*`file.x509.issuer.state_or_province`*:: +*`threat.indicator.as.organization.name.text`*:: + -- -List of state or province names (ST, S, or P) - -type: keyword - -example: California +type: text -- -*`file.x509.not_after`*:: +*`threat.indicator.confidence`*:: + -- -Time at which the certificate is no longer considered valid. +Identifies the confidence rating assigned by the provider using STIX confidence scales. +Recommended values: + * Not Specified, None, Low, Medium, High + * 0-10 + * Admirality Scale (1-6) + * DNI Scale (5-95) + * WEP Scale (Impossible - Certain) -type: date +type: keyword -example: 2020-07-16 03:15:39+00:00 +example: High -- -*`file.x509.not_before`*:: +*`threat.indicator.description`*:: + -- -Time at which the certificate is first considered valid. +Describes the type of action conducted by the threat. -type: date +type: keyword -example: 2019-08-16 01:40:25+00:00 +example: IP x.x.x.x was observed delivering the Angler EK. -- -*`file.x509.public_key_algorithm`*:: +*`threat.indicator.email.address`*:: + -- -Algorithm used to generate the public key. +Identifies a threat indicator as an email address (irrespective of direction). type: keyword -example: RSA +example: phish@example.com -- -*`file.x509.public_key_curve`*:: +*`threat.indicator.file.accessed`*:: + -- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - -type: keyword +Last time the file was accessed. +Note that not all filesystems keep track of access time. -example: nistp521 +type: date -- -*`file.x509.public_key_exponent`*:: +*`threat.indicator.file.attributes`*:: + -- -Exponent used to derive the public key. This is algorithm specific. - -type: long +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. 
-example: 65537 +type: keyword -Field is not indexed. +example: ["readonly", "system"] -- -*`file.x509.public_key_size`*:: +*`threat.indicator.file.code_signature.exists`*:: + -- -The size of the public key space in bits. +Boolean to capture if a signature is present. -type: long +type: boolean -example: 2048 +example: true -- -*`file.x509.serial_number`*:: +*`threat.indicator.file.code_signature.signing_id`*:: + -- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword -example: 55FBB9C7DEBF09809D12CCAA +example: com.apple.xpc.proxy -- -*`file.x509.signature_algorithm`*:: +*`threat.indicator.file.code_signature.status`*:: + -- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword -example: SHA256-RSA +example: ERROR_UNTRUSTED_ROOT -- -*`file.x509.subject.common_name`*:: +*`threat.indicator.file.code_signature.subject_name`*:: + -- -List of common names (CN) of subject. +Subject name of the code signer type: keyword -example: shared.global.example.net +example: Microsoft Corporation -- -*`file.x509.subject.country`*:: +*`threat.indicator.file.code_signature.team_id`*:: + -- -List of country (C) code +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. 
type: keyword -example: US +example: EQHXZ8M8AV -- -*`file.x509.subject.distinguished_name`*:: +*`threat.indicator.file.code_signature.trusted`*:: + -- -Distinguished name (DN) of the certificate subject entity. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net +example: true -- -*`file.x509.subject.locality`*:: +*`threat.indicator.file.code_signature.valid`*:: + -- -List of locality names (L) +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: keyword +type: boolean -example: San Francisco +example: true -- -*`file.x509.subject.organization`*:: +*`threat.indicator.file.created`*:: + -- -List of organizations (O) of subject. - -type: keyword +File creation time. +Note that not all filesystems store the creation time. -example: Example, Inc. +type: date -- -*`file.x509.subject.organizational_unit`*:: +*`threat.indicator.file.ctime`*:: + -- -List of organizational units (OU) of subject. +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. -type: keyword +type: date -- -*`file.x509.subject.state_or_province`*:: +*`threat.indicator.file.device`*:: + -- -List of state or province names (ST, S, or P) +Device that is the source of the file. type: keyword -example: California +example: sda -- -*`file.x509.version_number`*:: +*`threat.indicator.file.directory`*:: + -- -Version of x509 format. +Directory where the file is located. It should include the drive letter, when appropriate. 
type: keyword -example: 3 +example: /home/alice -- -[float] -=== geo - -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. - - -*`geo.city_name`*:: +*`threat.indicator.file.drive_letter`*:: + -- -City name. +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. type: keyword -example: Montreal +example: C -- -*`geo.continent_code`*:: +*`threat.indicator.file.elf.architecture`*:: + -- -Two-letter code representing continent's name. +Machine architecture of the ELF file. type: keyword -example: NA +example: x86-64 -- -*`geo.continent_name`*:: +*`threat.indicator.file.elf.byte_order`*:: + -- -Name of the continent. +Byte sequence of ELF file. type: keyword -example: North America +example: Little Endian -- -*`geo.country_iso_code`*:: +*`threat.indicator.file.elf.cpu_type`*:: + -- -Country ISO code. +CPU type of the ELF file. type: keyword -example: CA +example: Intel -- -*`geo.country_name`*:: +*`threat.indicator.file.elf.creation_date`*:: + -- -Country name. - -type: keyword +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. -example: Canada +type: date -- -*`geo.location`*:: +*`threat.indicator.file.elf.exports`*:: + -- -Longitude and latitude. - -type: geo_point +List of exported element names and types. -example: { "lon": -73.614830, "lat": 45.505918 } +type: flattened -- -*`geo.name`*:: +*`threat.indicator.file.elf.header.abi_version`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +Version of the ELF Application Binary Interface (ABI). 
type: keyword -example: boston-dc - -- -*`geo.postal_code`*:: +*`threat.indicator.file.elf.header.class`*:: + -- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. +Header class of the ELF file. type: keyword -example: 94040 - -- -*`geo.region_iso_code`*:: +*`threat.indicator.file.elf.header.data`*:: + -- -Region ISO code. +Data table of the ELF header. type: keyword -example: CA-QC - -- -*`geo.region_name`*:: +*`threat.indicator.file.elf.header.entrypoint`*:: + -- -Region name. +Header entrypoint of the ELF file. -type: keyword +type: long -example: Quebec +format: string -- -*`geo.timezone`*:: +*`threat.indicator.file.elf.header.object_version`*:: + -- -The time zone of the location, such as IANA time zone name. +"0x1" for original ELF files. type: keyword -example: America/Argentina/Buenos_Aires - -- -[float] -=== group +*`threat.indicator.file.elf.header.os_abi`*:: ++ +-- +Application Binary Interface (ABI) of the Linux OS. -The group fields are meant to represent groups that are relevant to the event. +type: keyword +-- -*`group.domain`*:: +*`threat.indicator.file.elf.header.type`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Header type of the ELF file. type: keyword -- -*`group.id`*:: +*`threat.indicator.file.elf.header.version`*:: + -- -Unique identifier for the group on the system/platform. +Version of the ELF header. type: keyword -- -*`group.name`*:: +*`threat.indicator.file.elf.imports`*:: + -- -Name of the group. +List of imported element names and types. -type: keyword +type: flattened -- -[float] -=== hash +*`threat.indicator.file.elf.sections`*:: ++ +-- +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. 
-The hash fields represent different bitwise hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). -Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). +type: nested +-- -*`hash.md5`*:: +*`threat.indicator.file.elf.sections.chi2`*:: + -- -MD5 hash. +Chi-square probability distribution of the section. -type: keyword +type: long + +format: number -- -*`hash.sha1`*:: +*`threat.indicator.file.elf.sections.entropy`*:: + -- -SHA1 hash. +Shannon entropy calculation from the section. -type: keyword +type: long + +format: number -- -*`hash.sha256`*:: +*`threat.indicator.file.elf.sections.flags`*:: + -- -SHA256 hash. +ELF Section List flags. type: keyword -- -*`hash.sha512`*:: +*`threat.indicator.file.elf.sections.name`*:: + -- -SHA512 hash. +ELF Section List name. type: keyword -- -*`hash.ssdeep`*:: +*`threat.indicator.file.elf.sections.physical_offset`*:: + -- -SSDEEP hash. +ELF Section List offset. type: keyword -- -[float] -=== host +*`threat.indicator.file.elf.sections.physical_size`*:: ++ +-- +ELF Section List physical size. -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +type: long +format: bytes -*`host.architecture`*:: +-- + +*`threat.indicator.file.elf.sections.type`*:: + -- -Operating system architecture. +ELF Section List type. 
type: keyword -example: x86_64 - -- -*`host.cpu.usage`*:: +*`threat.indicator.file.elf.sections.virtual_address`*:: + -- -Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. -Scaling factor: 1000. -For example: For a two core host, this value should be the average of the two cores, between 0 and 1. +ELF Section List virtual address. -type: scaled_float +type: long + +format: string -- -*`host.disk.read.bytes`*:: +*`threat.indicator.file.elf.sections.virtual_size`*:: + -- -The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. +ELF Section List virtual size. type: long +format: string + -- -*`host.disk.write.bytes`*:: +*`threat.indicator.file.elf.segments`*:: + -- -The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. -type: long +type: nested -- -*`host.domain`*:: +*`threat.indicator.file.elf.segments.sections`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +ELF object segment sections. type: keyword -example: CONTOSO - -- -*`host.geo.city_name`*:: +*`threat.indicator.file.elf.segments.type`*:: + -- -City name. +ELF object segment type. type: keyword -example: Montreal - -- -*`host.geo.continent_code`*:: +*`threat.indicator.file.elf.shared_libraries`*:: + -- -Two-letter code representing continent's name. +List of shared libraries used by this ELF object. type: keyword -example: NA - -- -*`host.geo.continent_name`*:: +*`threat.indicator.file.elf.telfhash`*:: + -- -Name of the continent. +telfhash symbol hash for ELF file. 
type: keyword -example: North America - -- -*`host.geo.country_iso_code`*:: +*`threat.indicator.file.extension`*:: + -- -Country ISO code. +File extension, excluding the leading dot. +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). type: keyword -example: CA +example: png -- -*`host.geo.country_name`*:: +*`threat.indicator.file.gid`*:: + -- -Country name. +Primary group ID (GID) of the file. type: keyword -example: Canada +example: 1001 -- -*`host.geo.location`*:: +*`threat.indicator.file.group`*:: + -- -Longitude and latitude. +Primary group name of the file. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: alice -- -*`host.geo.name`*:: +*`threat.indicator.file.inode`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +Inode representing the file in the filesystem. type: keyword -example: boston-dc +example: 256383 -- -*`host.geo.postal_code`*:: +*`threat.indicator.file.mime_type`*:: + -- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword -example: 94040 - -- -*`host.geo.region_iso_code`*:: +*`threat.indicator.file.mode`*:: + -- -Region ISO code. +Mode of the file in octal representation. type: keyword -example: CA-QC +example: 0640 -- -*`host.geo.region_name`*:: +*`threat.indicator.file.mtime`*:: + -- -Region name. 
- -type: keyword +Last time the file content was modified. -example: Quebec +type: date -- -*`host.geo.timezone`*:: +*`threat.indicator.file.name`*:: + -- -The time zone of the location, such as IANA time zone name. +Name of the file including the extension, without the directory. type: keyword -example: America/Argentina/Buenos_Aires +example: example.png -- -*`host.hostname`*:: +*`threat.indicator.file.owner`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +File owner's username. type: keyword +example: alice + -- -*`host.id`*:: +*`threat.indicator.file.path`*:: + -- -Unique host id. -As hostname is not always unique, use values that are meaningful in your environment. -Example: The current usage of `beat.name`. +Full path to the file, including the file name. It should include the drive letter, when appropriate. type: keyword +example: /home/alice/example.png + -- -*`host.ip`*:: +*`threat.indicator.file.path.text`*:: + -- -Host ip addresses. - -type: ip +type: text -- -*`host.mac`*:: +*`threat.indicator.file.size`*:: + -- -Host MAC addresses. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. +File size in bytes. +Only relevant when `file.type` is "file". -type: keyword +type: long -example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] +example: 16384 -- -*`host.name`*:: +*`threat.indicator.file.target_path`*:: + -- -Name of the host. -It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +Target path for symlinks. 
type: keyword -- -*`host.network.egress.bytes`*:: +*`threat.indicator.file.target_path.text`*:: + -- -The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. - -type: long +type: text -- -*`host.network.egress.packets`*:: +*`threat.indicator.file.type`*:: + -- -The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. +File type (file, dir, or symlink). -type: long +type: keyword + +example: file -- -*`host.network.ingress.bytes`*:: +*`threat.indicator.file.uid`*:: + -- -The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. +The user ID (UID) or security identifier (SID) of the file owner. -type: long +type: keyword + +example: 1001 -- -*`host.network.ingress.packets`*:: +*`threat.indicator.first_seen`*:: + -- -The number of packets (gauge) received on all network interfaces by the host since the last metric collection. +The date and time when intelligence source first reported sighting this indicator. -type: long +type: date + +example: 2020-11-05T17:25:47.000Z -- -*`host.os.family`*:: +*`threat.indicator.geo.city_name`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +City name. type: keyword -example: debian +example: Montreal -- -*`host.os.full`*:: +*`threat.indicator.geo.continent_code`*:: + -- -Operating system name, including the version or code name. +Two-letter code representing continent's name. type: keyword -example: Mac OS Mojave +example: NA -- -*`host.os.full.text`*:: +*`threat.indicator.geo.continent_name`*:: + -- -type: text +Name of the continent. + +type: keyword + +example: North America -- -*`host.os.kernel`*:: +*`threat.indicator.geo.country_iso_code`*:: + -- -Operating system kernel version as a raw string. +Country ISO code. 
type: keyword -example: 4.4.0-112-generic +example: CA -- -*`host.os.name`*:: +*`threat.indicator.geo.country_name`*:: + -- -Operating system name, without the version. +Country name. type: keyword -example: Mac OS X +example: Canada -- -*`host.os.name.text`*:: +*`threat.indicator.geo.location`*:: + -- -type: text +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`host.os.platform`*:: +*`threat.indicator.geo.name`*:: + -- -Operating system platform (such centos, ubuntu, windows). +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: darwin +example: boston-dc -- -*`host.os.type`*:: +*`threat.indicator.geo.postal_code`*:: + -- -Use the `os.type` field to categorize the operating system into one of the broad commercial families. -One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. type: keyword -example: macos +example: 94040 -- -*`host.os.version`*:: +*`threat.indicator.geo.region_iso_code`*:: + -- -Operating system version as a raw string. +Region ISO code. type: keyword -example: 10.14.1 +example: CA-QC -- -*`host.type`*:: +*`threat.indicator.geo.region_name`*:: + -- -Type of host. -For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. +Region name. 
type: keyword +example: Quebec + -- -*`host.uptime`*:: +*`threat.indicator.geo.timezone`*:: + -- -Seconds the host has been up. +The time zone of the location, such as IANA time zone name. -type: long +type: keyword -example: 1325 +example: America/Argentina/Buenos_Aires -- -*`host.user.domain`*:: +*`threat.indicator.hash.md5`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +MD5 hash. type: keyword -- -*`host.user.email`*:: +*`threat.indicator.hash.sha1`*:: + -- -User email address. +SHA1 hash. type: keyword -- -*`host.user.full_name`*:: +*`threat.indicator.hash.sha256`*:: + -- -User's full name, if available. +SHA256 hash. type: keyword -example: Albert Einstein - -- -*`host.user.full_name.text`*:: +*`threat.indicator.hash.sha512`*:: + -- -type: text +SHA512 hash. + +type: keyword -- -*`host.user.group.domain`*:: +*`threat.indicator.hash.ssdeep`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +SSDEEP hash. type: keyword -- -*`host.user.group.id`*:: +*`threat.indicator.ip`*:: + -- -Unique identifier for the group on the system/platform. +Identifies a threat indicator as an IP address (irrespective of direction). -type: keyword +type: ip + +example: 1.2.3.4 -- -*`host.user.group.name`*:: +*`threat.indicator.last_seen`*:: + -- -Name of the group. +The date and time when intelligence source last reported sighting this indicator. -type: keyword +type: date + +example: 2020-11-05T17:25:47.000Z -- -*`host.user.hash`*:: +*`threat.indicator.marking.tlp`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +Traffic Light Protocol sharing markings. 
+Recommended values are: + * WHITE + * GREEN + * AMBER + * RED type: keyword +example: WHITE + -- -*`host.user.id`*:: +*`threat.indicator.modified_at`*:: + -- -Unique identifier of the user. +The date and time when intelligence source last modified information for this indicator. -type: keyword +type: date + +example: 2020-11-05T17:25:47.000Z -- -*`host.user.name`*:: +*`threat.indicator.pe.architecture`*:: + -- -Short name or login of the user. +CPU architecture target for the file. type: keyword -example: albert +example: x64 -- -*`host.user.name.text`*:: +*`threat.indicator.pe.company`*:: + -- -type: text +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation -- -*`host.user.roles`*:: +*`threat.indicator.pe.description`*:: + -- -Array of user roles at the time of the event. +Internal description of the file, provided at compile-time. type: keyword -example: ["kibana_admin", "reporting_user"] +example: Paint -- -[float] -=== http +*`threat.indicator.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. -Fields related to HTTP activity. Use the `url` field set to store the url of the request. +type: keyword +example: 6.3.9600.17415 -*`http.request.body.bytes`*:: -+ -- -Size in bytes of the request body. -type: long +*`threat.indicator.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. -example: 887 +type: keyword -format: bytes +example: 0c6803c4e922103c4dca5963aad36ddf -- -*`http.request.body.content`*:: +*`threat.indicator.pe.original_file_name`*:: + -- -The full HTTP request body. +Internal name of the file, provided at compile-time. 
type: keyword -example: Hello world +example: MSPAINT.EXE -- -*`http.request.body.content.text`*:: +*`threat.indicator.pe.product`*:: + -- -type: text +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System -- -*`http.request.bytes`*:: +*`threat.indicator.port`*:: + -- -Total size in bytes of the request (body and headers). +Identifies a threat indicator as a port number (irrespective of direction). type: long -example: 1437 - -format: bytes +example: 443 -- -*`http.request.id`*:: +*`threat.indicator.provider`*:: + -- -A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. -The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. +The name of the indicator's provider. type: keyword -example: 123e4567-e89b-12d3-a456-426614174000 +example: lrz_urlhaus -- -*`http.request.method`*:: +*`threat.indicator.reference`*:: + -- -HTTP request method. -Prior to ECS 1.6.0 the following guidance was provided: -"The field value must be normalized to lowercase for querying." -As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 +Reference URL linking to additional information about this indicator. type: keyword -example: GET, POST, PUT, PoST +example: https://system.example.com/indicator/0001234 -- -*`http.request.mime_type`*:: +*`threat.indicator.registry.data.bytes`*:: + -- -Mime type of the body of the request. -This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. +Original bytes written with base64 encoding. 
+For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. type: keyword -example: image/gif +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= -- -*`http.request.referrer`*:: +*`threat.indicator.registry.data.strings`*:: + -- -Referrer for this HTTP request. +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). type: keyword -example: https://blog.example.com/ +example: ["C:\rta\red_ttp\bin\myapp.exe"] -- -*`http.response.body.bytes`*:: +*`threat.indicator.registry.data.type`*:: + -- -Size in bytes of the response body. - -type: long +Standard registry type for encoding contents -example: 887 +type: keyword -format: bytes +example: REG_SZ -- -*`http.response.body.content`*:: +*`threat.indicator.registry.hive`*:: + -- -The full HTTP response body. +Abbreviated name for the hive. type: keyword -example: Hello world +example: HKLM -- -*`http.response.body.content.text`*:: +*`threat.indicator.registry.key`*:: + -- -type: text +Hive-relative path of keys. + +type: keyword + +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe -- -*`http.response.bytes`*:: +*`threat.indicator.registry.path`*:: + -- -Total size in bytes of the response (body and headers). 
- -type: long +Full path, including hive, key and value -example: 1437 +type: keyword -format: bytes +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger -- -*`http.response.mime_type`*:: +*`threat.indicator.registry.value`*:: + -- -Mime type of the body of the response. -This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. +Name of the value written. type: keyword -example: image/gif +example: Debugger -- -*`http.response.status_code`*:: +*`threat.indicator.scanner_stats`*:: + -- -HTTP response status code. +Count of AV/EDR vendors that successfully detected malicious file or URL. type: long -example: 404 - -format: string +example: 4 -- -*`http.version`*:: +*`threat.indicator.sightings`*:: + -- -HTTP version. +Number of times this indicator was observed conducting threat activity. -type: keyword +type: long -example: 1.1 +example: 20 -- -[float] -=== interface - -The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. - - -*`interface.alias`*:: +*`threat.indicator.type`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +Type of indicator as represented by Cyber Observable in STIX 2.0. 
+Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate type: keyword -example: outside +example: ipv4-addr -- -*`interface.id`*:: +*`threat.indicator.url.domain`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword -example: 10 +example: www.elastic.co -- -*`interface.name`*:: +*`threat.indicator.url.extension`*:: + -- -Interface name as reported by the system. +The field contains the file extension from the original request url, excluding the leading dot. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). type: keyword -example: eth0 +example: png -- -[float] -=== log +*`threat.indicator.url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. -Details about the event's logging mechanism or logging transport. -The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. -The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. 
+type: keyword +-- -*`log.file.path`*:: +*`threat.indicator.url.full`*:: + -- -Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. -If the event wasn't read from a log file, do not populate this field. +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. type: keyword -example: /var/log/fun-times.log +example: https://www.elastic.co:443/search?q=elasticsearch#top -- -*`log.level`*:: +*`threat.indicator.url.full.text`*:: + -- -Original log level of the log event. -If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). -Some examples are `warn`, `err`, `i`, `informational`. - -type: keyword - -example: error +type: text -- -*`log.logger`*:: +*`threat.indicator.url.original`*:: + -- -The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. type: keyword -example: org.elasticsearch.bootstrap.Bootstrap +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch -- -*`log.origin.file.line`*:: +*`threat.indicator.url.original.text`*:: + -- -The line number of the file containing the source code which originated the log event. - -type: integer - -example: 42 +type: text -- -*`log.origin.file.name`*:: +*`threat.indicator.url.password`*:: + -- -The name of the file containing the source code which originated the log event. 
-Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. +Password of the request. type: keyword -example: Bootstrap.java - -- -*`log.origin.function`*:: +*`threat.indicator.url.path`*:: + -- -The name of the function or method which originated the log event. +Path of the request, such as "/search". type: keyword -example: init - -- -*`log.original`*:: +*`threat.indicator.url.port`*:: + -- -Deprecated for removal in next major version release. This field is superseded by `event.original`. -This is the original log message and contains the full log message before splitting it up in multiple parts. -In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. -This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +Port of the request, such as 443. -type: keyword +type: long -example: Sep 19 08:26:10 localhost My log +example: 443 -Field is not indexed. +format: string -- -*`log.syslog`*:: +*`threat.indicator.url.query`*:: + -- -The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. -type: object +type: keyword -- -*`log.syslog.facility.code`*:: +*`threat.indicator.url.registered_domain`*:: + -- -The Syslog numeric facility of the log event, if available. -According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. 
- -type: long +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -example: 23 +type: keyword -format: string +example: example.com -- -*`log.syslog.facility.name`*:: +*`threat.indicator.url.scheme`*:: + -- -The Syslog text-based facility of the log event, if available. +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. type: keyword -example: local7 +example: https -- -*`log.syslog.priority`*:: +*`threat.indicator.url.subdomain`*:: + -- -Syslog numeric priority of the event, if available. -According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - -type: long +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. -example: 135 +type: keyword -format: string +example: east -- -*`log.syslog.severity.code`*:: +*`threat.indicator.url.top_level_domain`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. 
If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". -type: long +type: keyword -example: 3 +example: co.uk -- -*`log.syslog.severity.name`*:: +*`threat.indicator.url.username`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. +Username of the request. type: keyword -example: Error +-- +*`threat.indicator.x509.alternative_names`*:: ++ -- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. -[float] -=== network +type: keyword -The network is defined as the communication path over which a host or network event happens. -The network.* fields should be populated with details about the network activity associated with an event. +example: *.elastic.co +-- -*`network.application`*:: +*`threat.indicator.x509.issuer.common_name`*:: + -- -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. 
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +List of common name (CN) of issuing certificate authority. type: keyword -example: aim +example: Example SHA2 High Assurance Server CA -- -*`network.bytes`*:: +*`threat.indicator.x509.issuer.country`*:: + -- -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - -type: long +List of country (C) codes -example: 368 +type: keyword -format: bytes +example: US -- -*`network.community_id`*:: +*`threat.indicator.x509.issuer.distinguished_name`*:: + -- -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`network.direction`*:: +*`threat.indicator.x509.issuer.locality`*:: + -- -Direction of the network traffic. -Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown +List of locality names (L) -When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". -When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". -Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
+type: keyword + +example: Mountain View + +-- + +*`threat.indicator.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. type: keyword -example: inbound +example: Example Inc -- -*`network.forwarded_ip`*:: +*`threat.indicator.x509.issuer.organizational_unit`*:: + -- -Host IP address when the source IP address is the proxy. +List of organizational units (OU) of issuing certificate authority. -type: ip +type: keyword -example: 192.1.1.2 +example: www.example.com -- -*`network.iana_number`*:: +*`threat.indicator.x509.issuer.state_or_province`*:: + -- -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +List of state or province names (ST, S, or P) type: keyword -example: 6 +example: California -- -*`network.inner`*:: +*`threat.indicator.x509.not_after`*:: + -- -Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) +Time at which the certificate is no longer considered valid. -type: object +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`network.inner.vlan.id`*:: +*`threat.indicator.x509.not_before`*:: + -- -VLAN ID as reported by the observer. +Time at which the certificate is first considered valid. -type: keyword +type: date -example: 10 +example: 2019-08-16 01:40:25+00:00 -- -*`network.inner.vlan.name`*:: +*`threat.indicator.x509.public_key_algorithm`*:: + -- -Optional VLAN name as reported by the observer. +Algorithm used to generate the public key. 
type: keyword -example: outside +example: RSA -- -*`network.name`*:: +*`threat.indicator.x509.public_key_curve`*:: + -- -Name given by operators to sections of their network. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword -example: Guest Wifi +example: nistp521 -- -*`network.packets`*:: +*`threat.indicator.x509.public_key_exponent`*:: + -- -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. +Exponent used to derive the public key. This is algorithm specific. type: long -example: 24 +example: 65537 + +Field is not indexed. -- -*`network.protocol`*:: +*`threat.indicator.x509.public_key_size`*:: + -- -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +The size of the public key space in bits. -type: keyword +type: long -example: http +example: 2048 -- -*`network.transport`*:: +*`threat.indicator.x509.serial_number`*:: + -- -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: tcp +example: 55FBB9C7DEBF09809D12CCAA -- -*`network.type`*:: +*`threat.indicator.x509.signature_algorithm`*:: + -- -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: ipv4 +example: SHA256-RSA -- -*`network.vlan.id`*:: +*`threat.indicator.x509.subject.common_name`*:: + -- -VLAN ID as reported by the observer. +List of common names (CN) of subject. type: keyword -example: 10 +example: shared.global.example.net -- -*`network.vlan.name`*:: +*`threat.indicator.x509.subject.country`*:: + -- -Optional VLAN name as reported by the observer. +List of country (C) code type: keyword -example: outside +example: US -- -[float] -=== observer - -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. -This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. - - -*`observer.egress`*:: +*`threat.indicator.x509.subject.distinguished_name`*:: + -- -Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. +Distinguished name (DN) of the certificate subject entity. 
-type: object +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`observer.egress.interface.alias`*:: +*`threat.indicator.x509.subject.locality`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +List of locality names (L) type: keyword -example: outside +example: San Francisco -- -*`observer.egress.interface.id`*:: +*`threat.indicator.x509.subject.organization`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +List of organizations (O) of subject. type: keyword -example: 10 +example: Example, Inc. -- -*`observer.egress.interface.name`*:: +*`threat.indicator.x509.subject.organizational_unit`*:: + -- -Interface name as reported by the system. +List of organizational units (OU) of subject. type: keyword -example: eth0 - -- -*`observer.egress.vlan.id`*:: +*`threat.indicator.x509.subject.state_or_province`*:: + -- -VLAN ID as reported by the observer. +List of state or province names (ST, S, or P) type: keyword -example: 10 +example: California -- -*`observer.egress.vlan.name`*:: +*`threat.indicator.x509.version_number`*:: + -- -Optional VLAN name as reported by the observer. +Version of x509 format. type: keyword -example: outside +example: 3 -- -*`observer.egress.zone`*:: +*`threat.software.id`*:: + -- -Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. type: keyword -example: Public_Internet +example: S0552 -- -*`observer.geo.city_name`*:: +*`threat.software.name`*:: + -- -City name. +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. 
While not required, you can use a MITRE ATT&CK® software name. type: keyword -example: Montreal +example: AdFind -- -*`observer.geo.continent_code`*:: +*`threat.software.platforms`*:: + -- -Two-letter code representing continent's name. +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. +Recommended Values: + * AWS + * Azure + * Azure AD + * GCP + * Linux + * macOS + * Network + * Office 365 + * SaaS + * Windows type: keyword -example: NA +example: [ "Windows" ] -- -*`observer.geo.continent_name`*:: +*`threat.software.reference`*:: + -- -Name of the continent. +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword -example: North America +example: https://attack.mitre.org/software/S0552/ -- -*`observer.geo.country_iso_code`*:: +*`threat.software.type`*:: + -- -Country ISO code. +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. +Recommended values + * Malware + * Tool type: keyword -example: CA +example: Tool -- -*`observer.geo.country_name`*:: +*`threat.tactic.id`*:: + -- -Country name. +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword -example: Canada +example: TA0002 -- -*`observer.geo.location`*:: +*`threat.tactic.name`*:: + -- -Longitude and latitude. +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. 
https://attack.mitre.org/tactics/TA0002/) -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Execution -- -*`observer.geo.name`*:: +*`threat.tactic.reference`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword -example: boston-dc +example: https://attack.mitre.org/tactics/TA0002/ -- -*`observer.geo.postal_code`*:: +*`threat.technique.id`*:: + -- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword -example: 94040 +example: T1059 -- -*`observer.geo.region_iso_code`*:: +*`threat.technique.name`*:: + -- -Region ISO code. +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword -example: CA-QC +example: Command and Scripting Interpreter -- -*`observer.geo.region_name`*:: +*`threat.technique.name.text`*:: + -- -Region name. +type: text + +-- + +*`threat.technique.reference`*:: ++ +-- +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword -example: Quebec +example: https://attack.mitre.org/techniques/T1059/ -- -*`observer.geo.timezone`*:: +*`threat.technique.subtechnique.id`*:: + -- -The time zone of the location, such as IANA time zone name. +The full id of subtechnique used by this threat. 
You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword -example: America/Argentina/Buenos_Aires +example: T1059.001 -- -*`observer.hostname`*:: +*`threat.technique.subtechnique.name`*:: + -- -Hostname of the observer. +The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword +example: PowerShell + -- -*`observer.ingress`*:: +*`threat.technique.subtechnique.name.text`*:: + -- -Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. - -type: object +type: text -- -*`observer.ingress.interface.alias`*:: +*`threat.technique.subtechnique.reference`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword -example: outside +example: https://attack.mitre.org/techniques/T1059/001/ -- -*`observer.ingress.interface.id`*:: +[float] +=== tls + +Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. + + +*`tls.cipher`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +String indicating the cipher used during the current connection. type: keyword -example: 10 +example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -- -*`observer.ingress.interface.name`*:: +*`tls.client.certificate`*:: + -- -Interface name as reported by the system. +PEM-encoded stand-alone certificate offered by the client. 
This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. type: keyword -example: eth0 +example: MII... -- -*`observer.ingress.vlan.id`*:: +*`tls.client.certificate_chain`*:: + -- -VLAN ID as reported by the observer. +Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. type: keyword -example: 10 +example: ["MII...", "MII..."] -- -*`observer.ingress.vlan.name`*:: +*`tls.client.hash.md5`*:: + -- -Optional VLAN name as reported by the observer. +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: outside +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC -- -*`observer.ingress.zone`*:: +*`tls.client.hash.sha1`*:: + -- -Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: DMZ +example: 9E393D93138888D288266C2D915214D1D1CCEB2A -- -*`observer.ip`*:: +*`tls.client.hash.sha256`*:: + -- -IP addresses of the observer. +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. -type: ip +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- -*`observer.mac`*:: +*`tls.client.issuer`*:: + -- -MAC addresses of the observer. 
-The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. +Distinguished name of subject of the issuer of the x.509 certificate presented by the client. type: keyword -example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- -*`observer.name`*:: +*`tls.client.ja3`*:: + -- -Custom name of the observer. -This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. -If no custom name is needed, the field can be left empty. +A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword -example: 1_proxySG +example: d4e5b18d6b55c71272893221c96ba240 -- -*`observer.os.family`*:: +*`tls.client.not_after`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +Date/Time indicating when client certificate is no longer considered valid. -type: keyword +type: date -example: debian +example: 2021-01-01T00:00:00.000Z -- -*`observer.os.full`*:: +*`tls.client.not_before`*:: + -- -Operating system name, including the version or code name. +Date/Time indicating when client certificate is first considered valid. -type: keyword +type: date -example: Mac OS Mojave +example: 1970-01-01T00:00:00.000Z -- -*`observer.os.full.text`*:: +*`tls.client.server_name`*:: + -- -type: text +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. + +type: keyword + +example: www.elastic.co -- -*`observer.os.kernel`*:: +*`tls.client.subject`*:: + -- -Operating system kernel version as a raw string. +Distinguished name of subject of the x.509 certificate presented by the client. 
type: keyword -example: 4.4.0-112-generic +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- -*`observer.os.name`*:: +*`tls.client.supported_ciphers`*:: + -- -Operating system name, without the version. +Array of ciphers offered by the client during the client hello. type: keyword -example: Mac OS X +example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] -- -*`observer.os.name.text`*:: +*`tls.client.x509.alternative_names`*:: + -- -type: text +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co -- -*`observer.os.platform`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Operating system platform (such centos, ubuntu, windows). +List of common name (CN) of issuing certificate authority. type: keyword -example: darwin +example: Example SHA2 High Assurance Server CA -- -*`observer.os.type`*:: +*`tls.client.x509.issuer.country`*:: + -- -Use the `os.type` field to categorize the operating system into one of the broad commercial families. -One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +List of country (C) codes type: keyword -example: macos +example: US -- -*`observer.os.version`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Operating system version as a raw string. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: 10.14.1 +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`observer.product`*:: +*`tls.client.x509.issuer.locality`*:: + -- -The product name of the observer. 
+List of locality names (L) type: keyword -example: s200 +example: Mountain View -- -*`observer.serial_number`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Observer serial number. +List of organizations (O) of issuing certificate authority. type: keyword +example: Example Inc + -- -*`observer.type`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: firewall +example: www.example.com -- -*`observer.vendor`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Vendor name of the observer. +List of state or province names (ST, S, or P) type: keyword -example: Symantec +example: California -- -*`observer.version`*:: +*`tls.client.x509.not_after`*:: + -- -Observer version. +Time at which the certificate is no longer considered valid. -type: keyword +type: date + +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== orchestrator +*`tls.client.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -Fields that describe the resources which container orchestrators manage or act upon. +type: date +example: 2019-08-16 01:40:25+00:00 -*`orchestrator.api_version`*:: +-- + +*`tls.client.x509.public_key_algorithm`*:: + -- -API version being used to carry out the action +Algorithm used to generate the public key. type: keyword -example: v1beta1 +example: RSA -- -*`orchestrator.cluster.name`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Name of the cluster. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`orchestrator.cluster.url`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -URL of the API used to manage the cluster. +Exponent used to derive the public key. 
This is algorithm specific. -type: keyword +type: long + +example: 65537 + +Field is not indexed. -- -*`orchestrator.cluster.version`*:: +*`tls.client.x509.public_key_size`*:: + -- -The version of the cluster. +The size of the public key space in bits. -type: keyword +type: long + +example: 2048 -- -*`orchestrator.namespace`*:: +*`tls.client.x509.serial_number`*:: + -- -Namespace in which the action is taking place. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: kube-system +example: 55FBB9C7DEBF09809D12CCAA -- -*`orchestrator.organization`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Organization affected by the event (for multi-tenant orchestrator setups). +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: elastic +example: SHA256-RSA -- -*`orchestrator.resource.name`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Name of the resource being acted upon. +List of common names (CN) of subject. type: keyword -example: test-pod-cdcws +example: shared.global.example.net -- -*`orchestrator.resource.type`*:: +*`tls.client.x509.subject.country`*:: + -- -Type of resource being acted upon. +List of country (C) code type: keyword -example: service +example: US -- -*`orchestrator.type`*:: +*`tls.client.x509.subject.distinguished_name`*:: + -- -Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). +Distinguished name (DN) of the certificate subject entity. type: keyword -example: kubernetes +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -[float] -=== organization - -The organization fields enrich data with information about the company or entity the data is associated with. 
-These fields help you arrange or filter data stored in an index by one or multiple organizations. - - -*`organization.id`*:: +*`tls.client.x509.subject.locality`*:: + -- -Unique identifier for the organization. +List of locality names (L) type: keyword +example: San Francisco + -- -*`organization.name`*:: +*`tls.client.x509.subject.organization`*:: + -- -Organization name. +List of organizations (O) of subject. type: keyword --- +example: Example, Inc. -*`organization.name.text`*:: -+ -- -type: text +*`tls.client.x509.subject.organizational_unit`*:: ++ -- +List of organizational units (OU) of subject. -[float] -=== os - -The OS fields contain information about the operating system. +type: keyword +-- -*`os.family`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +List of state or province names (ST, S, or P) type: keyword -example: debian +example: California -- -*`os.full`*:: +*`tls.client.x509.version_number`*:: + -- -Operating system name, including the version or code name. +Version of x509 format. type: keyword -example: Mac OS Mojave +example: 3 -- -*`os.full.text`*:: +*`tls.curve`*:: + -- -type: text +String indicating the curve used for the given cipher, when applicable. + +type: keyword + +example: secp256r1 -- -*`os.kernel`*:: +*`tls.established`*:: + -- -Operating system kernel version as a raw string. - -type: keyword +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -example: 4.4.0-112-generic +type: boolean -- -*`os.name`*:: +*`tls.next_protocol`*:: + -- -Operating system name, without the version. +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. 
type: keyword -example: Mac OS X +example: http/1.1 -- -*`os.name.text`*:: +*`tls.resumed`*:: + -- -type: text +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. + +type: boolean -- -*`os.platform`*:: +*`tls.server.certificate`*:: + -- -Operating system platform (such centos, ubuntu, windows). +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. type: keyword -example: darwin +example: MII... -- -*`os.type`*:: +*`tls.server.certificate_chain`*:: + -- -Use the `os.type` field to categorize the operating system into one of the broad commercial families. -One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. type: keyword -example: macos +example: ["MII...", "MII..."] -- -*`os.version`*:: +*`tls.server.hash.md5`*:: + -- -Operating system version as a raw string. +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: 10.14.1 +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC -- -[float] -=== package - -These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. - - -*`package.architecture`*:: +*`tls.server.hash.sha1`*:: + -- -Package architecture. 
+Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: x86_64 +example: 9E393D93138888D288266C2D915214D1D1CCEB2A -- -*`package.build_version`*:: +*`tls.server.hash.sha256`*:: + -- -Additional information about the build version of the installed package. -For example use the commit SHA of a non-released package. +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: 36f4f7e89dd61b0988b12ee000b98966867710cd +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- -*`package.checksum`*:: +*`tls.server.issuer`*:: + -- -Checksum of the installed package for verification. +Subject of the issuer of the x.509 certificate presented by the server. type: keyword -example: 68b329da9893e34099c7d8ad5cb9c940 +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- -*`package.description`*:: +*`tls.server.ja3s`*:: + -- -Description of the package. +A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword -example: Open source programming language to build simple/reliable/efficient software. +example: 394441ab65754e2207b1e1b457b3641d -- -*`package.install_scope`*:: +*`tls.server.not_after`*:: + -- -Indicating how the package was installed, e.g. user-local, global. +Timestamp indicating when server certificate is no longer considered valid. -type: keyword +type: date -example: global +example: 2021-01-01T00:00:00.000Z -- -*`package.installed`*:: +*`tls.server.not_before`*:: + -- -Time when package was installed. +Timestamp indicating when server certificate is first considered valid. 
type: date +example: 1970-01-01T00:00:00.000Z + -- -*`package.license`*:: +*`tls.server.subject`*:: + -- -License under which the package was released. -Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). +Subject of the x.509 certificate presented by the server. type: keyword -example: Apache License 2.0 +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com -- -*`package.name`*:: +*`tls.server.x509.alternative_names`*:: + -- -Package name +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: go +example: *.elastic.co -- -*`package.path`*:: +*`tls.server.x509.issuer.common_name`*:: + -- -Path where the package is installed. +List of common name (CN) of issuing certificate authority. type: keyword -example: /usr/local/Cellar/go/1.12.9/ +example: Example SHA2 High Assurance Server CA -- -*`package.reference`*:: +*`tls.server.x509.issuer.country`*:: + -- -Home page or reference URL of the software in this package, if available. +List of country (C) codes type: keyword -example: https://golang.org +example: US -- -*`package.size`*:: +*`tls.server.x509.issuer.distinguished_name`*:: + -- -Package size in bytes. - -type: long +Distinguished name (DN) of issuing certificate authority. -example: 62231 +type: keyword -format: string +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`package.type`*:: +*`tls.server.x509.issuer.locality`*:: + -- -Type of package. -This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. 
+List of locality names (L) type: keyword -example: rpm +example: Mountain View -- -*`package.version`*:: +*`tls.server.x509.issuer.organization`*:: + -- -Package version +List of organizations (O) of issuing certificate authority. type: keyword -example: 1.12.9 +example: Example Inc -- -[float] -=== pe - -These fields contain Windows Portable Executable (PE) metadata. - - -*`pe.architecture`*:: +*`tls.server.x509.issuer.organizational_unit`*:: + -- -CPU architecture target for the file. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: x64 +example: www.example.com -- -*`pe.company`*:: +*`tls.server.x509.issuer.state_or_province`*:: + -- -Internal company name of the file, provided at compile-time. +List of state or province names (ST, S, or P) type: keyword -example: Microsoft Corporation +example: California -- -*`pe.description`*:: +*`tls.server.x509.not_after`*:: + -- -Internal description of the file, provided at compile-time. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: Paint +example: 2020-07-16 03:15:39+00:00 -- -*`pe.file_version`*:: +*`tls.server.x509.not_before`*:: + -- -Internal version of the file, provided at compile-time. +Time at which the certificate is first considered valid. -type: keyword +type: date -example: 6.3.9600.17415 +example: 2019-08-16 01:40:25+00:00 -- -*`pe.imphash`*:: +*`tls.server.x509.public_key_algorithm`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. +Algorithm used to generate the public key. 
type: keyword -example: 0c6803c4e922103c4dca5963aad36ddf +example: RSA -- -*`pe.original_file_name`*:: +*`tls.server.x509.public_key_curve`*:: + -- -Internal name of the file, provided at compile-time. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword -example: MSPAINT.EXE +example: nistp521 -- -*`pe.product`*:: +*`tls.server.x509.public_key_exponent`*:: + -- -Internal product name of the file, provided at compile-time. +Exponent used to derive the public key. This is algorithm specific. -type: keyword +type: long -example: Microsoft® Windows® Operating System +example: 65537 + +Field is not indexed. -- -[float] -=== process +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. -These fields contain information about a process. -These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +type: long +example: 2048 -*`process.args`*:: +-- + +*`tls.server.x509.serial_number`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] +example: 55FBB9C7DEBF09809D12CCAA -- -*`process.args_count`*:: +*`tls.server.x509.signature_algorithm`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. -type: long +type: keyword -example: 4 +example: SHA256-RSA -- -*`process.code_signature.exists`*:: +*`tls.server.x509.subject.common_name`*:: + -- -Boolean to capture if a signature is present. +List of common names (CN) of subject. -type: boolean +type: keyword -example: true +example: shared.global.example.net -- -*`process.code_signature.signing_id`*:: +*`tls.server.x509.subject.country`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. +List of country (C) code type: keyword -example: com.apple.xpc.proxy +example: US -- -*`process.code_signature.status`*:: +*`tls.server.x509.subject.distinguished_name`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +Distinguished name (DN) of the certificate subject entity. type: keyword -example: ERROR_UNTRUSTED_ROOT +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`process.code_signature.subject_name`*:: +*`tls.server.x509.subject.locality`*:: + -- -Subject name of the code signer +List of locality names (L) type: keyword -example: Microsoft Corporation +example: San Francisco -- -*`process.code_signature.team_id`*:: +*`tls.server.x509.subject.organization`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. +List of organizations (O) of subject. type: keyword -example: EQHXZ8M8AV +example: Example, Inc. -- -*`process.code_signature.trusted`*:: +*`tls.server.x509.subject.organizational_unit`*:: + -- -Stores the trust status of the certificate chain. 
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean +List of organizational units (OU) of subject. -example: true +type: keyword -- -*`process.code_signature.valid`*:: +*`tls.server.x509.subject.state_or_province`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +List of state or province names (ST, S, or P) -type: boolean +type: keyword -example: true +example: California -- -*`process.command_line`*:: +*`tls.server.x509.version_number`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +Version of x509 format. type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 +example: 3 -- -*`process.command_line.text`*:: +*`tls.version`*:: + -- -type: text +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 -- -*`process.elf.architecture`*:: +*`tls.version_protocol`*:: + -- -Machine architecture of the ELF file. +Normalized lowercase protocol name parsed from original string. type: keyword -example: x86-64 +example: tls -- -*`process.elf.byte_order`*:: +*`span.id`*:: + -- -Byte sequence of ELF file. +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. type: keyword -example: Little Endian +example: 3ff9a8981b7ccd5a -- -*`process.elf.cpu_type`*:: +*`trace.id`*:: + -- -CPU type of the ELF file. +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. 
type: keyword -example: Intel +example: 4bf92f3577b34da6a3ce929d0e0e4736 -- -*`process.elf.creation_date`*:: +*`transaction.id`*:: + -- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. -type: date +type: keyword --- +example: 00f067aa0ba902b7 -*`process.elf.exports`*:: -+ -- -List of exported element names and types. -type: flattened +[float] +=== url --- +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. -*`process.elf.header.abi_version`*:: + +*`url.domain`*:: + -- -Version of the ELF Application Binary Interface (ABI). +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword +example: www.elastic.co + -- -*`process.elf.header.class`*:: +*`url.extension`*:: + -- -Header class of the ELF file. +The field contains the file extension from the original request url, excluding the leading dot. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). type: keyword +example: png + -- -*`process.elf.header.data`*:: +*`url.fragment`*:: + -- -Data table of the ELF header. +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. 
type: keyword -- -*`process.elf.header.entrypoint`*:: +*`url.full`*:: + -- -Header entrypoint of the ELF file. +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: long +type: keyword -format: string +example: https://www.elastic.co:443/search?q=elasticsearch#top -- -*`process.elf.header.object_version`*:: +*`url.full.text`*:: + -- -"0x1" for original ELF files. - -type: keyword +type: text -- -*`process.elf.header.os_abi`*:: +*`url.original`*:: + -- -Application Binary Interface (ABI) of the Linux OS. +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. type: keyword +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + -- -*`process.elf.header.type`*:: +*`url.original.text`*:: + -- -Header type of the ELF file. - -type: keyword +type: text -- -*`process.elf.header.version`*:: +*`url.password`*:: + -- -Version of the ELF header. +Password of the request. type: keyword -- -*`process.elf.imports`*:: +*`url.path`*:: + -- -List of imported element names and types. +Path of the request, such as "/search". -type: flattened +type: keyword -- -*`process.elf.sections`*:: +*`url.port`*:: + -- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. - -type: nested - --- - -*`process.elf.sections.chi2`*:: -+ --- -Chi-square probability distribution of the section. - -type: long - -format: number - --- - -*`process.elf.sections.entropy`*:: -+ --- -Shannon entropy calculation from the section. +Port of the request, such as 443. 
type: long -format: number - --- - -*`process.elf.sections.flags`*:: -+ --- -ELF Section List flags. +example: 443 -type: keyword +format: string -- -*`process.elf.sections.name`*:: +*`url.query`*:: + -- -ELF Section List name. +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. type: keyword -- -*`process.elf.sections.physical_offset`*:: +*`url.registered_domain`*:: + -- -ELF Section List offset. +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword --- - -*`process.elf.sections.physical_size`*:: -+ --- -ELF Section List physical size. - -type: long - -format: bytes +example: example.com -- -*`process.elf.sections.type`*:: +*`url.scheme`*:: + -- -ELF Section List type. +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. type: keyword --- - -*`process.elf.sections.virtual_address`*:: -+ --- -ELF Section List virtual address. - -type: long - -format: string +example: https -- -*`process.elf.sections.virtual_size`*:: +*`url.subdomain`*:: + -- -ELF Section List virtual size. - -type: long - -format: string - --- +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. 
+For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. -*`process.elf.segments`*:: -+ --- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. +type: keyword -type: nested +example: east -- -*`process.elf.segments.sections`*:: +*`url.top_level_domain`*:: + -- -ELF object segment sections. +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword +example: co.uk + -- -*`process.elf.segments.type`*:: +*`url.username`*:: + -- -ELF object segment type. +Username of the request. type: keyword -- -*`process.elf.shared_libraries`*:: -+ --- -List of shared libraries used by this ELF object. +[float] +=== user -type: keyword +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. --- -*`process.elf.telfhash`*:: +*`user.changes.domain`*:: + -- -telfhash symbol hash for ELF file. +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`process.entity_id`*:: +*`user.changes.email`*:: + -- -Unique identifier for the process. 
-The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +User email address. type: keyword -example: c2c455d9f99375d - -- -*`process.executable`*:: +*`user.changes.full_name`*:: + -- -Absolute path to the process executable. +User's full name, if available. type: keyword -example: /usr/bin/ssh +example: Albert Einstein -- -*`process.executable.text`*:: +*`user.changes.full_name.text`*:: + -- type: text -- -*`process.exit_code`*:: -+ --- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). - -type: long - -example: 137 - --- - -*`process.hash.md5`*:: +*`user.changes.group.domain`*:: + -- -MD5 hash. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`process.hash.sha1`*:: +*`user.changes.group.id`*:: + -- -SHA1 hash. +Unique identifier for the group on the system/platform. type: keyword -- -*`process.hash.sha256`*:: +*`user.changes.group.name`*:: + -- -SHA256 hash. +Name of the group. type: keyword -- -*`process.hash.sha512`*:: +*`user.changes.hash`*:: + -- -SHA512 hash. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -- -*`process.hash.ssdeep`*:: +*`user.changes.id`*:: + -- -SSDEEP hash. +Unique identifier of the user. type: keyword -- -*`process.name`*:: +*`user.changes.name`*:: + -- -Process name. -Sometimes called program name or similar. +Short name or login of the user. 
type: keyword -example: ssh +example: albert -- -*`process.name.text`*:: +*`user.changes.name.text`*:: + -- type: text -- -*`process.parent.args`*:: +*`user.changes.roles`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +Array of user roles at the time of the event. type: keyword -example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] - --- - -*`process.parent.args_count`*:: -+ --- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - -type: long - -example: 4 - --- - -*`process.parent.code_signature.exists`*:: -+ --- -Boolean to capture if a signature is present. - -type: boolean - -example: true +example: ["kibana_admin", "reporting_user"] -- -*`process.parent.code_signature.signing_id`*:: +*`user.domain`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: com.apple.xpc.proxy - -- -*`process.parent.code_signature.status`*:: +*`user.effective.domain`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`process.parent.code_signature.subject_name`*:: +*`user.effective.email`*:: + -- -Subject name of the code signer +User email address. 
type: keyword -example: Microsoft Corporation - -- -*`process.parent.code_signature.team_id`*:: +*`user.effective.full_name`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. +User's full name, if available. type: keyword -example: EQHXZ8M8AV +example: Albert Einstein -- -*`process.parent.code_signature.trusted`*:: +*`user.effective.full_name.text`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true +type: text -- -*`process.parent.code_signature.valid`*:: +*`user.effective.group.domain`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. -example: true +type: keyword -- -*`process.parent.command_line`*:: +*`user.effective.group.id`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +Unique identifier for the group on the system/platform. type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 - --- - -*`process.parent.command_line.text`*:: -+ --- -type: text - -- -*`process.parent.elf.architecture`*:: +*`user.effective.group.name`*:: + -- -Machine architecture of the ELF file. +Name of the group. type: keyword -example: x86-64 - -- -*`process.parent.elf.byte_order`*:: +*`user.effective.hash`*:: + -- -Byte sequence of ELF file. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
type: keyword -example: Little Endian - -- -*`process.parent.elf.cpu_type`*:: +*`user.effective.id`*:: + -- -CPU type of the ELF file. +Unique identifier of the user. type: keyword -example: Intel - -- -*`process.parent.elf.creation_date`*:: +*`user.effective.name`*:: + -- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - -type: date - --- +Short name or login of the user. -*`process.parent.elf.exports`*:: -+ --- -List of exported element names and types. +type: keyword -type: flattened +example: albert -- -*`process.parent.elf.header.abi_version`*:: +*`user.effective.name.text`*:: + -- -Version of the ELF Application Binary Interface (ABI). - -type: keyword +type: text -- -*`process.parent.elf.header.class`*:: +*`user.effective.roles`*:: + -- -Header class of the ELF file. +Array of user roles at the time of the event. type: keyword +example: ["kibana_admin", "reporting_user"] + -- -*`process.parent.elf.header.data`*:: +*`user.email`*:: + -- -Data table of the ELF header. +User email address. type: keyword -- -*`process.parent.elf.header.entrypoint`*:: +*`user.full_name`*:: + -- -Header entrypoint of the ELF file. +User's full name, if available. -type: long +type: keyword -format: string +example: Albert Einstein -- -*`process.parent.elf.header.object_version`*:: +*`user.full_name.text`*:: + -- -"0x1" for original ELF files. - -type: keyword +type: text -- -*`process.parent.elf.header.os_abi`*:: +*`user.group.domain`*:: + -- -Application Binary Interface (ABI) of the Linux OS. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`process.parent.elf.header.type`*:: +*`user.group.id`*:: + -- -Header type of the ELF file. +Unique identifier for the group on the system/platform. type: keyword -- -*`process.parent.elf.header.version`*:: +*`user.group.name`*:: + -- -Version of the ELF header. +Name of the group. 
type: keyword -- -*`process.parent.elf.imports`*:: +*`user.hash`*:: + -- -List of imported element names and types. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. -type: flattened +type: keyword -- -*`process.parent.elf.sections`*:: +*`user.id`*:: + -- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. +Unique identifier of the user. -type: nested +type: keyword -- -*`process.parent.elf.sections.chi2`*:: +*`user.name`*:: + -- -Chi-square probability distribution of the section. +Short name or login of the user. -type: long +type: keyword -format: number +example: albert -- -*`process.parent.elf.sections.entropy`*:: +*`user.name.text`*:: + -- -Shannon entropy calculation from the section. - -type: long - -format: number +type: text -- -*`process.parent.elf.sections.flags`*:: +*`user.roles`*:: + -- -ELF Section List flags. +Array of user roles at the time of the event. type: keyword --- - -*`process.parent.elf.sections.name`*:: -+ --- -ELF Section List name. - -type: keyword +example: ["kibana_admin", "reporting_user"] -- -*`process.parent.elf.sections.physical_offset`*:: +*`user.target.domain`*:: + -- -ELF Section List offset. +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`process.parent.elf.sections.physical_size`*:: -+ --- -ELF Section List physical size. - -type: long - -format: bytes - --- - -*`process.parent.elf.sections.type`*:: +*`user.target.email`*:: + -- -ELF Section List type. +User email address. type: keyword -- -*`process.parent.elf.sections.virtual_address`*:: -+ --- -ELF Section List virtual address. 
- -type: long - -format: string - --- - -*`process.parent.elf.sections.virtual_size`*:: +*`user.target.full_name`*:: + -- -ELF Section List virtual size. +User's full name, if available. -type: long +type: keyword -format: string +example: Albert Einstein -- -*`process.parent.elf.segments`*:: +*`user.target.full_name.text`*:: + -- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. - -type: nested +type: text -- -*`process.parent.elf.segments.sections`*:: +*`user.target.group.domain`*:: + -- -ELF object segment sections. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`process.parent.elf.segments.type`*:: +*`user.target.group.id`*:: + -- -ELF object segment type. +Unique identifier for the group on the system/platform. type: keyword -- -*`process.parent.elf.shared_libraries`*:: +*`user.target.group.name`*:: + -- -List of shared libraries used by this ELF object. +Name of the group. type: keyword -- -*`process.parent.elf.telfhash`*:: +*`user.target.hash`*:: + -- -telfhash symbol hash for ELF file. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -- -*`process.parent.entity_id`*:: +*`user.target.id`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +Unique identifier of the user. 
type: keyword -example: c2c455d9f99375d - -- -*`process.parent.executable`*:: +*`user.target.name`*:: + -- -Absolute path to the process executable. +Short name or login of the user. type: keyword -example: /usr/bin/ssh +example: albert -- -*`process.parent.executable.text`*:: +*`user.target.name.text`*:: + -- type: text -- -*`process.parent.exit_code`*:: +*`user.target.roles`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). +Array of user roles at the time of the event. -type: long +type: keyword -example: 137 +example: ["kibana_admin", "reporting_user"] -- -*`process.parent.hash.md5`*:: +[float] +=== user_agent + +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. + + +*`user_agent.device.name`*:: + -- -MD5 hash. +Name of the device. type: keyword +example: iPhone + -- -*`process.parent.hash.sha1`*:: +*`user_agent.name`*:: + -- -SHA1 hash. +Name of the user agent. type: keyword +example: Safari + -- -*`process.parent.hash.sha256`*:: +*`user_agent.original`*:: + -- -SHA256 hash. +Unparsed user_agent string. type: keyword +example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + -- -*`process.parent.hash.sha512`*:: +*`user_agent.original.text`*:: + -- -SHA512 hash. - -type: keyword +type: text -- -*`process.parent.hash.ssdeep`*:: +*`user_agent.os.family`*:: + -- -SSDEEP hash. +OS family (such as redhat, debian, freebsd, windows). type: keyword +example: debian + -- -*`process.parent.name`*:: +*`user_agent.os.full`*:: + -- -Process name. -Sometimes called program name or similar. - -type: keyword - -example: ssh - --- - -*`process.parent.name.text`*:: -+ --- -type: text - --- - -*`process.parent.pe.architecture`*:: -+ --- -CPU architecture target for the file. 
- -type: keyword - -example: x64 - --- - -*`process.parent.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`process.parent.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`process.parent.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`process.parent.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`process.parent.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`process.parent.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - -*`process.parent.pgid`*:: -+ --- -Identifier of the group of processes the process belongs to. - -type: long - -format: string - --- - -*`process.parent.pid`*:: -+ --- -Process id. - -type: long - -example: 4242 - -format: string - --- - -*`process.parent.ppid`*:: -+ --- -Parent process' pid. - -type: long - -example: 4241 - -format: string - --- - -*`process.parent.start`*:: -+ --- -The time the process started. - -type: date - -example: 2016-05-23T08:05:34.853Z - --- - -*`process.parent.thread.id`*:: -+ --- -Thread ID. - -type: long - -example: 4242 - -format: string - --- - -*`process.parent.thread.name`*:: -+ --- -Thread name. 
- -type: keyword - -example: thread-0 - --- - -*`process.parent.title`*:: -+ --- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - -type: keyword - --- - -*`process.parent.title.text`*:: -+ --- -type: text - --- - -*`process.parent.uptime`*:: -+ --- -Seconds the process has been up. - -type: long - -example: 1325 - --- - -*`process.parent.working_directory`*:: -+ --- -The working directory of the process. - -type: keyword - -example: /home/alice - --- - -*`process.parent.working_directory.text`*:: -+ --- -type: text - --- - -*`process.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`process.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`process.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`process.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`process.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`process.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`process.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. 
- -type: keyword - -example: Microsoft® Windows® Operating System - --- - -*`process.pgid`*:: -+ --- -Identifier of the group of processes the process belongs to. - -type: long - -format: string - --- - -*`process.pid`*:: -+ --- -Process id. - -type: long - -example: 4242 - -format: string - --- - -*`process.ppid`*:: -+ --- -Parent process' pid. - -type: long - -example: 4241 - -format: string - --- - -*`process.start`*:: -+ --- -The time the process started. - -type: date - -example: 2016-05-23T08:05:34.853Z - --- - -*`process.thread.id`*:: -+ --- -Thread ID. - -type: long - -example: 4242 - -format: string - --- - -*`process.thread.name`*:: -+ --- -Thread name. - -type: keyword - -example: thread-0 - --- - -*`process.title`*:: -+ --- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - -type: keyword - --- - -*`process.title.text`*:: -+ --- -type: text - --- - -*`process.uptime`*:: -+ --- -Seconds the process has been up. - -type: long - -example: 1325 - --- - -*`process.working_directory`*:: -+ --- -The working directory of the process. - -type: keyword - -example: /home/alice - --- - -*`process.working_directory.text`*:: -+ --- -type: text - --- - -[float] -=== registry - -Fields related to Windows Registry operations. - - -*`registry.data.bytes`*:: -+ --- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. - -type: keyword - -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - --- - -*`registry.data.strings`*:: -+ --- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. 
For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - -type: keyword - -example: ["C:\rta\red_ttp\bin\myapp.exe"] - --- - -*`registry.data.type`*:: -+ --- -Standard registry type for encoding contents - -type: keyword - -example: REG_SZ - --- - -*`registry.hive`*:: -+ --- -Abbreviated name for the hive. - -type: keyword - -example: HKLM - --- - -*`registry.key`*:: -+ --- -Hive-relative path of keys. - -type: keyword - -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - --- - -*`registry.path`*:: -+ --- -Full path, including hive, key and value - -type: keyword - -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - --- - -*`registry.value`*:: -+ --- -Name of the value written. - -type: keyword - -example: Debugger - --- - -[float] -=== related - -This field set is meant to facilitate pivoting around a piece of data. -Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. - - -*`related.hash`*:: -+ --- -All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - -type: keyword - --- - -*`related.hosts`*:: -+ --- -All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
- -type: keyword - --- - -*`related.ip`*:: -+ --- -All of the IPs seen on your event. - -type: ip - --- - -*`related.user`*:: -+ --- -All the user names or other user identifiers seen on the event. - -type: keyword - --- - -[float] -=== rule - -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. -Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. - - -*`rule.author`*:: -+ --- -Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. - -type: keyword - -example: ["Star-Lord"] - --- - -*`rule.category`*:: -+ --- -A categorization value keyword used by the entity using the rule for detection of this event. - -type: keyword - -example: Attempted Information Leak - --- - -*`rule.description`*:: -+ --- -The description of the rule generating the event. - -type: keyword - -example: Block requests to public DNS over HTTPS / TLS protocols - --- - -*`rule.id`*:: -+ --- -A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - -type: keyword - -example: 101 - --- - -*`rule.license`*:: -+ --- -Name of the license under which the rule used to generate this event is made available. - -type: keyword - -example: Apache 2.0 - --- - -*`rule.name`*:: -+ --- -The name of the rule or signature generating the event. - -type: keyword - -example: BLOCK_DNS_over_TLS - --- - -*`rule.reference`*:: -+ --- -Reference URL to additional information about the rule used to generate this event. -The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. 
- -type: keyword - -example: https://en.wikipedia.org/wiki/DNS_over_TLS - --- - -*`rule.ruleset`*:: -+ --- -Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - -type: keyword - -example: Standard_Protocol_Filters - --- - -*`rule.uuid`*:: -+ --- -A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - -type: keyword - -example: 1100110011 - --- - -*`rule.version`*:: -+ --- -The version / revision of the rule being used for analysis. - -type: keyword - -example: 1.1 - --- - -[float] -=== server - -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. - - -*`server.address`*:: -+ --- -Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - -type: keyword - --- - -*`server.as.number`*:: -+ --- -Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long - -example: 15169 - --- - -*`server.as.organization.name`*:: -+ --- -Organization name. - -type: keyword - -example: Google LLC - --- - -*`server.as.organization.name.text`*:: -+ --- -type: text - --- - -*`server.bytes`*:: -+ --- -Bytes sent from the server to the client. - -type: long - -example: 184 - -format: bytes - --- - -*`server.domain`*:: -+ --- -Server domain. - -type: keyword - --- - -*`server.geo.city_name`*:: -+ --- -City name. - -type: keyword - -example: Montreal - --- - -*`server.geo.continent_code`*:: -+ --- -Two-letter code representing continent's name. - -type: keyword - -example: NA - --- - -*`server.geo.continent_name`*:: -+ --- -Name of the continent. - -type: keyword - -example: North America - --- - -*`server.geo.country_iso_code`*:: -+ --- -Country ISO code. - -type: keyword - -example: CA - --- - -*`server.geo.country_name`*:: -+ --- -Country name. - -type: keyword - -example: Canada - --- - -*`server.geo.location`*:: -+ --- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } - --- - -*`server.geo.name`*:: -+ --- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - -type: keyword - -example: boston-dc - --- - -*`server.geo.postal_code`*:: -+ --- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - -type: keyword - -example: 94040 - --- - -*`server.geo.region_iso_code`*:: -+ --- -Region ISO code. - -type: keyword - -example: CA-QC - --- - -*`server.geo.region_name`*:: -+ --- -Region name. 
- -type: keyword - -example: Quebec - --- - -*`server.geo.timezone`*:: -+ --- -The time zone of the location, such as IANA time zone name. - -type: keyword - -example: America/Argentina/Buenos_Aires - --- - -*`server.ip`*:: -+ --- -IP address of the server (IPv4 or IPv6). - -type: ip - --- - -*`server.mac`*:: -+ --- -MAC address of the server. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - -type: keyword - -example: 00-00-5E-00-53-23 - --- - -*`server.nat.ip`*:: -+ --- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. - -type: ip - --- - -*`server.nat.port`*:: -+ --- -Translated port of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. - -type: long - -format: string - --- - -*`server.packets`*:: -+ --- -Packets sent from the server to the client. - -type: long - -example: 12 - --- - -*`server.port`*:: -+ --- -Port of the server. - -type: long - -format: string - --- - -*`server.registered_domain`*:: -+ --- -The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword - -example: example.com - --- - -*`server.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - -type: keyword - -example: east - --- - -*`server.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword - -example: co.uk - --- - -*`server.user.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`server.user.email`*:: -+ --- -User email address. - -type: keyword - --- - -*`server.user.full_name`*:: -+ --- -User's full name, if available. - -type: keyword - -example: Albert Einstein - --- - -*`server.user.full_name.text`*:: -+ --- -type: text - --- - -*`server.user.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`server.user.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`server.user.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`server.user.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`server.user.id`*:: -+ --- -Unique identifier of the user. 
- -type: keyword - --- - -*`server.user.name`*:: -+ --- -Short name or login of the user. - -type: keyword - -example: albert - --- - -*`server.user.name.text`*:: -+ --- -type: text - --- - -*`server.user.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - -[float] -=== service - -The service fields describe the service for or from which the data was collected. -These fields help you find and correlate logs for a specific service and version. - - -*`service.ephemeral_id`*:: -+ --- -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -type: keyword - -example: 8a4f500f - --- - -*`service.id`*:: -+ --- -Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. -This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. -Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. - -type: keyword - -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - --- - -*`service.name`*:: -+ --- -Name of the service data is collected from. -The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. -In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - -type: keyword - -example: elasticsearch-metrics - --- - -*`service.node.name`*:: -+ --- -Name of a service node. -This allows for two nodes of the same service running on the same host to be differentiated. 
Therefore, `service.node.name` should typically be unique across nodes of a given service. -In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. - -type: keyword - -example: instance-0000000016 - --- - -*`service.state`*:: -+ --- -Current state of the service. - -type: keyword - --- - -*`service.type`*:: -+ --- -The type of the service data is collected from. -The type can be used to group and correlate logs and metrics from one service type. -Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - -type: keyword - -example: elasticsearch - --- - -*`service.version`*:: -+ --- -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. - -type: keyword - -example: 3.2.4 - --- - -[float] -=== source - -Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. -Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. - - -*`source.address`*:: -+ --- -Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
-Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - -type: keyword - --- - -*`source.as.number`*:: -+ --- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long - -example: 15169 - --- - -*`source.as.organization.name`*:: -+ --- -Organization name. - -type: keyword - -example: Google LLC - --- - -*`source.as.organization.name.text`*:: -+ --- -type: text - --- - -*`source.bytes`*:: -+ --- -Bytes sent from the source to the destination. - -type: long - -example: 184 - -format: bytes - --- - -*`source.domain`*:: -+ --- -Source domain. - -type: keyword - --- - -*`source.geo.city_name`*:: -+ --- -City name. - -type: keyword - -example: Montreal - --- - -*`source.geo.continent_code`*:: -+ --- -Two-letter code representing continent's name. - -type: keyword - -example: NA - --- - -*`source.geo.continent_name`*:: -+ --- -Name of the continent. - -type: keyword - -example: North America - --- - -*`source.geo.country_iso_code`*:: -+ --- -Country ISO code. - -type: keyword - -example: CA - --- - -*`source.geo.country_name`*:: -+ --- -Country name. - -type: keyword - -example: Canada - --- - -*`source.geo.location`*:: -+ --- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } - --- - -*`source.geo.name`*:: -+ --- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - -type: keyword - -example: boston-dc - --- - -*`source.geo.postal_code`*:: -+ --- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - -type: keyword - -example: 94040 - --- - -*`source.geo.region_iso_code`*:: -+ --- -Region ISO code. 
- -type: keyword - -example: CA-QC - --- - -*`source.geo.region_name`*:: -+ --- -Region name. - -type: keyword - -example: Quebec - --- - -*`source.geo.timezone`*:: -+ --- -The time zone of the location, such as IANA time zone name. - -type: keyword - -example: America/Argentina/Buenos_Aires - --- - -*`source.ip`*:: -+ --- -IP address of the source (IPv4 or IPv6). - -type: ip - --- - -*`source.mac`*:: -+ --- -MAC address of the source. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - -type: keyword - -example: 00-00-5E-00-53-23 - --- - -*`source.nat.ip`*:: -+ --- -Translated ip of source based NAT sessions (e.g. internal client to internet) -Typically connections traversing load balancers, firewalls, or routers. - -type: ip - --- - -*`source.nat.port`*:: -+ --- -Translated port of source based NAT sessions. (e.g. internal client to internet) -Typically used with load balancers, firewalls, or routers. - -type: long - -format: string - --- - -*`source.packets`*:: -+ --- -Packets sent from the source to the destination. - -type: long - -example: 12 - --- - -*`source.port`*:: -+ --- -Port of the source. - -type: long - -format: string - --- - -*`source.registered_domain`*:: -+ --- -The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword - -example: example.com - --- - -*`source.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - -type: keyword - -example: east - --- - -*`source.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword - -example: co.uk - --- - -*`source.user.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`source.user.email`*:: -+ --- -User email address. - -type: keyword - --- - -*`source.user.full_name`*:: -+ --- -User's full name, if available. - -type: keyword - -example: Albert Einstein - --- - -*`source.user.full_name.text`*:: -+ --- -type: text - --- - -*`source.user.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`source.user.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`source.user.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`source.user.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`source.user.id`*:: -+ --- -Unique identifier of the user. 
- -type: keyword - --- - -*`source.user.name`*:: -+ --- -Short name or login of the user. - -type: keyword - -example: albert - --- - -*`source.user.name.text`*:: -+ --- -type: text - --- - -*`source.user.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - -[float] -=== threat - -Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. -These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). - - -*`threat.enrichments`*:: -+ --- -A list of associated indicators objects enriching the event, and the context of that association/enrichment. - -type: nested - --- - -*`threat.enrichments.indicator`*:: -+ --- -Object containing associated indicators enriching the event. - -type: object - --- - -*`threat.enrichments.indicator.as.number`*:: -+ --- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long - -example: 15169 - --- - -*`threat.enrichments.indicator.as.organization.name`*:: -+ --- -Organization name. - -type: keyword - -example: Google LLC - --- - -*`threat.enrichments.indicator.as.organization.name.text`*:: -+ --- -type: text - --- - -*`threat.enrichments.indicator.confidence`*:: -+ --- -Identifies the confidence rating assigned by the provider using STIX confidence scales. 
Expected values: - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) - -type: keyword - -example: High - --- - -*`threat.enrichments.indicator.description`*:: -+ --- -Describes the type of action conducted by the threat. - -type: keyword - -example: IP x.x.x.x was observed delivering the Angler EK. - --- - -*`threat.enrichments.indicator.email.address`*:: -+ --- -Identifies a threat indicator as an email address (irrespective of direction). - -type: keyword - -example: phish@example.com - --- - -*`threat.enrichments.indicator.file.accessed`*:: -+ --- -Last time the file was accessed. -Note that not all filesystems keep track of access time. - -type: date - --- - -*`threat.enrichments.indicator.file.attributes`*:: -+ --- -Array of file attributes. -Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - -type: keyword - -example: ["readonly", "system"] - --- - -*`threat.enrichments.indicator.file.code_signature.exists`*:: -+ --- -Boolean to capture if a signature is present. - -type: boolean - -example: true - --- - -*`threat.enrichments.indicator.file.code_signature.signing_id`*:: -+ --- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. - -type: keyword - -example: com.apple.xpc.proxy - --- - -*`threat.enrichments.indicator.file.code_signature.status`*:: -+ --- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
- -type: keyword - -example: ERROR_UNTRUSTED_ROOT - --- - -*`threat.enrichments.indicator.file.code_signature.subject_name`*:: -+ --- -Subject name of the code signer - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.file.code_signature.team_id`*:: -+ --- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. - -type: keyword - -example: EQHXZ8M8AV - --- - -*`threat.enrichments.indicator.file.code_signature.trusted`*:: -+ --- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true - --- - -*`threat.enrichments.indicator.file.code_signature.valid`*:: -+ --- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean - -example: true - --- - -*`threat.enrichments.indicator.file.created`*:: -+ --- -File creation time. -Note that not all filesystems store the creation time. - -type: date - --- - -*`threat.enrichments.indicator.file.ctime`*:: -+ --- -Last time the file attributes or metadata changed. -Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - -type: date - --- - -*`threat.enrichments.indicator.file.device`*:: -+ --- -Device that is the source of the file. - -type: keyword - -example: sda - --- - -*`threat.enrichments.indicator.file.directory`*:: -+ --- -Directory where the file is located. It should include the drive letter, when appropriate. - -type: keyword - -example: /home/alice - --- - -*`threat.enrichments.indicator.file.drive_letter`*:: -+ --- -Drive letter where the file is located. This field is only relevant on Windows. 
-The value should be uppercase, and not include the colon. - -type: keyword - -example: C - --- - -*`threat.enrichments.indicator.file.elf.architecture`*:: -+ --- -Machine architecture of the ELF file. - -type: keyword - -example: x86-64 - --- - -*`threat.enrichments.indicator.file.elf.byte_order`*:: -+ --- -Byte sequence of ELF file. - -type: keyword - -example: Little Endian - --- - -*`threat.enrichments.indicator.file.elf.cpu_type`*:: -+ --- -CPU type of the ELF file. - -type: keyword - -example: Intel - --- - -*`threat.enrichments.indicator.file.elf.creation_date`*:: -+ --- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - -type: date - --- - -*`threat.enrichments.indicator.file.elf.exports`*:: -+ --- -List of exported element names and types. - -type: flattened - --- - -*`threat.enrichments.indicator.file.elf.header.abi_version`*:: -+ --- -Version of the ELF Application Binary Interface (ABI). - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.header.class`*:: -+ --- -Header class of the ELF file. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.header.data`*:: -+ --- -Data table of the ELF header. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.header.entrypoint`*:: -+ --- -Header entrypoint of the ELF file. - -type: long - -format: string - --- - -*`threat.enrichments.indicator.file.elf.header.object_version`*:: -+ --- -"0x1" for original ELF files. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.header.os_abi`*:: -+ --- -Application Binary Interface (ABI) of the Linux OS. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.header.type`*:: -+ --- -Header type of the ELF file. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.header.version`*:: -+ --- -Version of the ELF header. 
- -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.imports`*:: -+ --- -List of imported element names and types. - -type: flattened - --- - -*`threat.enrichments.indicator.file.elf.sections`*:: -+ --- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. - -type: nested - --- - -*`threat.enrichments.indicator.file.elf.sections.chi2`*:: -+ --- -Chi-square probability distribution of the section. - -type: long - -format: number - --- - -*`threat.enrichments.indicator.file.elf.sections.entropy`*:: -+ --- -Shannon entropy calculation from the section. - -type: long - -format: number - --- - -*`threat.enrichments.indicator.file.elf.sections.flags`*:: -+ --- -ELF Section List flags. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.sections.name`*:: -+ --- -ELF Section List name. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.sections.physical_offset`*:: -+ --- -ELF Section List offset. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.sections.physical_size`*:: -+ --- -ELF Section List physical size. - -type: long - -format: bytes - --- - -*`threat.enrichments.indicator.file.elf.sections.type`*:: -+ --- -ELF Section List type. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.sections.virtual_address`*:: -+ --- -ELF Section List virtual address. - -type: long - -format: string - --- - -*`threat.enrichments.indicator.file.elf.sections.virtual_size`*:: -+ --- -ELF Section List virtual size. - -type: long - -format: string - --- - -*`threat.enrichments.indicator.file.elf.segments`*:: -+ --- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. - -type: nested - --- - -*`threat.enrichments.indicator.file.elf.segments.sections`*:: -+ --- -ELF object segment sections. 
- -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.segments.type`*:: -+ --- -ELF object segment type. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.shared_libraries`*:: -+ --- -List of shared libraries used by this ELF object. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.telfhash`*:: -+ --- -telfhash symbol hash for ELF file. - -type: keyword - --- - -*`threat.enrichments.indicator.file.extension`*:: -+ --- -File extension, excluding the leading dot. -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - -type: keyword - -example: png - --- - -*`threat.enrichments.indicator.file.gid`*:: -+ --- -Primary group ID (GID) of the file. - -type: keyword - -example: 1001 - --- - -*`threat.enrichments.indicator.file.group`*:: -+ --- -Primary group name of the file. - -type: keyword - -example: alice - --- - -*`threat.enrichments.indicator.file.inode`*:: -+ --- -Inode representing the file in the filesystem. - -type: keyword - -example: 256383 - --- - -*`threat.enrichments.indicator.file.mime_type`*:: -+ --- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - -type: keyword - --- - -*`threat.enrichments.indicator.file.mode`*:: -+ --- -Mode of the file in octal representation. - -type: keyword - -example: 0640 - --- - -*`threat.enrichments.indicator.file.mtime`*:: -+ --- -Last time the file content was modified. - -type: date - --- - -*`threat.enrichments.indicator.file.name`*:: -+ --- -Name of the file including the extension, without the directory. - -type: keyword - -example: example.png - --- - -*`threat.enrichments.indicator.file.owner`*:: -+ --- -File owner's username. 
- -type: keyword - -example: alice - --- - -*`threat.enrichments.indicator.file.path`*:: -+ --- -Full path to the file, including the file name. It should include the drive letter, when appropriate. - -type: keyword - -example: /home/alice/example.png - --- - -*`threat.enrichments.indicator.file.path.text`*:: -+ --- -type: text - --- - -*`threat.enrichments.indicator.file.size`*:: -+ --- -File size in bytes. -Only relevant when `file.type` is "file". - -type: long - -example: 16384 - --- - -*`threat.enrichments.indicator.file.target_path`*:: -+ --- -Target path for symlinks. - -type: keyword - --- - -*`threat.enrichments.indicator.file.target_path.text`*:: -+ --- -type: text - --- - -*`threat.enrichments.indicator.file.type`*:: -+ --- -File type (file, dir, or symlink). - -type: keyword - -example: file - --- - -*`threat.enrichments.indicator.file.uid`*:: -+ --- -The user ID (UID) or security identifier (SID) of the file owner. - -type: keyword - -example: 1001 - --- - -*`threat.enrichments.indicator.first_seen`*:: -+ --- -The date and time when intelligence source first reported sighting this indicator. - -type: date - -example: 2020-11-05T17:25:47.000Z - --- - -*`threat.enrichments.indicator.geo.city_name`*:: -+ --- -City name. - -type: keyword - -example: Montreal - --- - -*`threat.enrichments.indicator.geo.continent_code`*:: -+ --- -Two-letter code representing continent's name. - -type: keyword - -example: NA - --- - -*`threat.enrichments.indicator.geo.continent_name`*:: -+ --- -Name of the continent. - -type: keyword - -example: North America - --- - -*`threat.enrichments.indicator.geo.country_iso_code`*:: -+ --- -Country ISO code. - -type: keyword - -example: CA - --- - -*`threat.enrichments.indicator.geo.country_name`*:: -+ --- -Country name. - -type: keyword - -example: Canada - --- - -*`threat.enrichments.indicator.geo.location`*:: -+ --- -Longitude and latitude. 
- -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } - --- - -*`threat.enrichments.indicator.geo.name`*:: -+ --- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - -type: keyword - -example: boston-dc - --- - -*`threat.enrichments.indicator.geo.postal_code`*:: -+ --- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - -type: keyword - -example: 94040 - --- - -*`threat.enrichments.indicator.geo.region_iso_code`*:: -+ --- -Region ISO code. - -type: keyword - -example: CA-QC - --- - -*`threat.enrichments.indicator.geo.region_name`*:: -+ --- -Region name. - -type: keyword - -example: Quebec - --- - -*`threat.enrichments.indicator.geo.timezone`*:: -+ --- -The time zone of the location, such as IANA time zone name. - -type: keyword - -example: America/Argentina/Buenos_Aires - --- - -*`threat.enrichments.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - -*`threat.enrichments.indicator.ip`*:: -+ --- -Identifies a threat indicator as an IP address (irrespective of direction). - -type: ip - -example: 1.2.3.4 - --- - -*`threat.enrichments.indicator.last_seen`*:: -+ --- -The date and time when intelligence source last reported sighting this indicator. 
- -type: date - -example: 2020-11-05T17:25:47.000Z - --- - -*`threat.enrichments.indicator.marking.tlp`*:: -+ --- -Traffic Light Protocol sharing markings. Recommended values are: - * WHITE - * GREEN - * AMBER - * RED - -type: keyword - -example: White - --- - -*`threat.enrichments.indicator.modified_at`*:: -+ --- -The date and time when intelligence source last modified information for this indicator. - -type: date - -example: 2020-11-05T17:25:47.000Z - --- - -*`threat.enrichments.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.enrichments.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.enrichments.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.enrichments.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.enrichments.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.enrichments.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. 
- -type: keyword - -example: Microsoft® Windows® Operating System - --- - -*`threat.enrichments.indicator.port`*:: -+ --- -Identifies a threat indicator as a port number (irrespective of direction). - -type: long - -example: 443 - --- - -*`threat.enrichments.indicator.provider`*:: -+ --- -The name of the indicator's provider. - -type: keyword - -example: lrz_urlhaus - --- - -*`threat.enrichments.indicator.reference`*:: -+ --- -Reference URL linking to additional information about this indicator. - -type: keyword - -example: https://system.example.com/indicator/0001234 - --- - -*`threat.enrichments.indicator.registry.data.bytes`*:: -+ --- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. - -type: keyword - -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - --- - -*`threat.enrichments.indicator.registry.data.strings`*:: -+ --- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - -type: keyword - -example: ["C:\rta\red_ttp\bin\myapp.exe"] - --- - -*`threat.enrichments.indicator.registry.data.type`*:: -+ --- -Standard registry type for encoding contents - -type: keyword - -example: REG_SZ - --- - -*`threat.enrichments.indicator.registry.hive`*:: -+ --- -Abbreviated name for the hive. - -type: keyword - -example: HKLM - --- - -*`threat.enrichments.indicator.registry.key`*:: -+ --- -Hive-relative path of keys. 
- -type: keyword - -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - --- - -*`threat.enrichments.indicator.registry.path`*:: -+ --- -Full path, including hive, key and value - -type: keyword - -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - --- - -*`threat.enrichments.indicator.registry.value`*:: -+ --- -Name of the value written. - -type: keyword - -example: Debugger - --- - -*`threat.enrichments.indicator.scanner_stats`*:: -+ --- -Count of AV/EDR vendors that successfully detected malicious file or URL. - -type: long - -example: 4 - --- - -*`threat.enrichments.indicator.sightings`*:: -+ --- -Number of times this indicator was observed conducting threat activity. - -type: long - -example: 20 - --- - -*`threat.enrichments.indicator.type`*:: -+ --- -Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - -type: keyword - -example: ipv4-addr - --- - -*`threat.enrichments.indicator.url.domain`*:: -+ --- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - -type: keyword - -example: www.elastic.co - --- - -*`threat.enrichments.indicator.url.extension`*:: -+ --- -The field contains the file extension from the original request url, excluding the leading dot. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. 
For example, the value must be "png", not ".png". -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - -type: keyword - -example: png - --- - -*`threat.enrichments.indicator.url.fragment`*:: -+ --- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. - -type: keyword - --- - -*`threat.enrichments.indicator.url.full`*:: -+ --- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top - --- - -*`threat.enrichments.indicator.url.full.text`*:: -+ --- -type: text - --- - -*`threat.enrichments.indicator.url.original`*:: -+ --- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. - -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - --- - -*`threat.enrichments.indicator.url.original.text`*:: -+ --- -type: text - --- - -*`threat.enrichments.indicator.url.password`*:: -+ --- -Password of the request. - -type: keyword - --- - -*`threat.enrichments.indicator.url.path`*:: -+ --- -Path of the request, such as "/search". - -type: keyword - --- - -*`threat.enrichments.indicator.url.port`*:: -+ --- -Port of the request, such as 443. - -type: long - -example: 443 - -format: string - --- - -*`threat.enrichments.indicator.url.query`*:: -+ --- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. 
The `exists` query can be used to differentiate between the two cases. - -type: keyword - --- - -*`threat.enrichments.indicator.url.registered_domain`*:: -+ --- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword - -example: example.com - --- - -*`threat.enrichments.indicator.url.scheme`*:: -+ --- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -type: keyword - -example: https - --- - -*`threat.enrichments.indicator.url.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - -type: keyword - -example: east - --- - -*`threat.enrichments.indicator.url.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword - -example: co.uk - --- - -*`threat.enrichments.indicator.url.username`*:: -+ --- -Username of the request. 
- -type: keyword - --- - -*`threat.enrichments.indicator.x509.alternative_names`*:: -+ --- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co - --- - -*`threat.enrichments.indicator.x509.issuer.common_name`*:: -+ --- -List of common name (CN) of issuing certificate authority. - -type: keyword - -example: Example SHA2 High Assurance Server CA - --- - -*`threat.enrichments.indicator.x509.issuer.country`*:: -+ --- -List of country (C) codes - -type: keyword - -example: US - --- - -*`threat.enrichments.indicator.x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`threat.enrichments.indicator.x509.issuer.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: Mountain View - --- - -*`threat.enrichments.indicator.x509.issuer.organization`*:: -+ --- -List of organizations (O) of issuing certificate authority. - -type: keyword - -example: Example Inc - --- - -*`threat.enrichments.indicator.x509.issuer.organizational_unit`*:: -+ --- -List of organizational units (OU) of issuing certificate authority. - -type: keyword - -example: www.example.com - --- - -*`threat.enrichments.indicator.x509.issuer.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`threat.enrichments.indicator.x509.not_after`*:: -+ --- -Time at which the certificate is no longer considered valid. - -type: date - -example: 2020-07-16 03:15:39+00:00 - --- - -*`threat.enrichments.indicator.x509.not_before`*:: -+ --- -Time at which the certificate is first considered valid. 
- -type: date - -example: 2019-08-16 01:40:25+00:00 - --- - -*`threat.enrichments.indicator.x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. - -type: keyword - -example: RSA - --- - -*`threat.enrichments.indicator.x509.public_key_curve`*:: -+ --- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - -type: keyword - -example: nistp521 - --- - -*`threat.enrichments.indicator.x509.public_key_exponent`*:: -+ --- -Exponent used to derive the public key. This is algorithm specific. - -type: long - -example: 65537 - -Field is not indexed. - --- - -*`threat.enrichments.indicator.x509.public_key_size`*:: -+ --- -The size of the public key space in bits. - -type: long - -example: 2048 - --- - -*`threat.enrichments.indicator.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`threat.enrichments.indicator.x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - -type: keyword - -example: SHA256-RSA - --- - -*`threat.enrichments.indicator.x509.subject.common_name`*:: -+ --- -List of common names (CN) of subject. - -type: keyword - -example: shared.global.example.net - --- - -*`threat.enrichments.indicator.x509.subject.country`*:: -+ --- -List of country (C) code - -type: keyword - -example: US - --- - -*`threat.enrichments.indicator.x509.subject.distinguished_name`*:: -+ --- -Distinguished name (DN) of the certificate subject entity. 
- -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`threat.enrichments.indicator.x509.subject.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: San Francisco - --- - -*`threat.enrichments.indicator.x509.subject.organization`*:: -+ --- -List of organizations (O) of subject. - -type: keyword - -example: Example, Inc. - --- - -*`threat.enrichments.indicator.x509.subject.organizational_unit`*:: -+ --- -List of organizational units (OU) of subject. - -type: keyword - --- - -*`threat.enrichments.indicator.x509.subject.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`threat.enrichments.indicator.x509.version_number`*:: -+ --- -Version of x509 format. - -type: keyword - -example: 3 - --- - -*`threat.enrichments.matched.atomic`*:: -+ --- -Identifies the atomic indicator value that matched a local environment endpoint or network event. - -type: keyword - -example: bad-domain.com - --- - -*`threat.enrichments.matched.field`*:: -+ --- -Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - -type: keyword - -example: file.hash.sha256 - --- - -*`threat.enrichments.matched.id`*:: -+ --- -Identifies the _id of the indicator document enriching the event. - -type: keyword - -example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - --- - -*`threat.enrichments.matched.index`*:: -+ --- -Identifies the _index of the indicator document enriching the event. - -type: keyword - -example: filebeat-8.0.0-2021.05.23-000011 - --- - -*`threat.enrichments.matched.type`*:: -+ --- -Identifies the type of match that caused the event to be enriched with the given indicator - -type: keyword - -example: indicator_match_rule - --- - -*`threat.framework`*:: -+ --- -Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. 
Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. - -type: keyword - -example: MITRE ATT&CK - --- - -*`threat.group.alias`*:: -+ --- -The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). - -type: keyword - -example: [ "Magecart Group 6" ] - --- - -*`threat.group.id`*:: -+ --- -The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. - -type: keyword - -example: G0037 - --- - -*`threat.group.name`*:: -+ --- -The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. - -type: keyword - -example: FIN6 - --- - -*`threat.group.reference`*:: -+ --- -The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. - -type: keyword - -example: https://attack.mitre.org/groups/G0037/ - --- - -*`threat.indicator.as.number`*:: -+ --- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long - -example: 15169 - --- - -*`threat.indicator.as.organization.name`*:: -+ --- -Organization name. - -type: keyword - -example: Google LLC - --- - -*`threat.indicator.as.organization.name.text`*:: -+ --- -type: text - --- - -*`threat.indicator.confidence`*:: -+ --- -Identifies the confidence rating assigned by the provider using STIX confidence scales. 
-Recommended values: - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) - -type: keyword - -example: High - --- - -*`threat.indicator.description`*:: -+ --- -Describes the type of action conducted by the threat. - -type: keyword - -example: IP x.x.x.x was observed delivering the Angler EK. - --- - -*`threat.indicator.email.address`*:: -+ --- -Identifies a threat indicator as an email address (irrespective of direction). - -type: keyword - -example: phish@example.com - --- - -*`threat.indicator.file.accessed`*:: -+ --- -Last time the file was accessed. -Note that not all filesystems keep track of access time. - -type: date - --- - -*`threat.indicator.file.attributes`*:: -+ --- -Array of file attributes. -Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - -type: keyword - -example: ["readonly", "system"] - --- - -*`threat.indicator.file.code_signature.exists`*:: -+ --- -Boolean to capture if a signature is present. - -type: boolean - -example: true - --- - -*`threat.indicator.file.code_signature.signing_id`*:: -+ --- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. - -type: keyword - -example: com.apple.xpc.proxy - --- - -*`threat.indicator.file.code_signature.status`*:: -+ --- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
- -type: keyword - -example: ERROR_UNTRUSTED_ROOT - --- - -*`threat.indicator.file.code_signature.subject_name`*:: -+ --- -Subject name of the code signer - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.file.code_signature.team_id`*:: -+ --- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. - -type: keyword - -example: EQHXZ8M8AV - --- - -*`threat.indicator.file.code_signature.trusted`*:: -+ --- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true - --- - -*`threat.indicator.file.code_signature.valid`*:: -+ --- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean - -example: true - --- - -*`threat.indicator.file.created`*:: -+ --- -File creation time. -Note that not all filesystems store the creation time. - -type: date - --- - -*`threat.indicator.file.ctime`*:: -+ --- -Last time the file attributes or metadata changed. -Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - -type: date - --- - -*`threat.indicator.file.device`*:: -+ --- -Device that is the source of the file. - -type: keyword - -example: sda - --- - -*`threat.indicator.file.directory`*:: -+ --- -Directory where the file is located. It should include the drive letter, when appropriate. - -type: keyword - -example: /home/alice - --- - -*`threat.indicator.file.drive_letter`*:: -+ --- -Drive letter where the file is located. This field is only relevant on Windows. -The value should be uppercase, and not include the colon. 
- -type: keyword - -example: C - --- - -*`threat.indicator.file.elf.architecture`*:: -+ --- -Machine architecture of the ELF file. - -type: keyword - -example: x86-64 - --- - -*`threat.indicator.file.elf.byte_order`*:: -+ --- -Byte sequence of ELF file. - -type: keyword - -example: Little Endian - --- - -*`threat.indicator.file.elf.cpu_type`*:: -+ --- -CPU type of the ELF file. - -type: keyword - -example: Intel - --- - -*`threat.indicator.file.elf.creation_date`*:: -+ --- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - -type: date - --- - -*`threat.indicator.file.elf.exports`*:: -+ --- -List of exported element names and types. - -type: flattened - --- - -*`threat.indicator.file.elf.header.abi_version`*:: -+ --- -Version of the ELF Application Binary Interface (ABI). - -type: keyword - --- - -*`threat.indicator.file.elf.header.class`*:: -+ --- -Header class of the ELF file. - -type: keyword - --- - -*`threat.indicator.file.elf.header.data`*:: -+ --- -Data table of the ELF header. - -type: keyword - --- - -*`threat.indicator.file.elf.header.entrypoint`*:: -+ --- -Header entrypoint of the ELF file. - -type: long - -format: string - --- - -*`threat.indicator.file.elf.header.object_version`*:: -+ --- -"0x1" for original ELF files. - -type: keyword - --- - -*`threat.indicator.file.elf.header.os_abi`*:: -+ --- -Application Binary Interface (ABI) of the Linux OS. - -type: keyword - --- - -*`threat.indicator.file.elf.header.type`*:: -+ --- -Header type of the ELF file. - -type: keyword - --- - -*`threat.indicator.file.elf.header.version`*:: -+ --- -Version of the ELF header. - -type: keyword - --- - -*`threat.indicator.file.elf.imports`*:: -+ --- -List of imported element names and types. - -type: flattened - --- - -*`threat.indicator.file.elf.sections`*:: -+ --- -An array containing an object for each section of the ELF file. 
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. - -type: nested - --- - -*`threat.indicator.file.elf.sections.chi2`*:: -+ --- -Chi-square probability distribution of the section. - -type: long - -format: number - --- - -*`threat.indicator.file.elf.sections.entropy`*:: -+ --- -Shannon entropy calculation from the section. - -type: long - -format: number - --- - -*`threat.indicator.file.elf.sections.flags`*:: -+ --- -ELF Section List flags. - -type: keyword - --- - -*`threat.indicator.file.elf.sections.name`*:: -+ --- -ELF Section List name. - -type: keyword - --- - -*`threat.indicator.file.elf.sections.physical_offset`*:: -+ --- -ELF Section List offset. - -type: keyword - --- - -*`threat.indicator.file.elf.sections.physical_size`*:: -+ --- -ELF Section List physical size. - -type: long - -format: bytes - --- - -*`threat.indicator.file.elf.sections.type`*:: -+ --- -ELF Section List type. - -type: keyword - --- - -*`threat.indicator.file.elf.sections.virtual_address`*:: -+ --- -ELF Section List virtual address. - -type: long - -format: string - --- - -*`threat.indicator.file.elf.sections.virtual_size`*:: -+ --- -ELF Section List virtual size. - -type: long - -format: string - --- - -*`threat.indicator.file.elf.segments`*:: -+ --- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. - -type: nested - --- - -*`threat.indicator.file.elf.segments.sections`*:: -+ --- -ELF object segment sections. - -type: keyword - --- - -*`threat.indicator.file.elf.segments.type`*:: -+ --- -ELF object segment type. - -type: keyword - --- - -*`threat.indicator.file.elf.shared_libraries`*:: -+ --- -List of shared libraries used by this ELF object. - -type: keyword - --- - -*`threat.indicator.file.elf.telfhash`*:: -+ --- -telfhash symbol hash for ELF file. 
- -type: keyword - --- - -*`threat.indicator.file.extension`*:: -+ --- -File extension, excluding the leading dot. -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - -type: keyword - -example: png - --- - -*`threat.indicator.file.gid`*:: -+ --- -Primary group ID (GID) of the file. - -type: keyword - -example: 1001 - --- - -*`threat.indicator.file.group`*:: -+ --- -Primary group name of the file. - -type: keyword - -example: alice - --- - -*`threat.indicator.file.inode`*:: -+ --- -Inode representing the file in the filesystem. - -type: keyword - -example: 256383 - --- - -*`threat.indicator.file.mime_type`*:: -+ --- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - -type: keyword - --- - -*`threat.indicator.file.mode`*:: -+ --- -Mode of the file in octal representation. - -type: keyword - -example: 0640 - --- - -*`threat.indicator.file.mtime`*:: -+ --- -Last time the file content was modified. - -type: date - --- - -*`threat.indicator.file.name`*:: -+ --- -Name of the file including the extension, without the directory. - -type: keyword - -example: example.png - --- - -*`threat.indicator.file.owner`*:: -+ --- -File owner's username. - -type: keyword - -example: alice - --- - -*`threat.indicator.file.path`*:: -+ --- -Full path to the file, including the file name. It should include the drive letter, when appropriate. - -type: keyword - -example: /home/alice/example.png - --- - -*`threat.indicator.file.path.text`*:: -+ --- -type: text - --- - -*`threat.indicator.file.size`*:: -+ --- -File size in bytes. -Only relevant when `file.type` is "file". - -type: long - -example: 16384 - --- - -*`threat.indicator.file.target_path`*:: -+ --- -Target path for symlinks. 
- -type: keyword - --- - -*`threat.indicator.file.target_path.text`*:: -+ --- -type: text - --- - -*`threat.indicator.file.type`*:: -+ --- -File type (file, dir, or symlink). - -type: keyword - -example: file - --- - -*`threat.indicator.file.uid`*:: -+ --- -The user ID (UID) or security identifier (SID) of the file owner. - -type: keyword - -example: 1001 - --- - -*`threat.indicator.first_seen`*:: -+ --- -The date and time when intelligence source first reported sighting this indicator. - -type: date - -example: 2020-11-05T17:25:47.000Z - --- - -*`threat.indicator.geo.city_name`*:: -+ --- -City name. - -type: keyword - -example: Montreal - --- - -*`threat.indicator.geo.continent_code`*:: -+ --- -Two-letter code representing continent's name. - -type: keyword - -example: NA - --- - -*`threat.indicator.geo.continent_name`*:: -+ --- -Name of the continent. - -type: keyword - -example: North America - --- - -*`threat.indicator.geo.country_iso_code`*:: -+ --- -Country ISO code. - -type: keyword - -example: CA - --- - -*`threat.indicator.geo.country_name`*:: -+ --- -Country name. - -type: keyword - -example: Canada - --- - -*`threat.indicator.geo.location`*:: -+ --- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } - --- - -*`threat.indicator.geo.name`*:: -+ --- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - -type: keyword - -example: boston-dc - --- - -*`threat.indicator.geo.postal_code`*:: -+ --- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - -type: keyword - -example: 94040 - --- - -*`threat.indicator.geo.region_iso_code`*:: -+ --- -Region ISO code. 
- -type: keyword - -example: CA-QC - --- - -*`threat.indicator.geo.region_name`*:: -+ --- -Region name. - -type: keyword - -example: Quebec - --- - -*`threat.indicator.geo.timezone`*:: -+ --- -The time zone of the location, such as IANA time zone name. - -type: keyword - -example: America/Argentina/Buenos_Aires - --- - -*`threat.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - -*`threat.indicator.ip`*:: -+ --- -Identifies a threat indicator as an IP address (irrespective of direction). - -type: ip - -example: 1.2.3.4 - --- - -*`threat.indicator.last_seen`*:: -+ --- -The date and time when intelligence source last reported sighting this indicator. - -type: date - -example: 2020-11-05T17:25:47.000Z - --- - -*`threat.indicator.marking.tlp`*:: -+ --- -Traffic Light Protocol sharing markings. -Recommended values are: - * WHITE - * GREEN - * AMBER - * RED - -type: keyword - -example: WHITE - --- - -*`threat.indicator.modified_at`*:: -+ --- -The date and time when intelligence source last modified information for this indicator. - -type: date - -example: 2020-11-05T17:25:47.000Z - --- - -*`threat.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. 
- -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - -*`threat.indicator.port`*:: -+ --- -Identifies a threat indicator as a port number (irrespective of direction). - -type: long - -example: 443 - --- - -*`threat.indicator.provider`*:: -+ --- -The name of the indicator's provider. - -type: keyword - -example: lrz_urlhaus - --- - -*`threat.indicator.reference`*:: -+ --- -Reference URL linking to additional information about this indicator. - -type: keyword - -example: https://system.example.com/indicator/0001234 - --- - -*`threat.indicator.registry.data.bytes`*:: -+ --- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. - -type: keyword - -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - --- - -*`threat.indicator.registry.data.strings`*:: -+ --- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. 
For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - -type: keyword - -example: ["C:\rta\red_ttp\bin\myapp.exe"] - --- - -*`threat.indicator.registry.data.type`*:: -+ --- -Standard registry type for encoding contents - -type: keyword - -example: REG_SZ - --- - -*`threat.indicator.registry.hive`*:: -+ --- -Abbreviated name for the hive. - -type: keyword - -example: HKLM - --- - -*`threat.indicator.registry.key`*:: -+ --- -Hive-relative path of keys. - -type: keyword - -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - --- - -*`threat.indicator.registry.path`*:: -+ --- -Full path, including hive, key and value - -type: keyword - -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - --- - -*`threat.indicator.registry.value`*:: -+ --- -Name of the value written. - -type: keyword - -example: Debugger - --- - -*`threat.indicator.scanner_stats`*:: -+ --- -Count of AV/EDR vendors that successfully detected malicious file or URL. - -type: long - -example: 4 - --- - -*`threat.indicator.sightings`*:: -+ --- -Number of times this indicator was observed conducting threat activity. - -type: long - -example: 20 - --- - -*`threat.indicator.type`*:: -+ --- -Type of indicator as represented by Cyber Observable in STIX 2.0. -Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - -type: keyword - -example: ipv4-addr - --- - -*`threat.indicator.url.domain`*:: -+ --- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. -If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - -type: keyword - -example: www.elastic.co - --- - -*`threat.indicator.url.extension`*:: -+ --- -The field contains the file extension from the original request url, excluding the leading dot. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - -type: keyword - -example: png - --- - -*`threat.indicator.url.fragment`*:: -+ --- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. - -type: keyword - --- - -*`threat.indicator.url.full`*:: -+ --- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top - --- - -*`threat.indicator.url.full.text`*:: -+ --- -type: text - --- - -*`threat.indicator.url.original`*:: -+ --- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. - -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - --- - -*`threat.indicator.url.original.text`*:: -+ --- -type: text - --- - -*`threat.indicator.url.password`*:: -+ --- -Password of the request. - -type: keyword - --- - -*`threat.indicator.url.path`*:: -+ --- -Path of the request, such as "/search". 
- -type: keyword - --- - -*`threat.indicator.url.port`*:: -+ --- -Port of the request, such as 443. - -type: long - -example: 443 - -format: string - --- - -*`threat.indicator.url.query`*:: -+ --- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - -type: keyword - --- - -*`threat.indicator.url.registered_domain`*:: -+ --- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword - -example: example.com - --- - -*`threat.indicator.url.scheme`*:: -+ --- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -type: keyword - -example: https - --- - -*`threat.indicator.url.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - -type: keyword - -example: east - --- - -*`threat.indicator.url.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword - -example: co.uk - --- - -*`threat.indicator.url.username`*:: -+ --- -Username of the request. - -type: keyword - --- - -*`threat.indicator.x509.alternative_names`*:: -+ --- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co - --- - -*`threat.indicator.x509.issuer.common_name`*:: -+ --- -List of common name (CN) of issuing certificate authority. - -type: keyword - -example: Example SHA2 High Assurance Server CA - --- - -*`threat.indicator.x509.issuer.country`*:: -+ --- -List of country (C) codes - -type: keyword - -example: US - --- - -*`threat.indicator.x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`threat.indicator.x509.issuer.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: Mountain View - --- - -*`threat.indicator.x509.issuer.organization`*:: -+ --- -List of organizations (O) of issuing certificate authority. - -type: keyword - -example: Example Inc - --- - -*`threat.indicator.x509.issuer.organizational_unit`*:: -+ --- -List of organizational units (OU) of issuing certificate authority. 
- -type: keyword - -example: www.example.com - --- - -*`threat.indicator.x509.issuer.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`threat.indicator.x509.not_after`*:: -+ --- -Time at which the certificate is no longer considered valid. - -type: date - -example: 2020-07-16 03:15:39+00:00 - --- - -*`threat.indicator.x509.not_before`*:: -+ --- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25+00:00 - --- - -*`threat.indicator.x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. - -type: keyword - -example: RSA - --- - -*`threat.indicator.x509.public_key_curve`*:: -+ --- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - -type: keyword - -example: nistp521 - --- - -*`threat.indicator.x509.public_key_exponent`*:: -+ --- -Exponent used to derive the public key. This is algorithm specific. - -type: long - -example: 65537 - -Field is not indexed. - --- - -*`threat.indicator.x509.public_key_size`*:: -+ --- -The size of the public key space in bits. - -type: long - -example: 2048 - --- - -*`threat.indicator.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`threat.indicator.x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - -type: keyword - -example: SHA256-RSA - --- - -*`threat.indicator.x509.subject.common_name`*:: -+ --- -List of common names (CN) of subject. 
- -type: keyword - -example: shared.global.example.net - --- - -*`threat.indicator.x509.subject.country`*:: -+ --- -List of country (C) code - -type: keyword - -example: US - --- - -*`threat.indicator.x509.subject.distinguished_name`*:: -+ --- -Distinguished name (DN) of the certificate subject entity. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`threat.indicator.x509.subject.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: San Francisco - --- - -*`threat.indicator.x509.subject.organization`*:: -+ --- -List of organizations (O) of subject. - -type: keyword - -example: Example, Inc. - --- - -*`threat.indicator.x509.subject.organizational_unit`*:: -+ --- -List of organizational units (OU) of subject. - -type: keyword - --- - -*`threat.indicator.x509.subject.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`threat.indicator.x509.version_number`*:: -+ --- -Version of x509 format. - -type: keyword - -example: 3 - --- - -*`threat.software.id`*:: -+ --- -The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. - -type: keyword - -example: S0552 - --- - -*`threat.software.name`*:: -+ --- -The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. - -type: keyword - -example: AdFind - --- - -*`threat.software.platforms`*:: -+ --- -The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. 
-Recommended Values: - * AWS - * Azure - * Azure AD - * GCP - * Linux - * macOS - * Network - * Office 365 - * SaaS - * Windows - -type: keyword - -example: [ "Windows" ] - --- - -*`threat.software.reference`*:: -+ --- -The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. - -type: keyword - -example: https://attack.mitre.org/software/S0552/ - --- - -*`threat.software.type`*:: -+ --- -The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. -Recommended values - * Malware - * Tool - -type: keyword - -example: Tool - --- - -*`threat.tactic.id`*:: -+ --- -The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - -type: keyword - -example: TA0002 - --- - -*`threat.tactic.name`*:: -+ --- -Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - -type: keyword - -example: Execution - --- - -*`threat.tactic.reference`*:: -+ --- -The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - -type: keyword - -example: https://attack.mitre.org/tactics/TA0002/ - --- - -*`threat.technique.id`*:: -+ --- -The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - -type: keyword - -example: T1059 - --- - -*`threat.technique.name`*:: -+ --- -The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/) - -type: keyword - -example: Command and Scripting Interpreter - --- - -*`threat.technique.name.text`*:: -+ --- -type: text - --- - -*`threat.technique.reference`*:: -+ --- -The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - -type: keyword - -example: https://attack.mitre.org/techniques/T1059/ - --- - -*`threat.technique.subtechnique.id`*:: -+ --- -The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) - -type: keyword - -example: T1059.001 - --- - -*`threat.technique.subtechnique.name`*:: -+ --- -The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) - -type: keyword - -example: PowerShell - --- - -*`threat.technique.subtechnique.name.text`*:: -+ --- -type: text - --- - -*`threat.technique.subtechnique.reference`*:: -+ --- -The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) - -type: keyword - -example: https://attack.mitre.org/techniques/T1059/001/ - --- - -[float] -=== tls - -Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. - - -*`tls.cipher`*:: -+ --- -String indicating the cipher used during the current connection. - -type: keyword - -example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - --- - -*`tls.client.certificate`*:: -+ --- -PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - -type: keyword - -example: MII... 
- --- - -*`tls.client.certificate_chain`*:: -+ --- -Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - -type: keyword - -example: ["MII...", "MII..."] - --- - -*`tls.client.hash.md5`*:: -+ --- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword - -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC - --- - -*`tls.client.hash.sha1`*:: -+ --- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword - -example: 9E393D93138888D288266C2D915214D1D1CCEB2A - --- - -*`tls.client.hash.sha256`*:: -+ --- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword - -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 - --- - -*`tls.client.issuer`*:: -+ --- -Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - -type: keyword - -example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com - --- - -*`tls.client.ja3`*:: -+ --- -A hash that identifies clients based on how they perform an SSL/TLS handshake. - -type: keyword - -example: d4e5b18d6b55c71272893221c96ba240 - --- - -*`tls.client.not_after`*:: -+ --- -Date/Time indicating when client certificate is no longer considered valid. - -type: date - -example: 2021-01-01T00:00:00.000Z - --- - -*`tls.client.not_before`*:: -+ --- -Date/Time indicating when client certificate is first considered valid. 
- -type: date - -example: 1970-01-01T00:00:00.000Z - --- - -*`tls.client.server_name`*:: -+ --- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - -type: keyword - -example: www.elastic.co - --- - -*`tls.client.subject`*:: -+ --- -Distinguished name of subject of the x.509 certificate presented by the client. - -type: keyword - -example: CN=myclient, OU=Documentation Team, DC=example, DC=com - --- - -*`tls.client.supported_ciphers`*:: -+ --- -Array of ciphers offered by the client during the client hello. - -type: keyword - -example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] - --- - -*`tls.client.x509.alternative_names`*:: -+ --- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co - --- - -*`tls.client.x509.issuer.common_name`*:: -+ --- -List of common name (CN) of issuing certificate authority. - -type: keyword - -example: Example SHA2 High Assurance Server CA - --- - -*`tls.client.x509.issuer.country`*:: -+ --- -List of country (C) codes - -type: keyword - -example: US - --- - -*`tls.client.x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`tls.client.x509.issuer.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: Mountain View - --- - -*`tls.client.x509.issuer.organization`*:: -+ --- -List of organizations (O) of issuing certificate authority. - -type: keyword - -example: Example Inc - --- - -*`tls.client.x509.issuer.organizational_unit`*:: -+ --- -List of organizational units (OU) of issuing certificate authority. 
- -type: keyword - -example: www.example.com - --- - -*`tls.client.x509.issuer.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`tls.client.x509.not_after`*:: -+ --- -Time at which the certificate is no longer considered valid. - -type: date - -example: 2020-07-16 03:15:39+00:00 - --- - -*`tls.client.x509.not_before`*:: -+ --- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25+00:00 - --- - -*`tls.client.x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. - -type: keyword - -example: RSA - --- - -*`tls.client.x509.public_key_curve`*:: -+ --- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - -type: keyword - -example: nistp521 - --- - -*`tls.client.x509.public_key_exponent`*:: -+ --- -Exponent used to derive the public key. This is algorithm specific. - -type: long - -example: 65537 - -Field is not indexed. - --- - -*`tls.client.x509.public_key_size`*:: -+ --- -The size of the public key space in bits. - -type: long - -example: 2048 - --- - -*`tls.client.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`tls.client.x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - -type: keyword - -example: SHA256-RSA - --- - -*`tls.client.x509.subject.common_name`*:: -+ --- -List of common names (CN) of subject. 
- -type: keyword - -example: shared.global.example.net - --- - -*`tls.client.x509.subject.country`*:: -+ --- -List of country (C) code - -type: keyword - -example: US - --- - -*`tls.client.x509.subject.distinguished_name`*:: -+ --- -Distinguished name (DN) of the certificate subject entity. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`tls.client.x509.subject.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: San Francisco - --- - -*`tls.client.x509.subject.organization`*:: -+ --- -List of organizations (O) of subject. - -type: keyword - -example: Example, Inc. - --- - -*`tls.client.x509.subject.organizational_unit`*:: -+ --- -List of organizational units (OU) of subject. - -type: keyword - --- - -*`tls.client.x509.subject.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`tls.client.x509.version_number`*:: -+ --- -Version of x509 format. - -type: keyword - -example: 3 - --- - -*`tls.curve`*:: -+ --- -String indicating the curve used for the given cipher, when applicable. - -type: keyword - -example: secp256r1 - --- - -*`tls.established`*:: -+ --- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - -type: boolean - --- - -*`tls.next_protocol`*:: -+ --- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - -type: keyword - -example: http/1.1 - --- - -*`tls.resumed`*:: -+ --- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - -type: boolean - --- - -*`tls.server.certificate`*:: -+ --- -PEM-encoded stand-alone certificate offered by the server. 
This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. - -type: keyword - -example: MII... - --- - -*`tls.server.certificate_chain`*:: -+ --- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - -type: keyword - -example: ["MII...", "MII..."] - --- - -*`tls.server.hash.md5`*:: -+ --- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword - -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC - --- - -*`tls.server.hash.sha1`*:: -+ --- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword - -example: 9E393D93138888D288266C2D915214D1D1CCEB2A - --- - -*`tls.server.hash.sha256`*:: -+ --- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword - -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 - --- - -*`tls.server.issuer`*:: -+ --- -Subject of the issuer of the x.509 certificate presented by the server. - -type: keyword - -example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com - --- - -*`tls.server.ja3s`*:: -+ --- -A hash that identifies servers based on how they perform an SSL/TLS handshake. - -type: keyword - -example: 394441ab65754e2207b1e1b457b3641d - --- - -*`tls.server.not_after`*:: -+ --- -Timestamp indicating when server certificate is no longer considered valid. 
- -type: date - -example: 2021-01-01T00:00:00.000Z - --- - -*`tls.server.not_before`*:: -+ --- -Timestamp indicating when server certificate is first considered valid. - -type: date - -example: 1970-01-01T00:00:00.000Z - --- - -*`tls.server.subject`*:: -+ --- -Subject of the x.509 certificate presented by the server. - -type: keyword - -example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com - --- - -*`tls.server.x509.alternative_names`*:: -+ --- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co - --- - -*`tls.server.x509.issuer.common_name`*:: -+ --- -List of common name (CN) of issuing certificate authority. - -type: keyword - -example: Example SHA2 High Assurance Server CA - --- - -*`tls.server.x509.issuer.country`*:: -+ --- -List of country (C) codes - -type: keyword - -example: US - --- - -*`tls.server.x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`tls.server.x509.issuer.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: Mountain View - --- - -*`tls.server.x509.issuer.organization`*:: -+ --- -List of organizations (O) of issuing certificate authority. - -type: keyword - -example: Example Inc - --- - -*`tls.server.x509.issuer.organizational_unit`*:: -+ --- -List of organizational units (OU) of issuing certificate authority. - -type: keyword - -example: www.example.com - --- - -*`tls.server.x509.issuer.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`tls.server.x509.not_after`*:: -+ --- -Time at which the certificate is no longer considered valid. 
- -type: date - -example: 2020-07-16 03:15:39+00:00 - --- - -*`tls.server.x509.not_before`*:: -+ --- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25+00:00 - --- - -*`tls.server.x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. - -type: keyword - -example: RSA - --- - -*`tls.server.x509.public_key_curve`*:: -+ --- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - -type: keyword - -example: nistp521 - --- - -*`tls.server.x509.public_key_exponent`*:: -+ --- -Exponent used to derive the public key. This is algorithm specific. - -type: long - -example: 65537 - -Field is not indexed. - --- - -*`tls.server.x509.public_key_size`*:: -+ --- -The size of the public key space in bits. - -type: long - -example: 2048 - --- - -*`tls.server.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`tls.server.x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - -type: keyword - -example: SHA256-RSA - --- - -*`tls.server.x509.subject.common_name`*:: -+ --- -List of common names (CN) of subject. - -type: keyword - -example: shared.global.example.net - --- - -*`tls.server.x509.subject.country`*:: -+ --- -List of country (C) code - -type: keyword - -example: US - --- - -*`tls.server.x509.subject.distinguished_name`*:: -+ --- -Distinguished name (DN) of the certificate subject entity. 
- -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`tls.server.x509.subject.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: San Francisco - --- - -*`tls.server.x509.subject.organization`*:: -+ --- -List of organizations (O) of subject. - -type: keyword - -example: Example, Inc. - --- - -*`tls.server.x509.subject.organizational_unit`*:: -+ --- -List of organizational units (OU) of subject. - -type: keyword - --- - -*`tls.server.x509.subject.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`tls.server.x509.version_number`*:: -+ --- -Version of x509 format. - -type: keyword - -example: 3 - --- - -*`tls.version`*:: -+ --- -Numeric part of the version parsed from the original string. - -type: keyword - -example: 1.2 - --- - -*`tls.version_protocol`*:: -+ --- -Normalized lowercase protocol name parsed from original string. - -type: keyword - -example: tls - --- - -*`span.id`*:: -+ --- -Unique identifier of the span within the scope of its trace. -A span represents an operation within a transaction, such as a request to another service, or a database query. - -type: keyword - -example: 3ff9a8981b7ccd5a - --- - -*`trace.id`*:: -+ --- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. - -type: keyword - -example: 4bf92f3577b34da6a3ce929d0e0e4736 - --- - -*`transaction.id`*:: -+ --- -Unique identifier of the transaction within the scope of its trace. -A transaction is the highest level of work measured within a service, such as a request to a server. - -type: keyword - -example: 00f067aa0ba902b7 - --- - -[float] -=== url - -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. 
- - -*`url.domain`*:: -+ --- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - -type: keyword - -example: www.elastic.co - --- - -*`url.extension`*:: -+ --- -The field contains the file extension from the original request url, excluding the leading dot. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - -type: keyword - -example: png - --- - -*`url.fragment`*:: -+ --- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. - -type: keyword - --- - -*`url.full`*:: -+ --- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top - --- - -*`url.full.text`*:: -+ --- -type: text - --- - -*`url.original`*:: -+ --- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. - -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - --- - -*`url.original.text`*:: -+ --- -type: text - --- - -*`url.password`*:: -+ --- -Password of the request. - -type: keyword - --- - -*`url.path`*:: -+ --- -Path of the request, such as "/search". 
- -type: keyword - --- - -*`url.port`*:: -+ --- -Port of the request, such as 443. - -type: long - -example: 443 - -format: string - --- - -*`url.query`*:: -+ --- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - -type: keyword - --- - -*`url.registered_domain`*:: -+ --- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword - -example: example.com - --- - -*`url.scheme`*:: -+ --- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -type: keyword - -example: https - --- - -*`url.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - -type: keyword - -example: east - --- - -*`url.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword - -example: co.uk - --- - -*`url.username`*:: -+ --- -Username of the request. - -type: keyword - --- - -[float] -=== user - -The user fields describe information about the user that is relevant to the event. -Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. - - -*`user.changes.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.email`*:: -+ --- -User email address. - -type: keyword - --- - -*`user.changes.full_name`*:: -+ --- -User's full name, if available. - -type: keyword - -example: Albert Einstein - --- - -*`user.changes.full_name.text`*:: -+ --- -type: text - --- - -*`user.changes.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.changes.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.changes.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.changes.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.changes.name`*:: -+ --- -Short name or login of the user. - -type: keyword - -example: albert - --- - -*`user.changes.name.text`*:: -+ --- -type: text - --- - -*`user.changes.roles`*:: -+ --- -Array of user roles at the time of the event. 
- -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - -*`user.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.email`*:: -+ --- -User email address. - -type: keyword - --- - -*`user.effective.full_name`*:: -+ --- -User's full name, if available. - -type: keyword - -example: Albert Einstein - --- - -*`user.effective.full_name.text`*:: -+ --- -type: text - --- - -*`user.effective.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.effective.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.effective.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.effective.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.effective.name`*:: -+ --- -Short name or login of the user. - -type: keyword - -example: albert - --- - -*`user.effective.name.text`*:: -+ --- -type: text - --- - -*`user.effective.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - -*`user.email`*:: -+ --- -User email address. - -type: keyword - --- - -*`user.full_name`*:: -+ --- -User's full name, if available. - -type: keyword - -example: Albert Einstein - --- - -*`user.full_name.text`*:: -+ --- -type: text - --- - -*`user.group.domain`*:: -+ --- -Name of the directory the group is a member of. 
-For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.name`*:: -+ --- -Short name or login of the user. - -type: keyword - -example: albert - --- - -*`user.name.text`*:: -+ --- -type: text - --- - -*`user.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - -*`user.target.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.email`*:: -+ --- -User email address. - -type: keyword - --- - -*`user.target.full_name`*:: -+ --- -User's full name, if available. - -type: keyword - -example: Albert Einstein - --- - -*`user.target.full_name.text`*:: -+ --- -type: text - --- - -*`user.target.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.target.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.target.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.target.id`*:: -+ --- -Unique identifier of the user. 
- -type: keyword - --- - -*`user.target.name`*:: -+ --- -Short name or login of the user. - -type: keyword - -example: albert - --- - -*`user.target.name.text`*:: -+ --- -type: text - --- - -*`user.target.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - -[float] -=== user_agent - -The user_agent fields normally come from a browser request. -They often show up in web service logs coming from the parsed user agent string. - - -*`user_agent.device.name`*:: -+ --- -Name of the device. - -type: keyword - -example: iPhone - --- - -*`user_agent.name`*:: -+ --- -Name of the user agent. - -type: keyword - -example: Safari - --- - -*`user_agent.original`*:: -+ --- -Unparsed user_agent string. - -type: keyword - -example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 - --- - -*`user_agent.original.text`*:: -+ --- -type: text - --- - -*`user_agent.os.family`*:: -+ --- -OS family (such as redhat, debian, freebsd, windows). - -type: keyword - -example: debian - --- - -*`user_agent.os.full`*:: -+ --- -Operating system name, including the version or code name. - -type: keyword - -example: Mac OS Mojave - --- - -*`user_agent.os.full.text`*:: -+ --- -type: text - --- - -*`user_agent.os.kernel`*:: -+ --- -Operating system kernel version as a raw string. - -type: keyword - -example: 4.4.0-112-generic - --- - -*`user_agent.os.name`*:: -+ --- -Operating system name, without the version. - -type: keyword - -example: Mac OS X - --- - -*`user_agent.os.name.text`*:: -+ --- -type: text - --- - -*`user_agent.os.platform`*:: -+ --- -Operating system platform (such centos, ubuntu, windows). - -type: keyword - -example: darwin - --- - -*`user_agent.os.type`*:: -+ --- -Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
-One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - -type: keyword - -example: macos - --- - -*`user_agent.os.version`*:: -+ --- -Operating system version as a raw string. - -type: keyword - -example: 10.14.1 - --- - -*`user_agent.version`*:: -+ --- -Version of the user agent. - -type: keyword - -example: 12.0 - --- - -[float] -=== vlan - -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. -Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. -Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. -Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. - - -*`vlan.id`*:: -+ --- -VLAN ID as reported by the observer. - -type: keyword - -example: 10 - --- - -*`vlan.name`*:: -+ --- -Optional VLAN name as reported by the observer. - -type: keyword - -example: outside - --- - -[float] -=== vulnerability - -The vulnerability fields describe information about a vulnerability that is relevant to an event. - - -*`vulnerability.category`*:: -+ --- -The type of system or architecture that the vulnerability affects. 
These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) -This field must be an array. - -type: keyword - -example: ["Firewall"] - --- - -*`vulnerability.classification`*:: -+ --- -The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) - -type: keyword - -example: CVSS - --- - -*`vulnerability.description`*:: -+ --- -The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) - -type: keyword - -example: In macOS before 2.12.6, there is a vulnerability in the RPC... - --- - -*`vulnerability.description.text`*:: -+ --- -type: text - --- - -*`vulnerability.enumeration`*:: -+ --- -The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) - -type: keyword - -example: CVE - --- - -*`vulnerability.id`*:: -+ --- -The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] - -type: keyword - -example: CVE-2019-00001 - --- - -*`vulnerability.reference`*:: -+ --- -A resource that provides additional information, context, and mitigations for the identified vulnerability. - -type: keyword - -example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 - --- - -*`vulnerability.report_id`*:: -+ --- -The report or scan identification number. - -type: keyword - -example: 20191018.0001 - --- - -*`vulnerability.scanner.vendor`*:: -+ --- -The name of the vulnerability scanner vendor. 
- -type: keyword - -example: Tenable - --- - -*`vulnerability.score.base`*:: -+ --- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) - -type: float - -example: 5.5 - --- - -*`vulnerability.score.environmental`*:: -+ --- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) - -type: float - -example: 5.5 - --- - -*`vulnerability.score.temporal`*:: -+ --- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) - -type: float - --- - -*`vulnerability.score.version`*:: -+ --- -The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. -CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) - -type: keyword - -example: 2.0 - --- - -*`vulnerability.severity`*:: -+ --- -The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) - -type: keyword - -example: Critical - --- - -[float] -=== x509 - -This implements the common core fields for x509 certificates. 
This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. -When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). -Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. - - -*`x509.alternative_names`*:: -+ --- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co - --- - -*`x509.issuer.common_name`*:: -+ --- -List of common name (CN) of issuing certificate authority. - -type: keyword - -example: Example SHA2 High Assurance Server CA - --- - -*`x509.issuer.country`*:: -+ --- -List of country (C) codes - -type: keyword - -example: US - --- - -*`x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`x509.issuer.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: Mountain View - --- - -*`x509.issuer.organization`*:: -+ --- -List of organizations (O) of issuing certificate authority. - -type: keyword - -example: Example Inc - --- - -*`x509.issuer.organizational_unit`*:: -+ --- -List of organizational units (OU) of issuing certificate authority. - -type: keyword - -example: www.example.com - --- - -*`x509.issuer.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`x509.not_after`*:: -+ --- -Time at which the certificate is no longer considered valid. 
- -type: date - -example: 2020-07-16 03:15:39+00:00 - --- - -*`x509.not_before`*:: -+ --- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25+00:00 - --- - -*`x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. - -type: keyword - -example: RSA - --- - -*`x509.public_key_curve`*:: -+ --- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - -type: keyword - -example: nistp521 - --- - -*`x509.public_key_exponent`*:: -+ --- -Exponent used to derive the public key. This is algorithm specific. - -type: long - -example: 65537 - -Field is not indexed. - --- - -*`x509.public_key_size`*:: -+ --- -The size of the public key space in bits. - -type: long - -example: 2048 - --- - -*`x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - -type: keyword - -example: SHA256-RSA - --- - -*`x509.subject.common_name`*:: -+ --- -List of common names (CN) of subject. - -type: keyword - -example: shared.global.example.net - --- - -*`x509.subject.country`*:: -+ --- -List of country (C) code - -type: keyword - -example: US - --- - -*`x509.subject.distinguished_name`*:: -+ --- -Distinguished name (DN) of the certificate subject entity. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`x509.subject.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: San Francisco - --- - -*`x509.subject.organization`*:: -+ --- -List of organizations (O) of subject. 
- -type: keyword - -example: Example, Inc. - --- - -*`x509.subject.organizational_unit`*:: -+ --- -List of organizational units (OU) of subject. - -type: keyword - --- - -*`x509.subject.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`x509.version_number`*:: -+ --- -Version of x509 format. - -type: keyword - -example: 3 - --- - -[[exported-fields-elasticsearch]] -== Elasticsearch fields - -elasticsearch Module - - - -[float] -=== elasticsearch - - - - -*`elasticsearch.component`*:: -+ --- -Elasticsearch component from where the log event originated - -type: keyword - -example: o.e.c.m.MetaDataCreateIndexService - --- - -*`elasticsearch.cluster.uuid`*:: -+ --- -UUID of the cluster - -type: keyword - -example: GmvrbHlNTiSVYiPf8kxg9g - --- - -*`elasticsearch.cluster.name`*:: -+ --- -Name of the cluster - -type: keyword - -example: docker-cluster - --- - -*`elasticsearch.node.id`*:: -+ --- -ID of the node - -type: keyword - -example: DSiWcTyeThWtUXLB9J0BMw - --- - -*`elasticsearch.node.name`*:: -+ --- -Name of the node - -type: keyword - -example: vWNJsZ3 - --- - -*`elasticsearch.index.name`*:: -+ --- -Index name - -type: keyword - -example: filebeat-test-input - --- - -*`elasticsearch.index.id`*:: -+ --- -Index id - -type: keyword - -example: aOGgDwbURfCV57AScqbCgw - --- - -*`elasticsearch.shard.id`*:: -+ --- -Id of the shard - -type: keyword - -example: 0 - --- - - -*`elasticsearch.audit.layer`*:: -+ --- -The layer from which this event originated: rest, transport or ip_filter - -type: keyword - -example: rest - --- - -*`elasticsearch.audit.event_type`*:: -+ --- -The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied - -type: keyword - -example: access_granted - --- - -*`elasticsearch.audit.origin.type`*:: -+ --- -Where the request originated: rest 
(request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) - -type: keyword - -example: local_node - --- - -*`elasticsearch.audit.realm`*:: -+ --- -The authentication realm the authentication was validated against - -type: keyword - --- - -*`elasticsearch.audit.user.realm`*:: -+ --- -The user's authentication realm, if authenticated - -type: keyword - --- - -*`elasticsearch.audit.user.roles`*:: -+ --- -Roles to which the principal belongs - -type: keyword - -example: ['kibana_admin', 'beats_admin'] - --- - -*`elasticsearch.audit.user.run_as.name`*:: -+ --- -type: keyword - --- - -*`elasticsearch.audit.user.run_as.realm`*:: -+ --- -type: keyword - --- - -*`elasticsearch.audit.component`*:: -+ --- -type: keyword - --- - -*`elasticsearch.audit.action`*:: -+ --- -The name of the action that was executed - -type: keyword - -example: cluster:monitor/main - --- - -*`elasticsearch.audit.url.params`*:: -+ --- -REST URI parameters - -example: {username=jacknich2} - --- - -*`elasticsearch.audit.indices`*:: -+ --- -Indices accessed by action - -type: keyword - -example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] - --- - -*`elasticsearch.audit.request.id`*:: -+ --- -Unique ID of request - -type: keyword - -example: WzL_kb6VSvOhAq0twPvHOQ - --- - -*`elasticsearch.audit.request.name`*:: -+ --- -The type of request that was executed - -type: keyword - -example: ClearScrollRequest - --- - -*`elasticsearch.audit.request_body`*:: -+ --- -type: alias - -alias to: http.request.body.content - --- - -*`elasticsearch.audit.origin_address`*:: -+ --- -type: alias - -alias to: source.ip - --- - -*`elasticsearch.audit.uri`*:: -+ --- -type: alias - -alias to: url.original - --- - -*`elasticsearch.audit.principal`*:: -+ --- -type: alias - -alias to: user.name - --- - -*`elasticsearch.audit.message`*:: -+ --- -type: text - --- - 
-*`elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user`*:: -+ --- -type: boolean - --- - -[float] -=== deprecation - - - -[float] -=== gc - -GC fileset fields. - - - -[float] -=== phase - -Fields specific to GC phase. - - - -*`elasticsearch.gc.phase.name`*:: -+ --- -Name of the GC collection phase. - - -type: keyword - --- - -*`elasticsearch.gc.phase.duration_sec`*:: -+ --- -Collection phase duration according to the Java virtual machine. - - -type: float - --- - -*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: -+ --- -Pause time in seconds cleaning up symbol tables. - - -type: float - --- - -*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: -+ --- -Pause time in seconds cleaning up string tables. - - -type: float - --- - -*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: -+ --- -Time spent processing weak references in seconds. - - -type: float - --- - -*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: -+ --- -Time spent in seconds marking live objects while application is stopped. - - -type: float - --- - -*`elasticsearch.gc.phase.class_unload_time_sec`*:: -+ --- -Time spent unloading unused classes in seconds. - - -type: float - --- - -[float] -=== cpu_time - -Process CPU time spent performing collections. - - - -*`elasticsearch.gc.phase.cpu_time.user_sec`*:: -+ --- -CPU time spent outside the kernel. - - -type: float - --- - -*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: -+ --- -CPU time spent inside the kernel. - - -type: float - --- - -*`elasticsearch.gc.phase.cpu_time.real_sec`*:: -+ --- -Total elapsed CPU time spent to complete the collection from start to finish. - - -type: float - --- - -*`elasticsearch.gc.jvm_runtime_sec`*:: -+ --- -The time from JVM start up in seconds, as a floating point number. - - -type: float - --- - -*`elasticsearch.gc.threads_total_stop_time_sec`*:: -+ --- -Garbage collection threads total stop time seconds. 
- - -type: float - --- - -*`elasticsearch.gc.stopping_threads_time_sec`*:: -+ --- -Time took to stop threads seconds. - - -type: float - --- - -*`elasticsearch.gc.tags`*:: -+ --- -GC logging tags. - - -type: keyword - --- - -[float] -=== heap - -Heap allocation and total size. - - - -*`elasticsearch.gc.heap.size_kb`*:: -+ --- -Total heap size in kilobytes. - - -type: integer - --- - -*`elasticsearch.gc.heap.used_kb`*:: -+ --- -Used heap in kilobytes. - - -type: integer - --- - -[float] -=== old_gen - -Old generation occupancy and total size. - - - -*`elasticsearch.gc.old_gen.size_kb`*:: -+ --- -Total size of old generation in kilobytes. - - -type: integer - --- - -*`elasticsearch.gc.old_gen.used_kb`*:: -+ --- -Old generation occupancy in kilobytes. - - -type: integer - --- - -[float] -=== young_gen - -Young generation occupancy and total size. - - - -*`elasticsearch.gc.young_gen.size_kb`*:: -+ --- -Total size of young generation in kilobytes. - - -type: integer - --- - -*`elasticsearch.gc.young_gen.used_kb`*:: -+ --- -Young generation occupancy in kilobytes. - - -type: integer - --- - -[float] -=== server - -Server log file - - -*`elasticsearch.server.stacktrace`*:: -+ --- -Field is not indexed. 
- --- - -[float] -=== gc - -GC log - - -[float] -=== young - -Young GC - - -*`elasticsearch.server.gc.young.one`*:: -+ --- - - -type: long - -example: - --- - -*`elasticsearch.server.gc.young.two`*:: -+ --- - - -type: long - -example: - --- - -*`elasticsearch.server.gc.overhead_seq`*:: -+ --- -Sequence number - -type: long - -example: 3449992 - --- - -*`elasticsearch.server.gc.collection_duration.ms`*:: -+ --- -Time spent in GC, in milliseconds - -type: float - -example: 1600 - --- - -*`elasticsearch.server.gc.observation_duration.ms`*:: -+ --- -Total time over which collection was observed, in milliseconds - -type: float - -example: 1800 - --- - -[float] -=== slowlog - -Slowlog events from Elasticsearch - - -*`elasticsearch.slowlog.logger`*:: -+ --- -Logger name - -type: keyword - -example: index.search.slowlog.fetch - --- - -*`elasticsearch.slowlog.took`*:: -+ --- -Time it took to execute the query - -type: keyword - -example: 300ms - --- - -*`elasticsearch.slowlog.types`*:: -+ --- -Types - -type: keyword - -example: - --- - -*`elasticsearch.slowlog.stats`*:: -+ --- -Stats groups - -type: keyword - -example: group1 - --- - -*`elasticsearch.slowlog.search_type`*:: -+ --- -Search type - -type: keyword - -example: QUERY_THEN_FETCH - --- - -*`elasticsearch.slowlog.source_query`*:: -+ --- -Slow query - -type: keyword - -example: {"query":{"match_all":{"boost":1.0}}} - --- - -*`elasticsearch.slowlog.extra_source`*:: -+ --- -Extra source information - -type: keyword - -example: - --- - -*`elasticsearch.slowlog.total_hits`*:: -+ --- -Total hits - -type: keyword - -example: 42 - --- - -*`elasticsearch.slowlog.total_shards`*:: -+ --- -Total queried shards - -type: keyword - -example: 22 - --- - -*`elasticsearch.slowlog.routing`*:: -+ --- -Routing - -type: keyword - -example: s01HZ2QBk9jw4gtgaFtn - --- - -*`elasticsearch.slowlog.id`*:: -+ --- -Id - -type: keyword - -example: - --- - -*`elasticsearch.slowlog.type`*:: -+ --- -Type - -type: keyword - -example: doc - --- - 
-*`elasticsearch.slowlog.source`*:: -+ --- -Source of document that was indexed - -type: keyword - --- - -[[exported-fields-envoyproxy]] -== Envoyproxy fields - -Module for handling logs produced by envoy - - - -[float] -=== envoyproxy - -Fields from envoy proxy logs after normalization - - - -*`envoyproxy.log_type`*:: -+ --- -Envoy log type, normally ACCESS - - -type: keyword - --- - -*`envoyproxy.response_flags`*:: -+ --- -Response flags - - -type: keyword - --- - -*`envoyproxy.upstream_service_time`*:: -+ --- -Upstream service time in nanoseconds - - -type: long - -format: duration - --- - -*`envoyproxy.request_id`*:: -+ --- -ID of the request - - -type: keyword - --- - -*`envoyproxy.authority`*:: -+ --- -Envoy proxy authority field - - -type: keyword - --- - -*`envoyproxy.proxy_type`*:: -+ --- -Envoy proxy type, tcp or http - - -type: keyword - --- - -[[exported-fields-f5]] -== Big-IP Access Policy Manager fields - -f5 fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. +Operating system name, including the version or code name. type: keyword +example: Mac OS Mojave + -- -*`rsa.internal.obj_server`*:: +*`user_agent.os.full.text`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: text -- -*`rsa.internal.obj_val`*:: +*`user_agent.os.kernel`*:: + -- -Deprecated key defined only in table map. +Operating system kernel version as a raw string. type: keyword +example: 4.4.0-112-generic + -- -*`rsa.internal.resource`*:: +*`user_agent.os.name`*:: + -- -Deprecated key defined only in table map. +Operating system name, without the version. type: keyword +example: Mac OS X + -- -*`rsa.internal.obj_id`*:: +*`user_agent.os.name.text`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: text -- -*`rsa.internal.statement`*:: +*`user_agent.os.platform`*:: + -- -Deprecated key defined only in table map. +Operating system platform (such centos, ubuntu, windows). type: keyword +example: darwin + -- -*`rsa.internal.audit_class`*:: +*`user_agent.os.type`*:: + -- -Deprecated key defined only in table map. +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. 
type: keyword +example: macos + -- -*`rsa.internal.entry`*:: +*`user_agent.os.version`*:: + -- -Deprecated key defined only in table map. +Operating system version as a raw string. type: keyword +example: 10.14.1 + -- -*`rsa.internal.hcode`*:: +*`user_agent.version`*:: + -- -Deprecated key defined only in table map. +Version of the user agent. type: keyword --- +example: 12.0 -*`rsa.internal.inode`*:: -+ -- -Deprecated key defined only in table map. -type: long +[float] +=== vlan --- +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. -*`rsa.internal.resource_class`*:: + +*`vlan.id`*:: + -- -Deprecated key defined only in table map. +VLAN ID as reported by the observer. type: keyword +example: 10 + -- -*`rsa.internal.dead`*:: +*`vlan.name`*:: + -- -Deprecated key defined only in table map. +Optional VLAN name as reported by the observer. -type: long +type: keyword --- +example: outside -*`rsa.internal.feed_desc`*:: -+ -- -This is used to capture the description of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +[float] +=== vulnerability --- +The vulnerability fields describe information about a vulnerability that is relevant to an event. -*`rsa.internal.feed_name`*:: + +*`vulnerability.category`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) +This field must be an array. type: keyword +example: ["Firewall"] + -- -*`rsa.internal.cid`*:: +*`vulnerability.classification`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) type: keyword +example: CVSS + -- -*`rsa.internal.device_class`*:: +*`vulnerability.description`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) type: keyword +example: In macOS before 2.12.6, there is a vulnerability in the RPC... 
+ -- -*`rsa.internal.device_group`*:: +*`vulnerability.description.text`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: text -- -*`rsa.internal.device_host`*:: +*`vulnerability.enumeration`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) type: keyword +example: CVE + -- -*`rsa.internal.device_ip`*:: +*`vulnerability.id`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] -type: ip +type: keyword + +example: CVE-2019-00001 -- -*`rsa.internal.device_ipv6`*:: +*`vulnerability.reference`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +A resource that provides additional information, context, and mitigations for the identified vulnerability. -type: ip +type: keyword + +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 -- -*`rsa.internal.device_type`*:: +*`vulnerability.report_id`*:: + -- -This is the name of the log parser which parsed a given session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The report or scan identification number. type: keyword +example: 20191018.0001 + -- -*`rsa.internal.device_type_id`*:: +*`vulnerability.scanner.vendor`*:: + -- -Deprecated key defined only in table map. +The name of the vulnerability scanner vendor. -type: long +type: keyword + +example: Tenable -- -*`rsa.internal.did`*:: +*`vulnerability.score.base`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) -type: keyword +type: float + +example: 5.5 -- -*`rsa.internal.entropy_req`*:: +*`vulnerability.score.environmental`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) -type: long +type: float + +example: 5.5 -- -*`rsa.internal.entropy_res`*:: +*`vulnerability.score.temporal`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Temporal scores cover an assessment for code maturity, remediation level, and confidence. 
For example (https://www.first.org/cvss/specification-document) -type: long +type: float -- -*`rsa.internal.event_name`*:: +*`vulnerability.score.version`*:: + -- -Deprecated key defined only in table map. +The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. +CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword +example: 2.0 + -- -*`rsa.internal.feed_category`*:: +*`vulnerability.severity`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword --- +example: Critical -*`rsa.internal.forward_ip`*:: -+ -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: ip +[float] +=== x509 --- +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. +When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). +Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. 
-*`rsa.internal.forward_ipv6`*:: + +*`x509.alternative_names`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. -type: ip +type: keyword + +example: *.elastic.co -- -*`rsa.internal.header_id`*:: +*`x509.issuer.common_name`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of common name (CN) of issuing certificate authority. type: keyword +example: Example SHA2 High Assurance Server CA + -- -*`rsa.internal.lc_cid`*:: +*`x509.issuer.country`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of country (C) codes type: keyword +example: US + -- -*`rsa.internal.lc_ctime`*:: +*`x509.issuer.distinguished_name`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Distinguished name (DN) of issuing certificate authority. 
-type: date +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`rsa.internal.mcb_req`*:: +*`x509.issuer.locality`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +List of locality names (L) -type: long +type: keyword + +example: Mountain View -- -*`rsa.internal.mcb_res`*:: +*`x509.issuer.organization`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +List of organizations (O) of issuing certificate authority. -type: long +type: keyword + +example: Example Inc -- -*`rsa.internal.mcbc_req`*:: +*`x509.issuer.organizational_unit`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +List of organizational units (OU) of issuing certificate authority. -type: long +type: keyword + +example: www.example.com -- -*`rsa.internal.mcbc_res`*:: +*`x509.issuer.state_or_province`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +List of state or province names (ST, S, or P) -type: long +type: keyword + +example: California -- -*`rsa.internal.medium`*:: +*`x509.not_after`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +Time at which the certificate is no longer considered valid. -type: long +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`rsa.internal.node_name`*:: +*`x509.not_before`*:: + -- -Deprecated key defined only in table map. 
+Time at which the certificate is first considered valid. -type: keyword +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`rsa.internal.nwe_callback_id`*:: +*`x509.public_key_algorithm`*:: + -- -This key denotes that event is endpoint related +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`rsa.internal.parse_error`*:: +*`x509.public_key_curve`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`rsa.internal.payload_req`*:: +*`x509.public_key_exponent`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +Exponent used to derive the public key. This is algorithm specific. type: long +example: 65537 + +Field is not indexed. + -- -*`rsa.internal.payload_res`*:: +*`x509.public_key_size`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +The size of the public key space in bits. type: long +example: 2048 + -- -*`rsa.internal.process_vid_dst`*:: +*`x509.serial_number`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -*`rsa.internal.process_vid_src`*:: +*`x509.signature_algorithm`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. 
This ID represents the source process. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword +example: SHA256-RSA + -- -*`rsa.internal.rid`*:: +*`x509.subject.common_name`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of common names (CN) of subject. -type: long +type: keyword + +example: shared.global.example.net -- -*`rsa.internal.session_split`*:: +*`x509.subject.country`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of country (C) code type: keyword +example: US + -- -*`rsa.internal.site`*:: +*`x509.subject.distinguished_name`*:: + -- -Deprecated key defined only in table map. +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`rsa.internal.size`*:: +*`x509.subject.locality`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of locality names (L) -type: long +type: keyword + +example: San Francisco -- -*`rsa.internal.sourcefile`*:: +*`x509.subject.organization`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of organizations (O) of subject. type: keyword +example: Example, Inc. 
+ -- -*`rsa.internal.ubc_req`*:: +*`x509.subject.organizational_unit`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +List of organizational units (OU) of subject. -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`x509.subject.state_or_province`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +List of state or province names (ST, S, or P) -type: long +type: keyword + +example: California -- -*`rsa.internal.word`*:: +*`x509.version_number`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +Version of x509 format. type: keyword +example: 3 + -- +[[exported-fields-elasticsearch]] +== Elasticsearch fields -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +elasticsearch Module -type: date --- -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
+[float] +=== elasticsearch -type: double --- -*`rsa.time.event_time_str`*:: + +*`elasticsearch.component`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +Elasticsearch component from where the log event originated type: keyword +example: o.e.c.m.MetaDataCreateIndexService + -- -*`rsa.time.starttime`*:: +*`elasticsearch.cluster.uuid`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form +UUID of the cluster -type: date +type: keyword + +example: GmvrbHlNTiSVYiPf8kxg9g -- -*`rsa.time.month`*:: +*`elasticsearch.cluster.name`*:: + -- +Name of the cluster + type: keyword +example: docker-cluster + -- -*`rsa.time.day`*:: +*`elasticsearch.node.id`*:: + -- +ID of the node + type: keyword +example: DSiWcTyeThWtUXLB9J0BMw + -- -*`rsa.time.endtime`*:: +*`elasticsearch.node.name`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +Name of the node -type: date +type: keyword + +example: vWNJsZ3 -- -*`rsa.time.timezone`*:: +*`elasticsearch.index.name`*:: + -- -This key is used to capture the timezone of the Event Time +Index name type: keyword +example: filebeat-test-input + -- -*`rsa.time.duration_str`*:: +*`elasticsearch.index.id`*:: + -- -A text string version of the duration +Index id type: keyword +example: aOGgDwbURfCV57AScqbCgw + -- -*`rsa.time.date`*:: +*`elasticsearch.shard.id`*:: + -- +Id of the shard + type: keyword --- +example: 0 -*`rsa.time.year`*:: -+ -- -type: keyword --- -*`rsa.time.recorded_time`*:: +*`elasticsearch.audit.layer`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+The layer from which this event originated: rest, transport or ip_filter -type: date +type: keyword + +example: rest -- -*`rsa.time.datetime`*:: +*`elasticsearch.audit.event_type`*:: + -- +The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied + type: keyword +example: access_granted + -- -*`rsa.time.effective_time`*:: +*`elasticsearch.audit.origin.type`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format +Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) -type: date +type: keyword + +example: local_node -- -*`rsa.time.expire_time`*:: +*`elasticsearch.audit.realm`*:: + -- -This key is the timestamp that explicitly refers to an expiration. +The authentication realm the authentication was validated against -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`elasticsearch.audit.user.realm`*:: + -- -Deprecated, use duration.time +The user's authentication realm, if authenticated type: keyword -- -*`rsa.time.hour`*:: +*`elasticsearch.audit.user.roles`*:: + -- +Roles to which the principal belongs + type: keyword +example: ['kibana_admin', 'beats_admin'] + -- -*`rsa.time.min`*:: +*`elasticsearch.audit.user.run_as.name`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`elasticsearch.audit.user.run_as.realm`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`elasticsearch.audit.component`*:: + -- -This key is the Time that the event was queued. 
- -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`elasticsearch.audit.action`*:: + -- +The name of the action that was executed + type: keyword +example: cluster:monitor/main + -- -*`rsa.time.tzone`*:: +*`elasticsearch.audit.url.params`*:: + -- -type: keyword +REST URI parameters + +example: {username=jacknich2} -- -*`rsa.time.eventtime`*:: +*`elasticsearch.audit.indices`*:: + -- +Indices accessed by action + type: keyword +example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] + -- -*`rsa.time.gmtdate`*:: +*`elasticsearch.audit.request.id`*:: + -- +Unique ID of request + type: keyword +example: WzL_kb6VSvOhAq0twPvHOQ + -- -*`rsa.time.gmttime`*:: +*`elasticsearch.audit.request.name`*:: + -- +The type of request that was executed + type: keyword +example: ClearScrollRequest + -- -*`rsa.time.p_date`*:: +*`elasticsearch.audit.request_body`*:: + -- -type: keyword +type: alias + +alias to: http.request.body.content -- -*`rsa.time.p_month`*:: +*`elasticsearch.audit.origin_address`*:: + -- -type: keyword +type: alias + +alias to: source.ip -- -*`rsa.time.p_time`*:: +*`elasticsearch.audit.uri`*:: + -- -type: keyword +type: alias + +alias to: url.original -- -*`rsa.time.p_time2`*:: +*`elasticsearch.audit.principal`*:: + -- -type: keyword +type: alias + +alias to: user.name -- -*`rsa.time.p_year`*:: +*`elasticsearch.audit.message`*:: + -- -type: keyword +type: text -- -*`rsa.time.expire_time_str`*:: +*`elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword +type: boolean -- -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. +[float] +=== deprecation -type: date --- +[float] +=== gc -*`rsa.misc.action`*:: +GC fileset fields. + + + +[float] +=== phase + +Fields specific to GC phase. + + + +*`elasticsearch.gc.phase.name`*:: + -- +Name of the GC collection phase. 
+ + type: keyword -- -*`rsa.misc.result`*:: +*`elasticsearch.gc.phase.duration_sec`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. +Collection phase duration according to the Java virtual machine. -type: keyword + +type: float -- -*`rsa.misc.severity`*:: +*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: + -- -This key is used to capture the severity given the session +Pause time in seconds cleaning up symbol tables. -type: keyword + +type: float -- -*`rsa.misc.event_type`*:: +*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: + -- -This key captures the event category type as specified by the event source. +Pause time in seconds cleaning up string tables. -type: keyword + +type: float -- -*`rsa.misc.reference_id`*:: +*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: + -- -This key is used to capture an event id from the session directly +Time spent processing weak references in seconds. -type: keyword + +type: float -- -*`rsa.misc.version`*:: +*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: + -- -This key captures Version of the application or OS which is generating the event. +Time spent in seconds marking live objects while application is stopped. -type: keyword + +type: float -- -*`rsa.misc.disposition`*:: +*`elasticsearch.gc.phase.class_unload_time_sec`*:: + -- -This key captures the The end state of an action. +Time spent unloading unused classes in seconds. -type: keyword + +type: float -- -*`rsa.misc.result_code`*:: +[float] +=== cpu_time + +Process CPU time spent performing collections. + + + +*`elasticsearch.gc.phase.cpu_time.user_sec`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session +CPU time spent outside the kernel. 
-type: keyword + +type: float -- -*`rsa.misc.category`*:: +*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: + -- -This key is used to capture the category of an event given by the vendor in the session +CPU time spent inside the kernel. -type: keyword + +type: float -- -*`rsa.misc.obj_name`*:: +*`elasticsearch.gc.phase.cpu_time.real_sec`*:: + -- -This is used to capture name of object +Total elapsed CPU time spent to complete the collection from start to finish. -type: keyword + +type: float -- -*`rsa.misc.obj_type`*:: +*`elasticsearch.gc.jvm_runtime_sec`*:: + -- -This is used to capture type of object +The time from JVM start up in seconds, as a floating point number. -type: keyword + +type: float -- -*`rsa.misc.event_source`*:: +*`elasticsearch.gc.threads_total_stop_time_sec`*:: + -- -This key captures Source of the event that’s not a hostname +Garbage collection threads total stop time seconds. -type: keyword + +type: float -- -*`rsa.misc.log_session_id`*:: +*`elasticsearch.gc.stopping_threads_time_sec`*:: + -- -This key is used to capture a sessionid from the session directly +Time took to stop threads seconds. -type: keyword + +type: float -- -*`rsa.misc.group`*:: +*`elasticsearch.gc.tags`*:: + -- -This key captures the Group Name value +GC logging tags. + type: keyword -- -*`rsa.misc.policy_name`*:: +[float] +=== heap + +Heap allocation and total size. + + + +*`elasticsearch.gc.heap.size_kb`*:: + -- -This key is used to capture the Policy Name only. +Total heap size in kilobytes. -type: keyword + +type: integer -- -*`rsa.misc.rule_name`*:: +*`elasticsearch.gc.heap.used_kb`*:: + -- -This key captures the Rule Name +Used heap in kilobytes. -type: keyword + +type: integer -- -*`rsa.misc.context`*:: +[float] +=== old_gen + +Old generation occupancy and total size. + + + +*`elasticsearch.gc.old_gen.size_kb`*:: + -- -This key captures Information which adds additional context to the event. +Total size of old generation in kilobytes. 
-type: keyword + +type: integer -- -*`rsa.misc.change_new`*:: +*`elasticsearch.gc.old_gen.used_kb`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session +Old generation occupancy in kilobytes. -type: keyword + +type: integer -- -*`rsa.misc.space`*:: +[float] +=== young_gen + +Young generation occupancy and total size. + + + +*`elasticsearch.gc.young_gen.size_kb`*:: + -- -type: keyword +Total size of young generation in kilobytes. + + +type: integer -- -*`rsa.misc.client`*:: +*`elasticsearch.gc.young_gen.used_kb`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. +Young generation occupancy in kilobytes. -type: keyword + +type: integer -- -*`rsa.misc.msgIdPart1`*:: +[float] +=== server + +Server log file + + +*`elasticsearch.server.stacktrace`*:: + -- -type: keyword +Field is not indexed. -- -*`rsa.misc.msgIdPart2`*:: +[float] +=== gc + +GC log + + +[float] +=== young + +Young GC + + +*`elasticsearch.server.gc.young.one`*:: + -- -type: keyword + + +type: long + +example: -- -*`rsa.misc.change_old`*:: +*`elasticsearch.server.gc.young.two`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session -type: keyword + +type: long + +example: -- -*`rsa.misc.operation_id`*:: +*`elasticsearch.server.gc.overhead_seq`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. +Sequence number -type: keyword +type: long + +example: 3449992 -- -*`rsa.misc.event_state`*:: +*`elasticsearch.server.gc.collection_duration.ms`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. 
+Time spent in GC, in milliseconds -type: keyword +type: float + +example: 1600 -- -*`rsa.misc.group_object`*:: +*`elasticsearch.server.gc.observation_duration.ms`*:: + -- -This key captures a collection/grouping of entities. Specific usage +Total time over which collection was observed, in milliseconds -type: keyword +type: float + +example: 1800 -- -*`rsa.misc.node`*:: +[float] +=== slowlog + +Slowlog events from Elasticsearch + + +*`elasticsearch.slowlog.logger`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. +Logger name type: keyword +example: index.search.slowlog.fetch + -- -*`rsa.misc.rule`*:: +*`elasticsearch.slowlog.took`*:: + -- -This key captures the Rule number +Time it took to execute the query type: keyword +example: 300ms + -- -*`rsa.misc.device_name`*:: +*`elasticsearch.slowlog.types`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc +Types type: keyword +example: + -- -*`rsa.misc.param`*:: +*`elasticsearch.slowlog.stats`*:: + -- -This key is the parameters passed as part of a command or application, etc. +Stats groups type: keyword +example: group1 + -- -*`rsa.misc.change_attrib`*:: +*`elasticsearch.slowlog.search_type`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session +Search type type: keyword +example: QUERY_THEN_FETCH + -- -*`rsa.misc.event_computer`*:: +*`elasticsearch.slowlog.source_query`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+Slow query type: keyword +example: {"query":{"match_all":{"boost":1.0}}} + -- -*`rsa.misc.reference_id1`*:: +*`elasticsearch.slowlog.extra_source`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +Extra source information type: keyword +example: + -- -*`rsa.misc.event_log`*:: +*`elasticsearch.slowlog.total_hits`*:: + -- -This key captures the Name of the event log +Total hits type: keyword +example: 42 + -- -*`rsa.misc.OS`*:: +*`elasticsearch.slowlog.total_shards`*:: + -- -This key captures the Name of the Operating System +Total queried shards type: keyword +example: 22 + -- -*`rsa.misc.terminal`*:: +*`elasticsearch.slowlog.routing`*:: + -- -This key captures the Terminal Names only +Routing type: keyword +example: s01HZ2QBk9jw4gtgaFtn + -- -*`rsa.misc.msgIdPart3`*:: +*`elasticsearch.slowlog.id`*:: + -- +Id + type: keyword +example: + -- -*`rsa.misc.filter`*:: +*`elasticsearch.slowlog.type`*:: + -- -This key captures Filter used to reduce result set +Type type: keyword +example: doc + -- -*`rsa.misc.serial_number`*:: +*`elasticsearch.slowlog.source`*:: + -- -This key is the Serial number associated with a physical asset. +Source of document that was indexed type: keyword -- -*`rsa.misc.checksum`*:: +[[exported-fields-envoyproxy]] +== Envoyproxy fields + +Module for handling logs produced by envoy + + + +[float] +=== envoyproxy + +Fields from envoy proxy logs after normalization + + + +*`envoyproxy.log_type`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. +Envoy log type, normally ACCESS + type: keyword -- -*`rsa.misc.event_user`*:: +*`envoyproxy.response_flags`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. 
+Response flags + type: keyword -- -*`rsa.misc.virusname`*:: +*`envoyproxy.upstream_service_time`*:: + -- -This key captures the name of the virus +Upstream service time in nanoseconds -type: keyword + +type: long + +format: duration -- -*`rsa.misc.content_type`*:: +*`envoyproxy.request_id`*:: + -- -This key is used to capture Content Type only. +ID of the request + type: keyword -- -*`rsa.misc.group_id`*:: +*`envoyproxy.authority`*:: + -- -This key captures Group ID Number (related to the group name) +Envoy proxy authority field + type: keyword -- -*`rsa.misc.policy_id`*:: +*`envoyproxy.proxy_type`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise +Envoy proxy type, tcp or http + type: keyword -- -*`rsa.misc.vsys`*:: +[[exported-fields-f5]] +== Big-IP Access Policy Manager fields + +f5 fields. + + + +*`network.interface.name`*:: + -- -This key captures Virtual System Name +Name of the network interface where the traffic has been observed. + type: keyword -- -*`rsa.misc.connection_id`*:: + + +*`rsa.internal.msg`*:: + -- -This key captures the Connection ID +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.internal.messageid`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.internal.event_desc`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.internal.message`*:: + -- -This key captures IDS/IPS Int Signature ID +This key captures the contents of instant messages -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.internal.time`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. 
(Example: Printer port name). +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -*`rsa.misc.rule_group`*:: +*`rsa.internal.level`*:: + -- -This key captures the Rule group name +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.risk_num`*:: +*`rsa.internal.msg_id`*:: + -- -This key captures a Numeric Risk value +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.internal.msg_vid`*:: + -- -This key captures the Value of the trigger or threshold condition. +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.internal.data`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.internal.obj_server`*:: + -- -This key captures the Version level of a sub-component of a product. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.internal.obj_val`*:: + -- -This key captures Version level of a signature or database content. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.internal.resource`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.internal.obj_id`*:: + -- -This key captures the non-numeric risk value +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.status`*:: +*`rsa.internal.entry`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.internal.hcode`*:: + -- -This key is used to capture the mailbox id/name +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.internal.inode`*:: + -- -This key is the Unique Identifier for a rule. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.trigger_desc`*:: +*`rsa.internal.resource_class`*:: + -- -This key captures the Description of the trigger or threshold condition. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.internal.dead`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.p_msgid`*:: +*`rsa.internal.feed_desc`*:: + -- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.internal.cid`*:: + -- +This is the unique identifier used to identify a NetWitness Concentrator. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.error`*:: +*`rsa.internal.device_class`*:: + -- -This key captures All non successful Error codes or responses +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.index`*:: +*`rsa.internal.device_group`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.internal.device_host`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.internal.device_ip`*:: + -- -type: keyword +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`rsa.misc.observed_val`*:: +*`rsa.internal.device_ipv6`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.policy_value`*:: +*`rsa.internal.device_type`*:: + -- -This key captures the contents of the policy. 
This contains details about the policy +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.internal.device_type_id`*:: + -- -This key captures the name of a resource pool +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.rule_template`*:: +*`rsa.internal.did`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.count`*:: +*`rsa.internal.entropy_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.number`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.sigcat`*:: +*`rsa.internal.event_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.type`*:: +*`rsa.internal.feed_category`*:: + -- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.internal.forward_ip`*:: + -- -Comment information provided in the log message +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. 
-type: keyword +type: ip -- -*`rsa.misc.doc_number`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This key captures File Identification number +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: ip -- -*`rsa.misc.expected_val`*:: +*`rsa.internal.header_id`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.internal.lc_cid`*:: + -- -This key captures the Job Number +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.internal.lc_ctime`*:: + -- -Destination SPI Index +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`rsa.misc.spi_src`*:: +*`rsa.internal.mcb_req`*:: + -- -Source SPI Index +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.misc.code`*:: +*`rsa.internal.mcb_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`rsa.misc.agent_id`*:: +*`rsa.internal.mcbc_req`*:: + -- -This key is used to capture agent id +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.misc.message_body`*:: +*`rsa.internal.mcbc_res`*:: + -- -This key captures the The contents of the message body. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.misc.phone`*:: +*`rsa.internal.medium`*:: + -- -type: keyword +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long -- -*`rsa.misc.sig_id_str`*:: +*`rsa.internal.node_name`*:: + -- -This key captures a string object of the sigid variable. +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.internal.nwe_callback_id`*:: + -- +This key denotes that event is endpoint related + type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.internal.parse_error`*:: + -- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.name`*:: +*`rsa.internal.payload_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`rsa.misc.cpu`*:: +*`rsa.internal.payload_res`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`rsa.misc.event_desc`*:: +*`rsa.internal.process_vid_dst`*:: + -- -This key is used to capture a description of an event available directly or inferred +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.internal.process_vid_src`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.internal.rid`*:: + -- -type: keyword +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.im_client`*:: +*`rsa.internal.session_split`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.internal.site`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.internal.size`*:: + -- -type: keyword +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.priority`*:: +*`rsa.internal.sourcefile`*:: + -- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.internal.ubc_req`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.misc.context_target`*:: +*`rsa.internal.ubc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`rsa.misc.cve`*:: +*`rsa.internal.word`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. 
+This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`rsa.misc.fcatnum`*:: + +*`rsa.time.event_time`*:: + -- -This key captures Filter Category Number. Legacy Usage +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`rsa.misc.library`*:: +*`rsa.time.duration_time`*:: + -- -This key is used to capture library information in mainframe devices +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- -*`rsa.misc.parent_node`*:: +*`rsa.time.event_time_str`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.time.starttime`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.misc.tcp_flags`*:: +*`rsa.time.month`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.time.day`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.time.endtime`*:: + -- -VMWare Target **VMWARE** only varaible. 
+This key is used to capture the End time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.misc.workspace`*:: +*`rsa.time.timezone`*:: + -- -This key captures Workspace Description +This key is used to capture the timezone of the Event Time type: keyword -- -*`rsa.misc.command`*:: +*`rsa.time.duration_str`*:: + -- +A text string version of the duration + type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.time.date`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.time.recorded_time`*:: + -- -type: keyword +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date -- -*`rsa.misc.jobname`*:: +*`rsa.time.datetime`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.time.effective_time`*:: + -- -type: keyword +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date -- -*`rsa.misc.policy`*:: +*`rsa.time.expire_time`*:: + -- -type: keyword +This key is the timestamp that explicitly refers to an expiration. + +type: date -- -*`rsa.misc.policy_waiver`*:: +*`rsa.time.process_time`*:: + -- +Deprecated, use duration.time + type: keyword -- -*`rsa.misc.second`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.time.event_queue_time`*:: + -- -type: keyword +This key is the Time that the event was queued. 
+ +type: date -- -*`rsa.misc.alert_id`*:: +*`rsa.time.p_time1`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.time.tzone`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.time.eventtime`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.time.gmtdate`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.time.gmttime`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.time.p_date`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.time.p_month`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.time.p_time`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.time.p_time2`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.time.p_year`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.time.expire_time_str`*:: + -- -This key captures Risk Number SandBox +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.time.stamp`*:: + -- -This key captures Risk Number Static +Deprecated key defined only in table map. 
-type: double +type: date -- -*`rsa.misc.risk_suspicious`*:: + +*`rsa.misc.action`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.result`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.severity`*:: + -- -SNMP Object Identifier +This key is used to capture the severity given the session type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.event_type`*:: + -- -This key captures the SQL query +This key captures the event category type as specified by the event source. type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.reference_id`*:: + -- -This key captures the Vulnerability Reference details +This key is used to capture an event id from the session directly type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.version`*:: + -- +This key captures Version of the application or OS which is generating the event. + type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.disposition`*:: + -- +This key captures the The end state of an action. 
+ type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.result_code`*:: + -- +This key is used to capture the outcome/result numeric value of an action in a session + type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.category`*:: + -- +This key is used to capture the category of an event given by the vendor in the session + type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.obj_name`*:: + -- +This is used to capture name of object + type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.obj_type`*:: + -- +This is used to capture type of object + type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.event_source`*:: + -- +This key captures Source of the event that’s not a hostname + type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.log_session_id`*:: + -- +This key is used to capture a sessionid from the session directly + type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.group`*:: + -- +This key captures the Group Name value + type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.policy_name`*:: + -- +This key is used to capture the Policy Name only. + type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.rule_name`*:: + -- +This key captures the Rule Name + type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.context`*:: + -- +This key captures Information which adds additional context to the event. + type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.change_new`*:: + -- +This key is used to capture the new values of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.client`*:: + -- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.change_old`*:: + -- +This key is used to capture the old value of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.operation_id`*:: + -- +An alert number or operation number. The values should be unique and non-repeating. + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.event_state`*:: + -- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.group_object`*:: + -- +This key captures a collection/grouping of entities. Specific usage + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.node`*:: + -- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.rule`*:: + -- +This key captures the Rule number + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.device_name`*:: + -- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.param`*:: + -- +This key is the parameters passed as part of a command or application, etc. + type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.change_attrib`*:: + -- +This key is used to capture the name of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.event_computer`*:: + -- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.reference_id1`*:: + -- +This key is for Linked ID to be used as an addition to "reference.id" + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.event_log`*:: + -- +This key captures the Name of the event log + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.OS`*:: + -- +This key captures the Name of the Operating System + type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.terminal`*:: + -- +This key captures the Terminal Names only + type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.msgIdPart3`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.filter`*:: + -- +This key captures Filter used to reduce result set + type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.serial_number`*:: + -- +This key is the Serial number associated with a physical asset. + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.checksum`*:: + -- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.event_user`*:: + -- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.virusname`*:: + -- +This key captures the name of the virus + type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.content_type`*:: + -- +This key is used to capture Content Type only. 
+ type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.group_id`*:: + -- +This key captures Group ID Number (related to the group name) + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.policy_id`*:: + -- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.misc.sensor`*:: + -- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.sig_id`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID + +type: long -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.misc.port_name`*:: + -- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.rule_group`*:: + -- +This key captures the Rule group name + type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.risk_num`*:: + -- -type: keyword +This key captures a Numeric Risk value + +type: double -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.trigger_val`*:: + -- +This key captures the Value of the trigger or threshold condition. 
+ type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.log_session_id1`*:: + -- +This key is used to capture a Linked (Related) Session ID from the session directly + type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.comp_version`*:: + -- +This key captures the Version level of a sub-component of a product. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.content_version`*:: + -- +This key captures Version level of a signature or database content. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.hardware_id`*:: + -- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.risk`*:: + -- +This key captures the non-numeric risk value + type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.mail_id`*:: + -- +This key is used to capture the mailbox id/name + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.rule_uid`*:: + -- +This key is the Unique Identifier for a rule. + type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.trigger_desc`*:: + -- +This key captures the Description of the trigger or threshold condition. 
+ type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.misc.listnum`*:: + -- +This key is used to capture listname or listnumber, primarily for collecting access-list + type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.misc.observed_val`*:: + -- +This key captures the Value observed (from the perspective of the device generating the log). + type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.misc.policy_value`*:: + -- +This key captures the contents of the policy. 
This contains details about the policy + type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.pool_name`*:: + -- +This key captures the name of a resource pool + type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.misc.rule_template`*:: + -- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.count`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.misc.comments`*:: + -- +Comment information provided in the log message + type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.misc.doc_number`*:: + -- -type: keyword +This key captures File Identification number + +type: long -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.misc.expected_val`*:: + -- +This key captures the Value expected (from the perspective of the device generating the log). + type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.misc.job_num`*:: + -- +This key captures the Job Number + type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.misc.spi_dst`*:: + -- +Destination SPI Index + type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.misc.spi_src`*:: + -- +Source SPI Index + type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.misc.agent_id`*:: + -- +This key is used to capture agent id + type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.misc.message_body`*:: + -- +This key captures the The contents of the message body. + type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.misc.sig_id_str`*:: + -- +This key captures a string object of the sigid variable. 
+ type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.cmd`*:: + -- type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.misc.name`*:: + -- type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.misc.cpu`*:: + -- -type: keyword +This key is the CPU time used in the execution of the event being recorded. + +type: long -- -*`rsa.misc.cs_data`*:: +*`rsa.misc.event_desc`*:: + -- +This key is used to capture a description of an event available directly or inferred + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.misc.sig_id1`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.im_client`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.misc.priority`*:: + -- type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.misc.context_subject`*:: + -- +This key is to be used in an audit context where the subject is the object being identified + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.misc.context_target`*:: + -- type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.misc.cve`*:: + -- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.misc.fcatnum`*:: + -- +This key captures Filter Category Number. Legacy Usage + type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.misc.library`*:: + -- +This key is used to capture library information in mainframe devices + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.misc.parent_node`*:: + -- +This key captures the Parent Node Name. Must be related to node variable. 
+ type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.misc.risk_info`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: keyword +This key is captures the TCP flags set in any packet of session + +type: long -- -*`rsa.misc.cs_loginname`*:: +*`rsa.misc.tos`*:: + -- -type: keyword +This key describes the type of service + +type: long -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.misc.vm_target`*:: + -- +VMWare Target **VMWARE** only varaible. + type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.misc.workspace`*:: + -- +This key captures Workspace Description + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.misc.alert_id`*:: + -- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.misc.checksum_dst`*:: + -- +This key is used to capture the checksum or hash of the the target entity such as a process or file. 
+ type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.misc.checksum_src`*:: + -- +This key is used to capture the checksum or hash of the source entity such as a file or process. + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.misc.fresult`*:: + -- -type: keyword +This key captures the Filter Result + +type: long -- -*`rsa.misc.dstburb`*:: +*`rsa.misc.payload_dst`*:: + -- +This key is used to capture destination payload + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.misc.payload_src`*:: + -- +This key is used to capture source payload + type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.misc.pool_id`*:: + -- +This key captures the identifier (typically numeric field) of a resource pool + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.misc.process_id_val`*:: + -- +This key is a failure key for Process ID when it is not an integer value + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.misc.risk_num_comm`*:: + -- -type: keyword +This key captures Risk Number Community + +type: double -- -*`rsa.misc.finterface`*:: +*`rsa.misc.risk_num_next`*:: + -- -type: keyword +This key captures Risk Number NextGen + +type: double -- -*`rsa.misc.flags`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: keyword +This key captures Risk Number SandBox + +type: double -- -*`rsa.misc.gaddr`*:: +*`rsa.misc.risk_num_static`*:: + -- -type: keyword +This key captures Risk Number Static + +type: double -- -*`rsa.misc.id3`*:: +*`rsa.misc.risk_suspicious`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.misc.risk_warning`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.misc.snmp_oid`*:: + -- +SNMP Object Identifier + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.misc.sql`*:: + -- +This key captures the SQL query + type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.misc.vuln_ref`*:: + -- +This key captures the Vulnerability 
Reference details + type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`rsa.misc.num`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.misc.cn_asn_src`*:: + -- type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`rsa.misc.object`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- 
-*`rsa.misc.operation`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.misc.cn_engine_id`*:: + -- type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- type: keyword -- -*`rsa.misc.password_expire`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.misc.cn_l_switch`*:: + -- type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`rsa.misc.program`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- 
type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`rsa.misc.session`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`rsa.misc.state`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.misc.cn_template_id`*:: + -- type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- 
-*`rsa.misc.v_instafname`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.misc.criticality`*:: + -- type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -This is used to capture Auto Run type - type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Valid Credit Card Numbers only - -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.misc.cs_av_other`*:: + -- -This key captures the content type from protocol headers - type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Employee Identification Numbers only - -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -This is used to capture the results of regex match - type: keyword -- -*`rsa.misc.language`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -This is used to capture list of languages the client support and what it prefers - type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.misc.cs_bit9status`*:: + -- -This key is used to capture the session lifetime in seconds. - -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.misc.cs_context`*:: + -- -This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.misc.match`*:: +*`rsa.misc.cs_control`*:: + -- -This key is for regex match name from search.ini - type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.misc.cs_data`*:: + -- -This key captures the command line/launch argument of the target process or file - type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.misc.cs_datecret`*:: + -- -This key captures source parameter - type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -This key captures the Search Text used - type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This key is used to capture the Signature Name only. - type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -SNMP set request value - type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This key captures number of streams in session - -type: long +type: keyword -- - -*`rsa.db.index`*:: +*`rsa.misc.cs_filetype`*:: + -- -This key captures IndexID of the index. - type: keyword -- -*`rsa.db.instance`*:: +*`rsa.misc.cs_fld`*:: + -- -This key is used to capture the database server instance name - type: keyword -- -*`rsa.db.database`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session - type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.misc.cs_if_name`*:: + -- -This key captures the SQL transantion ID of the current session - type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This key captures permission or privilege level assigned to a resource. 
- type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -This key is used to capture the table name - type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key is used to capture the unique identifier for a database - type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.misc.cs_lifetime`*:: + -- -This key captures the process id of a connection with database server - -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This key is used for the number of logical reads - -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.misc.cs_loginname`*:: + -- -This key is used for the number of logical writes - -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This key is used for the number of physical writes - -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - type: keyword -- -*`rsa.network.domain`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.misc.cs_payload`*:: + -- -This key should only be used when it’s a Destination Hostname - type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.misc.cs_registrant`*:: + -- -This is used to capture layer 7 protocols/service names - type: keyword -- -*`rsa.network.interface`*:: +*`rsa.misc.cs_registrar`*:: + -- -This key should be used when the source or destination context of an interface is not clear - type: keyword -- -*`rsa.network.network_port`*:: +*`rsa.misc.cs_represult`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
- -type: long +type: keyword -- -*`rsa.network.eth_host`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Deprecated, use alias.mac - type: keyword -- -*`rsa.network.sinterface`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -This key should only be used when it’s a Source Interface - type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This key should only be used when it’s a Destination Interface - type: keyword -- -*`rsa.network.vlan`*:: +*`rsa.misc.cs_streams`*:: + -- -This key should only be used to capture the ID of the Virtual LAN - -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -This key should only be used when it’s a Source Zone. - type: keyword -- -*`rsa.network.zone`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -This key should be used when the source or destination context of a Zone is not clear - type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.misc.cs_whois_server`*:: + -- -This key should only be used when it’s a Destination Zone. - type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This key is used to capture the IP Address of the gateway - type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.misc.description`*:: + -- -This key is used to capture the ICMP type only - -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.misc.devvendor`*:: + -- -This key is used to capture the device network IPmask. 
- type: keyword -- -*`rsa.network.icmp_code`*:: +*`rsa.misc.distance`*:: + -- -This key is used to capture the ICMP code only - -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.misc.dstburb`*:: + -- -This key should be used to capture additional protocol information - type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.misc.edomain`*:: + -- -This key is used for Destionation Device network mask - type: keyword -- -*`rsa.network.port`*:: +*`rsa.misc.edomaub`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.misc.euid`*:: + -- -This key is used for capturing source Network Mask - type: keyword -- -*`rsa.network.netname`*:: +*`rsa.misc.facility`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.misc.finterface`*:: + -- -Deprecated - -type: ip +type: keyword -- -*`rsa.network.faddr`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`rsa.network.origin`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`rsa.network.addr`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.network.fport`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.network.phost`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.misc.linenum`*:: + -- -Deprecated, use 
host.dst - type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.misc.list_name`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.misc.load_data`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`rsa.network.dns_id`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.network.domain1`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.misc.lport`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.misc.mbug_data`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
- type: keyword -- -*`rsa.network.vlan_name`*:: +*`rsa.misc.misc_name`*:: + -- -This key should only be used to capture the name of the Virtual LAN - type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.misc.msg_type`*:: + -- -This key captures the particular event activity(Ex:Logoff) - type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.misc.msgid`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) - type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.misc.netsessid`*:: + -- -This key captures the Subject of a particular Event(Ex:User) - type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.misc.num`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) - type: keyword -- -*`rsa.investigations.event_cat`*:: +*`rsa.misc.number1`*:: + -- -This key captures the Event category number - -type: long +type: keyword -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.misc.number2`*:: + -- -This key captures the event category name corresponding to the event cat code - type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.misc.nwwn`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.misc.object`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`rsa.misc.operation`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.misc.opkt`*:: + -- -This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - type: keyword -- -*`rsa.investigations.boc`*:: +*`rsa.misc.orig_from`*:: + -- -This is used to capture behaviour of compromise - type: keyword -- -*`rsa.investigations.eoc`*:: +*`rsa.misc.owner_id`*:: + -- -This is used to capture Enablers of Compromise - type: keyword -- -*`rsa.investigations.inv_category`*:: +*`rsa.misc.p_action`*:: + -- -This used to capture investigation category - type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.misc.p_filter`*:: + -- -This used to capture investigation context - type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.misc.p_group_object`*:: + -- -This is key capture indicator of compromise - type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.misc.p_id`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`rsa.misc.p_msgid1`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long +type: keyword -- -*`rsa.counters.event_counter`*:: +*`rsa.misc.p_msgid2`*:: + -- -This is used to capture the number of times an event repeated - -type: long +type: keyword -- -*`rsa.counters.dclass_r1`*:: +*`rsa.misc.p_result1`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only - type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.misc.password_chg`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.misc.password_expire`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only - type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.misc.permgranted`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only - type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.misc.permwanted`*:: + 
-- -This is a generic ratio string key that should be used with the label dclass.r1 only - type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.misc.pgid`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only - type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.misc.policyUUID`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only - type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`rsa.misc.prog_asp_num`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only - type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.misc.program`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only - type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.misc.real_data`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only - type: keyword -- - -*`rsa.identity.auth_method`*:: +*`rsa.misc.rec_asp_device`*:: + -- -This key is used to capture authentication methods used only - type: keyword -- -*`rsa.identity.user_role`*:: +*`rsa.misc.rec_asp_num`*:: + -- -This key is used to capture the Role of a user only - type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.misc.rec_library`*:: + -- -X.500 (LDAP) Distinguished Name - type: keyword -- -*`rsa.identity.logon_type`*:: +*`rsa.misc.recordnum`*:: + -- -This key is used to capture the type of logon method used. 
- type: keyword -- -*`rsa.identity.profile`*:: +*`rsa.misc.ruid`*:: + -- -This key is used to capture the user profile - type: keyword -- -*`rsa.identity.accesses`*:: +*`rsa.misc.sburb`*:: + -- -This key is used to capture actual privileges used in accessing an object - type: keyword -- -*`rsa.identity.realm`*:: +*`rsa.misc.sdomain_fld`*:: + -- -Radius realm or similar grouping of accounts - type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.misc.sec`*:: + -- -This key captures Destination User Session ID - type: keyword -- -*`rsa.identity.dn_src`*:: +*`rsa.misc.sensorname`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - type: keyword -- -*`rsa.identity.org`*:: +*`rsa.misc.seqnum`*:: + -- -This key captures the User organization - type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.misc.session`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.misc.sessiontype`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.lastname`*:: +*`rsa.misc.sigUUID`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.user_dept`*:: +*`rsa.misc.spi`*:: + -- -User's Department Names only - type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`rsa.misc.srcburb`*:: + -- -This key captures Source User Session ID - type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.misc.srcdom`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. - type: keyword -- -*`rsa.identity.federated_idp`*:: +*`rsa.misc.srcservice`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. 
- type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.misc.state`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.misc.status1`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.password`*:: +*`rsa.misc.svcno`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted - type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.misc.system`*:: + -- -This key should only be used to capture the role of a Host Machine - type: keyword -- -*`rsa.identity.ldap`*:: +*`rsa.misc.tbdstr1`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - type: keyword -- -*`rsa.identity.ldap_query`*:: +*`rsa.misc.tgtdom`*:: + -- -This key is the Search criteria from an LDAP search - type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.misc.tgtdomain`*:: + -- -This key is to capture Results from an LDAP search - type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.misc.threshold`*:: + -- -This is used to capture username the process or service is running as, the author of the task - type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.misc.type1`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - type: keyword -- - -*`rsa.email.email_dst`*:: +*`rsa.misc.udb_class`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.misc.url_fld`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email - type: keyword -- -*`rsa.email.subject`*:: +*`rsa.misc.user_div`*:: + -- -This key is used to capture the subject string from an Email only. - type: keyword -- -*`rsa.email.email`*:: +*`rsa.misc.userid`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear - type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.misc.username_fld`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.misc.utcstamp`*:: + -- -Deprecated key defined only in table map. - type: keyword -- - -*`rsa.file.privilege`*:: +*`rsa.misc.v_instafname`*:: + -- -Deprecated, use permissions - type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.misc.virt_data`*:: + -- -This key captures the attachment file name - type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.file.binary`*:: +*`rsa.misc.autorun_type`*:: + -- -Deprecated key defined only in table map. 
+This is used to capture Auto Run type type: keyword -- -*`rsa.file.filename_dst`*:: +*`rsa.misc.cc_number`*:: + -- -This is used to capture name of the file targeted by the action +Valid Credit Card Numbers only -type: keyword +type: long -- -*`rsa.file.filename_src`*:: +*`rsa.misc.content`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +This key captures the content type from protocol headers type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.file.directory_dst`*:: +*`rsa.misc.found`*:: + -- -This key is used to capture the directory of the target process or file +This is used to capture the results of regex match type: keyword -- -*`rsa.file.directory_src`*:: +*`rsa.misc.language`*:: + -- -This key is used to capture the directory of the source process or file +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.misc.lifetime`*:: + -- -This is used to capture entropy vale of a file +This key is used to capture the session lifetime in seconds. -type: double +type: long -- -*`rsa.file.file_vendor`*:: +*`rsa.misc.link`*:: + -- -This is used to capture Company name of file located in version_info +This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.file.task_name`*:: +*`rsa.misc.match`*:: + -- -This is used to capture name of the task +This key is for regex match name from search.ini type: keyword -- - -*`rsa.web.fqdn`*:: +*`rsa.misc.param_dst`*:: + -- -Fully Qualified Domain Names +This key captures the command line/launch argument of the target process or file type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.misc.param_src`*:: + -- -This key is used to capture the Web cookies specifically. +This key captures source parameter type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.misc.sig_name`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +This key is used to capture the Signature Name only. -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`rsa.misc.snmp_value`*:: + -- -Web referer's domain +SNMP set request value type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.misc.streams`*:: + -- -This key captures Web referer's query portion of the URL +This key captures number of streams in session -type: keyword +type: long -- -*`rsa.web.remote_domain`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. 
+ type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.db.instance`*:: + -- -This key captures Web referer's page information +This key is used to capture the database server instance name type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.db.database`*:: + -- -Web referer's root URL path +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.web.p_user_agent`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.web.p_web_cookie`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.web.p_web_method`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes --- +type: long -*`rsa.web.p_web_referer`*:: -+ -- -type: keyword --- -*`rsa.web.web_extension_tmp`*:: +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ type: keyword -- -*`rsa.web.web_page`*:: +*`rsa.network.domain`*:: + -- type: keyword -- - -*`rsa.threat.threat_category`*:: +*`rsa.network.host_dst`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +This key should only be used when it’s a Destination Hostname type: keyword -- -*`rsa.threat.threat_desc`*:: +*`rsa.network.network_service`*:: + -- -This key is used to capture the threat description from the session directly or inferred +This is used to capture layer 7 protocols/service names type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.network.interface`*:: + -- -This key is used to capture name of the alert +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.network.network_port`*:: + -- -This key is used to capture source of the threat +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- - -*`rsa.crypto.crypto`*:: +*`rsa.network.eth_host`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +Deprecated, use alias.mac type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.network.sinterface`*:: + -- -This key is for Source (Client) Cipher +This key should only be used when it’s a Source Interface type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.network.dinterface`*:: + -- -This key is used to capture the Certificate organization only +This key should only be used when it’s a Destination Interface type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.network.vlan`*:: + -- -This key is for Encryption peer's IP Address +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.network.zone_src`*:: + -- -This key captures Source (Client) Cipher Size +This key should only be used when it’s a Source Zone. 
-type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.network.zone`*:: + -- -IKE negotiation phase. +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.network.zone_dst`*:: + -- -This key captures the Encryption scheme used +This key should only be used when it’s a Destination Zone. type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.network.gateway`*:: + -- -This key is for Encryption peer’s identity +This key is used to capture the IP Address of the gateway type: keyword -- -*`rsa.crypto.sig_type`*:: +*`rsa.network.icmp_type`*:: + -- -This key captures the Signature Type +This key is used to capture the ICMP type only -type: keyword +type: long -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. + type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.network.icmp_code`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the ICMP code only -type: keyword +type: long -- -*`rsa.crypto.cert_error`*:: +*`rsa.network.protocol_detail`*:: + -- -This key captures the Certificate Error String +This key should be used to capture additional protocol information type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.network.dmask`*:: + -- -This key is for Destination (Server) Cipher +This key is used for Destionation Device network mask type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.network.port`*:: + -- -This key captures Destination (Server) Cipher Size +This key should only be used to capture a Network Port when the directionality is not clear type: long -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.network.smask`*:: + -- -Deprecated, use version +This key is used for capturing source Network Mask type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. 
+ type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.network.faddr`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One - type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.network.lhost`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two - type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.network.remote_domain_id`*:: + -- -This key is used for the hostname category value of a certificate - type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.network.addr`*:: + -- -This key is used to capture the Certificate serial number only - type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.network.dns_a_record`*:: + -- -This key captures Certificate validation status - type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.network.dns_ptr_record`*:: + -- -Deprecated, use version - type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.network.phost`*:: + -- -This key is used to capture the Certificate signing authority only - type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.network.ad_computer_dst`*:: + -- -This key is used to capture the Certificate common name only +Deprecated, use host.dst type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.network.eth_type`*:: + -- -This key is used to capture the ssid of a Wireless Session +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only -type: keyword +type: long -- -*`rsa.wireless.access_point`*:: +*`rsa.network.ip_proto`*:: + -- -This key is used to capture the access point name. 
+This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: keyword +type: long -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.network.dns_cname_record`*:: + -- -This is used to capture the channel names - -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.network.dns_id`*:: + -- -This key captures either WLAN number/name - type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.network.dns_opcode`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk - type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.network.dns_resp`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. - type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.network.dns_type`*:: + -- -This uniquely identifies a port on a HBA. - type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.network.domain1`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.network.host_type`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. - type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.network.packet_length`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.network.host_orig`*:: + -- -This key captures the unique ID for a patient +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.network.rpayload`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.network.vlan_name`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key should only be used to capture the name of the Virtual LAN type: keyword -- -*`rsa.endpoint.host_state`*:: +*`rsa.investigations.ec_activity`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.investigations.ec_theme`*:: + -- -This key captures the path to the registry key +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.investigations.ec_subject`*:: + -- -This key captures values or decorators used within a registry entry +This key captures the Subject of a particular Event(Ex:User) type: keyword -- -[[exported-fields-fortinet]] -== Fortinet fields - -fortinet Module - - - -*`network.interface.name`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Name of the network interface where the traffic has been observed. - +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- - - -*`rsa.internal.msg`*:: +*`rsa.investigations.event_cat`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +This key captures the Event category number -type: keyword +type: long -- -*`rsa.internal.messageid`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
+ type: keyword -- -*`rsa.internal.message`*:: +*`rsa.investigations.analysis_file`*:: + -- -This key captures the contents of instant messages +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -- -*`rsa.internal.time`*:: +*`rsa.investigations.analysis_service`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.investigations.analysis_session`*:: + -- -Deprecated key defined only in table map. +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.investigations.boc`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is used to capture behaviour of compromise type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.investigations.eoc`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is used to capture Enablers of Compromise type: keyword -- -*`rsa.internal.data`*:: +*`rsa.investigations.inv_category`*:: + -- -Deprecated key defined only in table map. 
+This used to capture investigation category type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.investigations.inv_context`*:: + -- -Deprecated key defined only in table map. +This used to capture investigation context type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.investigations.ioc`*:: + -- -Deprecated key defined only in table map. +This is key capture indicator of compromise type: keyword -- -*`rsa.internal.resource`*:: + +*`rsa.counters.dclass_c1`*:: + -- -Deprecated key defined only in table map. +This is a generic counter key that should be used with the label dclass.c1.str only -type: keyword +type: long -- -*`rsa.internal.obj_id`*:: +*`rsa.counters.dclass_c2`*:: + -- -Deprecated key defined only in table map. +This is a generic counter key that should be used with the label dclass.c2.str only -type: keyword +type: long -- -*`rsa.internal.statement`*:: +*`rsa.counters.event_counter`*:: + -- -Deprecated key defined only in table map. +This is used to capture the number of times an event repeated -type: keyword +type: long -- -*`rsa.internal.audit_class`*:: +*`rsa.counters.dclass_r1`*:: + -- -Deprecated key defined only in table map. +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.counters.dclass_c3`*:: + -- -Deprecated key defined only in table map. +This is a generic counter key that should be used with the label dclass.c3.str only -type: keyword +type: long -- -*`rsa.internal.hcode`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -Deprecated key defined only in table map. +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -Deprecated key defined only in table map. 
+This is a generic counter string key that should be used with the label dclass.c2 only -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Deprecated key defined only in table map. +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.counters.dclass_r2`*:: + -- -Deprecated key defined only in table map. +This is a generic ratio key that should be used with the label dclass.r2.str only -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.counters.dclass_r3`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -*`rsa.internal.device_group`*:: + +*`rsa.identity.auth_method`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture authentication methods used only type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.identity.user_role`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the Role of a user only type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.identity.dn`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +X.500 (LDAP) Distinguished Name -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.identity.logon_type`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the type of logon method used. -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.identity.profile`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the user profile type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.identity.accesses`*:: + -- -Deprecated key defined only in table map. 
+This key is used to capture actual privileges used in accessing an object -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.identity.realm`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Radius realm or similar grouping of accounts type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.identity.user_sid_dst`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +This key captures Destination User Session ID -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.identity.dn_src`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.identity.org`*:: + -- -Deprecated key defined only in table map. +This key captures the User organization type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.identity.dn_dst`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.identity.firstname`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. 
+This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.identity.lastname`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.identity.user_dept`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +User's Department Names only type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.identity.user_sid_src`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Source User Session ID type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.identity.federated_sp`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is the Federated Service Provider. This is the application requesting authentication. -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.identity.federated_idp`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +This key is the federated Identity Provider. This is the server providing the authentication. 
-type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.identity.logon_type_desc`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.identity.middlename`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.identity.password`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +This key is for Passwords seen in any session, plain text or encrypted -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.identity.host_role`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +This key should only be used to capture the role of a Host Machine -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.identity.ldap`*:: + -- -Deprecated key defined only in table map. +This key is for Uninterpreted LDAP values. 
Ldap Values that don’t have a clear query or response context type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.identity.ldap_query`*:: + -- -This key denotes that event is endpoint related +This key is the Search criteria from an LDAP search type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.identity.ldap_response`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is to capture Results from an LDAP search type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.identity.owner`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +This is used to capture username the process or service is running as, the author of the task -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.identity.service_account`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: + +*`rsa.email.email_dst`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.email.email_src`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. 
+This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.email.subject`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the subject string from an Email only. -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.email.email`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture a generic email address where the source or destination context is not clear type: keyword -- -*`rsa.internal.site`*:: +*`rsa.email.trans_from`*:: + -- Deprecated key defined only in table map. 
@@ -60929,11137 +54049,11093 @@ type: keyword -- -*`rsa.internal.size`*:: +*`rsa.email.trans_to`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: + +*`rsa.file.privilege`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Deprecated, use permissions type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.file.attachment`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +This key captures the attachment file name -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.file.filesystem`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.file.binary`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +Deprecated key defined only in table map. type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.file.filename_dst`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +This is used to capture name of the file targeted by the action -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.file.filename_src`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. 
+This is used to capture name of the parent filename, the file which performed the action -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.file.filename_tmp`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.file.directory_dst`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form +This key is used to capture the directory of the target process or file -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.time.day`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`rsa.time.endtime`*:: +*`rsa.file.file_vendor`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +This is used to capture Company name of file located in version_info -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`rsa.file.task_name`*:: + -- -This key is used to capture the timezone of the Event Time +This is used to capture name of the task type: keyword -- -*`rsa.time.duration_str`*:: + +*`rsa.web.fqdn`*:: + -- -A text string version of the duration +Fully Qualified Domain Names type: keyword -- -*`rsa.time.date`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`rsa.time.year`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.web.reputation_num`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. +Reputation Number of an entity. 
Typically used for Web Domains -type: date +type: double -- -*`rsa.time.datetime`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.web.web_ref_query`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format +This key captures Web referer's query portion of the URL -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.web.remote_domain`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.web.web_ref_page`*:: + -- -Deprecated, use duration.time +This key captures Web referer's page information type: keyword -- -*`rsa.time.hour`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`rsa.time.min`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.web.urlpage`*:: + -- -This key is the Time that the event was queued. 
- -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert + type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.threat.alert`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. +This key is used to capture name of the alert type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.threat.threat_source`*:: + -- -Deprecated key defined only in table map. +This key is used to capture source of the threat -type: date +type: keyword -- -*`rsa.misc.action`*:: +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`rsa.misc.result`*:: +*`rsa.crypto.cipher_src`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. 
+This key is for Source (Client) Cipher type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.crypto.cert_subject`*:: + -- -This key is used to capture the severity given the session +This key is used to capture the Certificate organization only type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.crypto.peer`*:: + -- -This key captures the event category type as specified by the event source. +This key is for Encryption peer's IP Address type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -This key is used to capture an event id from the session directly +This key captures Source (Client) Cipher Size -type: keyword +type: long -- -*`rsa.misc.version`*:: +*`rsa.crypto.ike`*:: + -- -This key captures Version of the application or OS which is generating the event. +IKE negotiation phase. type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.crypto.scheme`*:: + -- -This key captures the The end state of an action. +This key captures the Encryption scheme used type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.crypto.peer_id`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session +This key is for Encryption peer’s identity type: keyword -- -*`rsa.misc.category`*:: +*`rsa.crypto.sig_type`*:: + -- -This key is used to capture the category of an event given by the vendor in the session +This key captures the Signature Type type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.crypto.cert_issuer`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.crypto.cert_host_name`*:: + -- -This is used to capture type of object +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.crypto.cert_error`*:: + -- -This key captures Source of the event that’s not a hostname +This key captures the Certificate Error String type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.crypto.cipher_dst`*:: + -- -This key is used to capture a sessionid from the session directly +This key is for Destination (Server) Cipher type: keyword -- -*`rsa.misc.group`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -This key captures the Group Name value +This key captures Destination (Server) Cipher Size -type: keyword +type: long -- -*`rsa.misc.policy_name`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -This key is used to capture the Policy Name only. +Deprecated, use version type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.crypto.d_certauth`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.crypto.s_certauth`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`rsa.misc.space`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.misc.client`*:: +*`rsa.crypto.cert_checksum`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.crypto.cert_status`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session +This key captures Certificate validation status type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. +Deprecated, use version type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.crypto.cert_keysize`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.crypto.cert_username`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.crypto.https_insact`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.crypto.https_valid`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.crypto.cert_ca`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc +This key is used to capture the Certificate signing authority only type: keyword -- -*`rsa.misc.param`*:: +*`rsa.crypto.cert_common`*:: + -- -This key is the parameters passed as part of a command or application, etc. 
+This key is used to capture the Certificate common name only type: keyword -- -*`rsa.misc.change_attrib`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.wireless.access_point`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +This key is used to capture the access point name. type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.wireless.wlan_channel`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +This is used to capture the channel names -type: keyword +type: long -- -*`rsa.misc.event_log`*:: +*`rsa.wireless.wlan_name`*:: + -- -This key captures the Name of the event log +This key captures either WLAN number/name type: keyword -- -*`rsa.misc.OS`*:: + +*`rsa.storage.disk_volume`*:: + -- -This key captures the Name of the Operating System +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.storage.lun`*:: + -- -This key captures the Terminal Names only +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.storage.pwwn`*:: + -- +This uniquely identifies a port on a HBA. + type: keyword -- -*`rsa.misc.filter`*:: + +*`rsa.physical.org_dst`*:: + -- -This key captures Filter used to reduce result set +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.physical.org_src`*:: + -- -This key is the Serial number associated with a physical asset. +This is used to capture the source organization based on the GEOPIP Maxmind database. 
type: keyword -- -*`rsa.misc.checksum`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.healthcare.patient_id`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. +This key captures the unique ID for a patient type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.healthcare.patient_lname`*:: + -- -This key captures the name of the virus +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.healthcare.patient_mname`*:: + -- -This key is used to capture Content Type only. 
+This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.group_id`*:: + +*`rsa.endpoint.host_state`*:: + -- -This key captures Group ID Number (related to the group name) +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.endpoint.registry_key`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise +This key captures the path to the registry key type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.endpoint.registry_value`*:: + -- -This key captures Virtual System Name +This key captures values or decorators used within a registry entry type: keyword -- -*`rsa.misc.connection_id`*:: +[[exported-fields-fortinet]] +== Fortinet fields + +fortinet Module + + + +*`network.interface.name`*:: + -- -This key captures the Connection ID +Name of the network interface where the traffic has been observed. + type: keyword -- -*`rsa.misc.reference_id2`*:: + + +*`rsa.internal.msg`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.internal.messageid`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.internal.event_desc`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.internal.message`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). 
+This key captures the contents of instant messages type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.internal.time`*:: + -- -This key captures the Rule group name +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -*`rsa.misc.risk_num`*:: +*`rsa.internal.level`*:: + -- -This key captures a Numeric Risk value +Deprecated key defined only in table map. -type: double +type: long -- -*`rsa.misc.trigger_val`*:: +*`rsa.internal.msg_id`*:: + -- -This key captures the Value of the trigger or threshold condition. +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.internal.msg_vid`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.internal.data`*:: + -- -This key captures the Version level of a sub-component of a product. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.internal.obj_server`*:: + -- -This key captures Version level of a signature or database content. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.internal.obj_val`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.internal.resource`*:: + -- -This key captures the non-numeric risk value +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.internal.obj_id`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.status`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.internal.entry`*:: + -- -This key is used to capture the mailbox id/name +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.internal.hcode`*:: + -- -This key is the Unique Identifier for a rule. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.internal.inode`*:: + -- -This key captures the Description of the trigger or threshold condition. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.inout`*:: +*`rsa.internal.resource_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.internal.dead`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.data_type`*:: +*`rsa.internal.feed_desc`*:: + -- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.error`*:: +*`rsa.internal.cid`*:: + -- -This key captures All non successful Error codes or responses +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.index`*:: +*`rsa.internal.device_class`*:: + -- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.internal.device_group`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.internal.device_host`*:: + -- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.internal.device_ip`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.policy_value`*:: +*`rsa.internal.device_ipv6`*:: + -- -This key captures the contents of the policy. 
This contains details about the policy +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.pool_name`*:: +*`rsa.internal.device_type`*:: + -- -This key captures the name of a resource pool +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.internal.device_type_id`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.count`*:: +*`rsa.internal.did`*:: + -- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.number`*:: +*`rsa.internal.entropy_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.sigcat`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.type`*:: +*`rsa.internal.event_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.internal.feed_category`*:: + -- -Comment information provided in the log message +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.internal.forward_ip`*:: + -- -This key captures File Identification number +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: long +type: ip -- -*`rsa.misc.expected_val`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.job_num`*:: +*`rsa.internal.header_id`*:: + -- -This key captures the Job Number +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.internal.lc_cid`*:: + -- -Destination SPI Index +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.internal.lc_ctime`*:: + -- -Source SPI Index +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`rsa.misc.code`*:: +*`rsa.internal.mcb_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`rsa.misc.agent_id`*:: +*`rsa.internal.mcb_res`*:: + -- -This key is used to capture agent id +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.misc.message_body`*:: +*`rsa.internal.mcbc_req`*:: + -- -This key captures the The contents of the message body. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.misc.phone`*:: +*`rsa.internal.mcbc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`rsa.misc.sig_id_str`*:: +*`rsa.internal.medium`*:: + -- -This key captures a string object of the sigid variable. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`rsa.misc.cmd`*:: +*`rsa.internal.node_name`*:: + -- +Deprecated key defined only in table map. 
+ type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.internal.nwe_callback_id`*:: + -- +This key denotes that event is endpoint related + type: keyword -- -*`rsa.misc.name`*:: +*`rsa.internal.parse_error`*:: + -- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.internal.payload_req`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`rsa.misc.event_desc`*:: +*`rsa.internal.payload_res`*:: + -- -This key is used to capture a description of an event available directly or inferred +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`rsa.misc.sig_id1`*:: +*`rsa.internal.process_vid_dst`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.internal.process_vid_src`*:: + -- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.internal.rid`*:: + -- -type: keyword +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.im_userid`*:: +*`rsa.internal.session_split`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.internal.site`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.internal.size`*:: + -- -type: keyword +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.context_subject`*:: +*`rsa.internal.sourcefile`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.internal.ubc_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`rsa.misc.cve`*:: +*`rsa.internal.ubc_res`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.misc.fcatnum`*:: +*`rsa.internal.word`*:: + -- -This key captures Filter Category Number. 
Legacy Usage +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`rsa.misc.library`*:: + +*`rsa.time.event_time`*:: + -- -This key is used to capture library information in mainframe devices +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`rsa.misc.parent_node`*:: +*`rsa.time.duration_time`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- -*`rsa.misc.risk_info`*:: +*`rsa.time.event_time_str`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.time.starttime`*:: + -- -This key is captures the TCP flags set in any packet of session +This key is used to capture the Start time mentioned in a session in a standard form -type: long +type: date -- -*`rsa.misc.tos`*:: +*`rsa.time.month`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.time.day`*:: + -- -VMWare Target **VMWARE** only varaible. 
- type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.time.endtime`*:: + -- -This key captures Workspace Description +This key is used to capture the End time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.misc.command`*:: +*`rsa.time.timezone`*:: + -- +This key is used to capture the timezone of the Event Time + type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.time.duration_str`*:: + -- +A text string version of the duration + type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.time.date`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.time.recorded_time`*:: + -- -type: keyword +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date -- -*`rsa.misc.mode`*:: +*`rsa.time.datetime`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.time.effective_time`*:: + -- -type: keyword +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date -- -*`rsa.misc.policy_waiver`*:: +*`rsa.time.expire_time`*:: + -- -type: keyword +This key is the timestamp that explicitly refers to an expiration. + +type: date -- -*`rsa.misc.second`*:: +*`rsa.time.process_time`*:: + -- +Deprecated, use duration.time + type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.time.event_queue_time`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is the Time that the event was queued. 
-type: keyword +type: date -- -*`rsa.misc.checksum_dst`*:: +*`rsa.time.p_time1`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.time.tzone`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.time.eventtime`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.time.gmtdate`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.time.gmttime`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.time.p_date`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.time.p_month`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.time.p_time`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.time.p_time2`*:: + -- -This key captures Risk Number NextGen +type: keyword -type: double +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.time.expire_time_str`*:: + -- -This key captures Risk Number SandBox +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.time.stamp`*:: + -- -This key captures Risk Number Static +Deprecated key defined only in table map. 
-type: double +type: date -- -*`rsa.misc.risk_suspicious`*:: + +*`rsa.misc.action`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.result`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.severity`*:: + -- -SNMP Object Identifier +This key is used to capture the severity given the session type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.event_type`*:: + -- -This key captures the SQL query +This key captures the event category type as specified by the event source. type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.reference_id`*:: + -- -This key captures the Vulnerability Reference details +This key is used to capture an event id from the session directly type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.version`*:: + -- +This key captures Version of the application or OS which is generating the event. + type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.disposition`*:: + -- +This key captures the The end state of an action. 
+ type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.result_code`*:: + -- +This key is used to capture the outcome/result numeric value of an action in a session + type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.category`*:: + -- +This key is used to capture the category of an event given by the vendor in the session + type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.obj_name`*:: + -- +This is used to capture name of object + type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.obj_type`*:: + -- +This is used to capture type of object + type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.event_source`*:: + -- +This key captures Source of the event that’s not a hostname + type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.log_session_id`*:: + -- +This key is used to capture a sessionid from the session directly + type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.group`*:: + -- +This key captures the Group Name value + type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.policy_name`*:: + -- +This key is used to capture the Policy Name only. + type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.rule_name`*:: + -- +This key captures the Rule Name + type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.context`*:: + -- +This key captures Information which adds additional context to the event. + type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.change_new`*:: + -- +This key is used to capture the new values of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.client`*:: + -- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.change_old`*:: + -- +This key is used to capture the old value of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.operation_id`*:: + -- +An alert number or operation number. The values should be unique and non-repeating. + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.event_state`*:: + -- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.group_object`*:: + -- +This key captures a collection/grouping of entities. Specific usage + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.node`*:: + -- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.rule`*:: + -- +This key captures the Rule number + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.device_name`*:: + -- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.param`*:: + -- +This key is the parameters passed as part of a command or application, etc. + type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.change_attrib`*:: + -- +This key is used to capture the name of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.event_computer`*:: + -- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.reference_id1`*:: + -- +This key is for Linked ID to be used as an addition to "reference.id" + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.event_log`*:: + -- +This key captures the Name of the event log + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.OS`*:: + -- +This key captures the Name of the Operating System + type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.terminal`*:: + -- +This key captures the Terminal Names only + type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.msgIdPart3`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.filter`*:: + -- +This key captures Filter used to reduce result set + type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.serial_number`*:: + -- +This key is the Serial number associated with a physical asset. + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.checksum`*:: + -- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.event_user`*:: + -- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.virusname`*:: + -- +This key captures the name of the virus + type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.content_type`*:: + -- +This key is used to capture Content Type only. 
+ type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.group_id`*:: + -- +This key captures Group ID Number (related to the group name) + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.policy_id`*:: + -- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.misc.sensor`*:: + -- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.sig_id`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID + +type: long -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.misc.port_name`*:: + -- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.rule_group`*:: + -- +This key captures the Rule group name + type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.risk_num`*:: + -- -type: keyword +This key captures a Numeric Risk value + +type: double -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.trigger_val`*:: + -- +This key captures the Value of the trigger or threshold condition. 
+ type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.log_session_id1`*:: + -- +This key is used to capture a Linked (Related) Session ID from the session directly + type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.comp_version`*:: + -- +This key captures the Version level of a sub-component of a product. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.content_version`*:: + -- +This key captures Version level of a signature or database content. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.hardware_id`*:: + -- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.risk`*:: + -- +This key captures the non-numeric risk value + type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.mail_id`*:: + -- +This key is used to capture the mailbox id/name + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.rule_uid`*:: + -- +This key is the Unique Identifier for a rule. + type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.trigger_desc`*:: + -- +This key captures the Description of the trigger or threshold condition. 
+ type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.misc.listnum`*:: + -- +This key is used to capture listname or listnumber, primarily for collecting access-list + type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.misc.observed_val`*:: + -- +This key captures the Value observed (from the perspective of the device generating the log). + type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.misc.policy_value`*:: + -- +This key captures the contents of the policy. 
This contains details about the policy + type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.pool_name`*:: + -- +This key captures the name of a resource pool + type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.misc.rule_template`*:: + -- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.count`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.misc.comments`*:: + -- +Comment information provided in the log message + type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.misc.doc_number`*:: + -- -type: keyword +This key captures File Identification number + +type: long -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.misc.expected_val`*:: + -- +This key captures the Value expected (from the perspective of the device generating the log). + type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.misc.job_num`*:: + -- +This key captures the Job Number + type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.misc.spi_dst`*:: + -- +Destination SPI Index + type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.misc.spi_src`*:: + -- +Source SPI Index + type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.misc.agent_id`*:: + -- +This key is used to capture agent id + type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.misc.message_body`*:: + -- +This key captures the The contents of the message body. + type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.misc.sig_id_str`*:: + -- +This key captures a string object of the sigid variable. 
+ type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.cmd`*:: + -- type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.misc.name`*:: + -- type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.misc.cpu`*:: + -- -type: keyword +This key is the CPU time used in the execution of the event being recorded. + +type: long -- -*`rsa.misc.cs_data`*:: +*`rsa.misc.event_desc`*:: + -- +This key is used to capture a description of an event available directly or inferred + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.misc.sig_id1`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.im_client`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.misc.priority`*:: + -- type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.misc.context_subject`*:: + -- +This key is to be used in an audit context where the subject is the object being identified + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.misc.context_target`*:: + -- type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.misc.cve`*:: + -- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.misc.fcatnum`*:: + -- +This key captures Filter Category Number. Legacy Usage + type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.misc.library`*:: + -- +This key is used to capture library information in mainframe devices + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.misc.parent_node`*:: + -- +This key captures the Parent Node Name. Must be related to node variable. 
+ type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.misc.risk_info`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: keyword +This key is captures the TCP flags set in any packet of session + +type: long -- -*`rsa.misc.cs_loginname`*:: +*`rsa.misc.tos`*:: + -- -type: keyword +This key describes the type of service + +type: long -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.misc.vm_target`*:: + -- +VMWare Target **VMWARE** only varaible. + type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.misc.workspace`*:: + -- +This key captures Workspace Description + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.misc.alert_id`*:: + -- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.misc.checksum_dst`*:: + -- +This key is used to capture the checksum or hash of the the target entity such as a process or file. 
+ type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.misc.checksum_src`*:: + -- +This key is used to capture the checksum or hash of the source entity such as a file or process. + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.misc.fresult`*:: + -- -type: keyword +This key captures the Filter Result + +type: long -- -*`rsa.misc.dstburb`*:: +*`rsa.misc.payload_dst`*:: + -- +This key is used to capture destination payload + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.misc.payload_src`*:: + -- +This key is used to capture source payload + type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.misc.pool_id`*:: + -- +This key captures the identifier (typically numeric field) of a resource pool + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.misc.process_id_val`*:: + -- +This key is a failure key for Process ID when it is not an integer value + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.misc.risk_num_comm`*:: + -- -type: keyword +This key captures Risk Number Community + +type: double -- -*`rsa.misc.finterface`*:: +*`rsa.misc.risk_num_next`*:: + -- -type: keyword +This key captures Risk Number NextGen + +type: double -- -*`rsa.misc.flags`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: keyword +This key captures Risk Number SandBox + +type: double -- -*`rsa.misc.gaddr`*:: +*`rsa.misc.risk_num_static`*:: + -- -type: keyword +This key captures Risk Number Static + +type: double -- -*`rsa.misc.id3`*:: +*`rsa.misc.risk_suspicious`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.misc.risk_warning`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.misc.snmp_oid`*:: + -- +SNMP Object Identifier + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.misc.sql`*:: + -- +This key captures the SQL query + type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.misc.vuln_ref`*:: + -- +This key captures the Vulnerability 
Reference details + type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`rsa.misc.num`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.misc.cn_asn_src`*:: + -- type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`rsa.misc.object`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- 
-*`rsa.misc.operation`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.misc.cn_engine_id`*:: + -- type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- type: keyword -- -*`rsa.misc.password_expire`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.misc.cn_l_switch`*:: + -- type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`rsa.misc.program`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- 
type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`rsa.misc.session`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`rsa.misc.state`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.misc.cn_template_id`*:: + -- type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- 
-*`rsa.misc.v_instafname`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.misc.criticality`*:: + -- type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -This is used to capture Auto Run type - type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Valid Credit Card Numbers only - -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.misc.cs_av_other`*:: + -- -This key captures the content type from protocol headers - type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Employee Identification Numbers only - -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -This is used to capture the results of regex match - type: keyword -- -*`rsa.misc.language`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -This is used to capture list of languages the client support and what it prefers - type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.misc.cs_bit9status`*:: + -- -This key is used to capture the session lifetime in seconds. - -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.misc.cs_context`*:: + -- -This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.misc.match`*:: +*`rsa.misc.cs_control`*:: + -- -This key is for regex match name from search.ini - type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.misc.cs_data`*:: + -- -This key captures the command line/launch argument of the target process or file - type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.misc.cs_datecret`*:: + -- -This key captures source parameter - type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -This key captures the Search Text used - type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This key is used to capture the Signature Name only. - type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -SNMP set request value - type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This key captures number of streams in session - -type: long +type: keyword -- - -*`rsa.db.index`*:: +*`rsa.misc.cs_filetype`*:: + -- -This key captures IndexID of the index. - type: keyword -- -*`rsa.db.instance`*:: +*`rsa.misc.cs_fld`*:: + -- -This key is used to capture the database server instance name - type: keyword -- -*`rsa.db.database`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session - type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.misc.cs_if_name`*:: + -- -This key captures the SQL transantion ID of the current session - type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This key captures permission or privilege level assigned to a resource. 
- type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -This key is used to capture the table name - type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key is used to capture the unique identifier for a database - type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.misc.cs_lifetime`*:: + -- -This key captures the process id of a connection with database server - -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This key is used for the number of logical reads - -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.misc.cs_loginname`*:: + -- -This key is used for the number of logical writes - -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This key is used for the number of physical writes - -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - type: keyword -- -*`rsa.network.domain`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.misc.cs_payload`*:: + -- -This key should only be used when it’s a Destination Hostname - type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.misc.cs_registrant`*:: + -- -This is used to capture layer 7 protocols/service names - type: keyword -- -*`rsa.network.interface`*:: +*`rsa.misc.cs_registrar`*:: + -- -This key should be used when the source or destination context of an interface is not clear - type: keyword -- -*`rsa.network.network_port`*:: +*`rsa.misc.cs_represult`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
- -type: long +type: keyword -- -*`rsa.network.eth_host`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Deprecated, use alias.mac - type: keyword -- -*`rsa.network.sinterface`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -This key should only be used when it’s a Source Interface - type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This key should only be used when it’s a Destination Interface - type: keyword -- -*`rsa.network.vlan`*:: +*`rsa.misc.cs_streams`*:: + -- -This key should only be used to capture the ID of the Virtual LAN - -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -This key should only be used when it’s a Source Zone. - type: keyword -- -*`rsa.network.zone`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -This key should be used when the source or destination context of a Zone is not clear - type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.misc.cs_whois_server`*:: + -- -This key should only be used when it’s a Destination Zone. - type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This key is used to capture the IP Address of the gateway - type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.misc.description`*:: + -- -This key is used to capture the ICMP type only - -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.misc.devvendor`*:: + -- -This key is used to capture the device network IPmask. 
- type: keyword -- -*`rsa.network.icmp_code`*:: +*`rsa.misc.distance`*:: + -- -This key is used to capture the ICMP code only - -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.misc.dstburb`*:: + -- -This key should be used to capture additional protocol information - type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.misc.edomain`*:: + -- -This key is used for Destionation Device network mask - type: keyword -- -*`rsa.network.port`*:: +*`rsa.misc.edomaub`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.misc.euid`*:: + -- -This key is used for capturing source Network Mask - type: keyword -- -*`rsa.network.netname`*:: +*`rsa.misc.facility`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.misc.finterface`*:: + -- -Deprecated - -type: ip +type: keyword -- -*`rsa.network.faddr`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`rsa.network.origin`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`rsa.network.addr`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.network.fport`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.network.phost`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.misc.linenum`*:: + -- -Deprecated, use 
host.dst - type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.misc.list_name`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.misc.load_data`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`rsa.network.dns_id`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.network.domain1`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.misc.lport`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.misc.mbug_data`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
- type: keyword -- -*`rsa.network.vlan_name`*:: +*`rsa.misc.misc_name`*:: + -- -This key should only be used to capture the name of the Virtual LAN - type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.misc.msg_type`*:: + -- -This key captures the particular event activity(Ex:Logoff) - type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.misc.msgid`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) - type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.misc.netsessid`*:: + -- -This key captures the Subject of a particular Event(Ex:User) - type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.misc.num`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) - type: keyword -- -*`rsa.investigations.event_cat`*:: +*`rsa.misc.number1`*:: + -- -This key captures the Event category number - -type: long +type: keyword -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.misc.number2`*:: + -- -This key captures the event category name corresponding to the event cat code - type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.misc.nwwn`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.misc.object`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`rsa.misc.operation`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.misc.opkt`*:: + -- -This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - type: keyword -- -*`rsa.investigations.boc`*:: +*`rsa.misc.orig_from`*:: + -- -This is used to capture behaviour of compromise - type: keyword -- -*`rsa.investigations.eoc`*:: +*`rsa.misc.owner_id`*:: + -- -This is used to capture Enablers of Compromise - type: keyword -- -*`rsa.investigations.inv_category`*:: +*`rsa.misc.p_action`*:: + -- -This used to capture investigation category - type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.misc.p_filter`*:: + -- -This used to capture investigation context - type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.misc.p_group_object`*:: + -- -This is key capture indicator of compromise - type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.misc.p_id`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`rsa.misc.p_msgid1`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long +type: keyword -- -*`rsa.counters.event_counter`*:: +*`rsa.misc.p_msgid2`*:: + -- -This is used to capture the number of times an event repeated - -type: long +type: keyword -- -*`rsa.counters.dclass_r1`*:: +*`rsa.misc.p_result1`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only - type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.misc.password_chg`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.misc.password_expire`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only - type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.misc.permgranted`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only - type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.misc.permwanted`*:: + 
-- -This is a generic ratio string key that should be used with the label dclass.r1 only - type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.misc.pgid`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only - type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.misc.policyUUID`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only - type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`rsa.misc.prog_asp_num`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only - type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.misc.program`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only - type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.misc.real_data`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only - type: keyword -- - -*`rsa.identity.auth_method`*:: +*`rsa.misc.rec_asp_device`*:: + -- -This key is used to capture authentication methods used only - type: keyword -- -*`rsa.identity.user_role`*:: +*`rsa.misc.rec_asp_num`*:: + -- -This key is used to capture the Role of a user only - type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.misc.rec_library`*:: + -- -X.500 (LDAP) Distinguished Name - type: keyword -- -*`rsa.identity.logon_type`*:: +*`rsa.misc.recordnum`*:: + -- -This key is used to capture the type of logon method used. 
- type: keyword -- -*`rsa.identity.profile`*:: +*`rsa.misc.ruid`*:: + -- -This key is used to capture the user profile - type: keyword -- -*`rsa.identity.accesses`*:: +*`rsa.misc.sburb`*:: + -- -This key is used to capture actual privileges used in accessing an object - type: keyword -- -*`rsa.identity.realm`*:: +*`rsa.misc.sdomain_fld`*:: + -- -Radius realm or similar grouping of accounts - type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.misc.sec`*:: + -- -This key captures Destination User Session ID - type: keyword -- -*`rsa.identity.dn_src`*:: +*`rsa.misc.sensorname`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - type: keyword -- -*`rsa.identity.org`*:: +*`rsa.misc.seqnum`*:: + -- -This key captures the User organization - type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.misc.session`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.misc.sessiontype`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.lastname`*:: +*`rsa.misc.sigUUID`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.user_dept`*:: +*`rsa.misc.spi`*:: + -- -User's Department Names only - type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`rsa.misc.srcburb`*:: + -- -This key captures Source User Session ID - type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.misc.srcdom`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. - type: keyword -- -*`rsa.identity.federated_idp`*:: +*`rsa.misc.srcservice`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. 
- type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.misc.state`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.misc.status1`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.password`*:: +*`rsa.misc.svcno`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted - type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.misc.system`*:: + -- -This key should only be used to capture the role of a Host Machine - type: keyword -- -*`rsa.identity.ldap`*:: +*`rsa.misc.tbdstr1`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - type: keyword -- -*`rsa.identity.ldap_query`*:: +*`rsa.misc.tgtdom`*:: + -- -This key is the Search criteria from an LDAP search - type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.misc.tgtdomain`*:: + -- -This key is to capture Results from an LDAP search - type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.misc.threshold`*:: + -- -This is used to capture username the process or service is running as, the author of the task - type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.misc.type1`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - type: keyword -- - -*`rsa.email.email_dst`*:: +*`rsa.misc.udb_class`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.misc.url_fld`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email - type: keyword -- -*`rsa.email.subject`*:: +*`rsa.misc.user_div`*:: + -- -This key is used to capture the subject string from an Email only. - type: keyword -- -*`rsa.email.email`*:: +*`rsa.misc.userid`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear - type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.misc.username_fld`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.misc.utcstamp`*:: + -- -Deprecated key defined only in table map. - type: keyword -- - -*`rsa.file.privilege`*:: +*`rsa.misc.v_instafname`*:: + -- -Deprecated, use permissions - type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.misc.virt_data`*:: + -- -This key captures the attachment file name - type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.file.binary`*:: +*`rsa.misc.autorun_type`*:: + -- -Deprecated key defined only in table map. 
+This is used to capture Auto Run type type: keyword -- -*`rsa.file.filename_dst`*:: +*`rsa.misc.cc_number`*:: + -- -This is used to capture name of the file targeted by the action +Valid Credit Card Numbers only -type: keyword +type: long -- -*`rsa.file.filename_src`*:: +*`rsa.misc.content`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +This key captures the content type from protocol headers type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.file.directory_dst`*:: +*`rsa.misc.found`*:: + -- -This key is used to capture the directory of the target process or file +This is used to capture the results of regex match type: keyword -- -*`rsa.file.directory_src`*:: +*`rsa.misc.language`*:: + -- -This key is used to capture the directory of the source process or file +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.misc.lifetime`*:: + -- -This is used to capture entropy vale of a file +This key is used to capture the session lifetime in seconds. -type: double +type: long -- -*`rsa.file.file_vendor`*:: +*`rsa.misc.link`*:: + -- -This is used to capture Company name of file located in version_info +This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.file.task_name`*:: +*`rsa.misc.match`*:: + -- -This is used to capture name of the task +This key is for regex match name from search.ini type: keyword -- - -*`rsa.web.fqdn`*:: +*`rsa.misc.param_dst`*:: + -- -Fully Qualified Domain Names +This key captures the command line/launch argument of the target process or file type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.misc.param_src`*:: + -- -This key is used to capture the Web cookies specifically. +This key captures source parameter type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.misc.sig_name`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +This key is used to capture the Signature Name only. -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`rsa.misc.snmp_value`*:: + -- -Web referer's domain +SNMP set request value type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.misc.streams`*:: + -- -This key captures Web referer's query portion of the URL +This key captures number of streams in session -type: keyword +type: long -- -*`rsa.web.remote_domain`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. 
+ type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.db.instance`*:: + -- -This key captures Web referer's page information +This key is used to capture the database server instance name type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.db.database`*:: + -- -Web referer's root URL path +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.web.p_user_agent`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.web.p_web_cookie`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.web.p_web_method`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`rsa.web.p_web_referer`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.web.web_page`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- - -*`rsa.threat.threat_category`*:: +*`rsa.network.network_service`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +This is used to capture layer 7 protocols/service names type: keyword -- -*`rsa.threat.threat_desc`*:: +*`rsa.network.interface`*:: + -- -This key is used to capture the threat description from the session directly or inferred +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.network.network_port`*:: + -- -This key is used to capture name of the alert +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- -*`rsa.threat.threat_source`*:: +*`rsa.network.eth_host`*:: + -- -This key is used to capture source of the threat +Deprecated, use alias.mac type: keyword -- - -*`rsa.crypto.crypto`*:: +*`rsa.network.sinterface`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +This key should only be used when it’s a Source Interface type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.network.dinterface`*:: + -- -This key is for Source (Client) Cipher +This key should only be used when it’s a Destination Interface type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.network.vlan`*:: + -- -This key is used to capture the Certificate organization only +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`rsa.crypto.peer`*:: +*`rsa.network.zone_src`*:: + -- -This key is for Encryption peer's IP Address +This key should only be used when it’s a Source Zone. 
type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.network.zone`*:: + -- -This key captures Source (Client) Cipher Size +This key should be used when the source or destination context of a Zone is not clear -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.network.zone_dst`*:: + -- -IKE negotiation phase. +This key should only be used when it’s a Destination Zone. type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.network.gateway`*:: + -- -This key captures the Encryption scheme used +This key is used to capture the IP Address of the gateway type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.network.icmp_type`*:: + -- -This key is for Encryption peer’s identity +This key is used to capture the ICMP type only -type: keyword +type: long -- -*`rsa.crypto.sig_type`*:: +*`rsa.network.mask`*:: + -- -This key captures the Signature Type +This key is used to capture the device network IPmask. type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.network.protocol_detail`*:: + -- -Deprecated key defined only in table map. 
+This key should be used to capture additional protocol information type: keyword -- -*`rsa.crypto.cert_error`*:: +*`rsa.network.dmask`*:: + -- -This key captures the Certificate Error String +This key is used for Destionation Device network mask type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.network.port`*:: + -- -This key is for Destination (Server) Cipher +This key should only be used to capture a Network Port when the directionality is not clear -type: keyword +type: long -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.network.smask`*:: + -- -This key captures Destination (Server) Cipher Size +This key is used for capturing source Network Mask -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.network.netname`*:: + -- -Deprecated, use version +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.crypto.s_certauth`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.network.lhost`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One - type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.network.origin`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two - type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.network.addr`*:: + -- -This key is used for the hostname category value of a certificate - type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.network.dns_a_record`*:: + -- -This key is used to capture the Certificate serial number only - type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.network.dns_ptr_record`*:: + -- -This key captures Certificate validation status - type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.network.fhost`*:: + -- -Deprecated, use version - type: keyword -- -*`rsa.crypto.cert_keysize`*:: 
+*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.network.ad_computer_dst`*:: + -- -This key is used to capture the Certificate signing authority only +Deprecated, use host.dst type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.network.eth_type`*:: + -- -This key is used to capture the Certificate common name only +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only -type: keyword +type: long -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.network.ip_proto`*:: + -- -This key is used to capture the ssid of a Wireless Session +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: keyword +type: long -- -*`rsa.wireless.access_point`*:: +*`rsa.network.dns_cname_record`*:: + -- -This key is used to capture the access point name. - type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.network.dns_id`*:: + -- -This is used to capture the channel names - -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.network.dns_opcode`*:: + -- -This key captures either WLAN number/name - type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.network.dns_resp`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk - type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.network.dns_type`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. - type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.network.domain1`*:: + -- -This uniquely identifies a port on a HBA. - type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.network.host_type`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.network.packet_length`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. - type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.network.host_orig`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.network.rpayload`*:: + -- -This key captures the unique ID for a patient +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.network.vlan_name`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key should only be used to capture the name of the Virtual LAN type: keyword -- -*`rsa.healthcare.patient_mname`*:: + +*`rsa.investigations.ec_activity`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key captures the particular event activity(Ex:Logoff) type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.investigations.ec_theme`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.investigations.ec_subject`*:: + -- -This key captures the path to the registry key +This key captures the Subject of a particular Event(Ex:User) type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.investigations.ec_outcome`*:: + -- -This key captures values or decorators used within a registry entry +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -[float] -=== fortinet - -Fields from 
fortinet FortiOS +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number +type: long +-- -*`fortinet.file.hash.crc32`*:: +*`rsa.investigations.event_cat_name`*:: + -- -CRC32 Hash of file - +This key captures the event category name corresponding to the event cat code type: keyword -- -[float] -=== firewall - -Module for parsing Fortinet syslog. +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +type: keyword +-- -*`fortinet.firewall.acct_stat`*:: +*`rsa.investigations.analysis_file`*:: + -- -Accounting state (RADIUS) - +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -- -*`fortinet.firewall.acktime`*:: +*`rsa.investigations.analysis_service`*:: + -- -Alarm Acknowledge Time - +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service type: keyword -- -*`fortinet.firewall.act`*:: +*`rsa.investigations.analysis_session`*:: + -- -Action - +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session type: keyword -- -*`fortinet.firewall.action`*:: +*`rsa.investigations.boc`*:: + -- -Status of the session - +This is used to capture behaviour of compromise type: keyword -- -*`fortinet.firewall.activity`*:: +*`rsa.investigations.eoc`*:: + -- -HA activity message - +This is used to capture Enablers of Compromise type: keyword -- -*`fortinet.firewall.addr`*:: +*`rsa.investigations.inv_category`*:: + -- -IP Address - +This used to capture investigation category -type: ip +type: keyword -- -*`fortinet.firewall.addr_type`*:: +*`rsa.investigations.inv_context`*:: + -- -Address Type - +This used to capture investigation context type: keyword -- -*`fortinet.firewall.addrgrp`*:: +*`rsa.investigations.ioc`*:: + -- -Address Group - +This is key capture indicator of compromise type: keyword -- -*`fortinet.firewall.adgroup`*:: + +*`rsa.counters.dclass_c1`*:: + -- -AD Group Name - +This is a generic counter key that should be used with the label dclass.c1.str only -type: keyword +type: long -- -*`fortinet.firewall.admin`*:: +*`rsa.counters.dclass_c2`*:: + -- -Admin User - +This is a generic counter key that should be used with the label dclass.c2.str only -type: keyword +type: long -- -*`fortinet.firewall.age`*:: +*`rsa.counters.event_counter`*:: + -- -Time in seconds - time passed since last seen - +This is used to capture the number of times an event repeated -type: integer +type: long -- -*`fortinet.firewall.agent`*:: +*`rsa.counters.dclass_r1`*:: + -- -User agent - eg. 
agent="Mozilla/5.0" - +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -- -*`fortinet.firewall.alarmid`*:: +*`rsa.counters.dclass_c3`*:: + -- -Alarm ID - +This is a generic counter key that should be used with the label dclass.c3.str only -type: integer +type: long -- -*`fortinet.firewall.alert`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -Alert - +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -*`fortinet.firewall.analyticscksum`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -The checksum of the file submitted for analytics - +This is a generic counter string key that should be used with the label dclass.c2 only type: keyword -- -*`fortinet.firewall.analyticssubmit`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -The flag for analytics submission - +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`fortinet.firewall.ap`*:: +*`rsa.counters.dclass_r2`*:: + -- -Access Point - +This is a generic ratio key that should be used with the label dclass.r2.str only type: keyword -- -*`fortinet.firewall.app-type`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -Address Type - +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -- -*`fortinet.firewall.appact`*:: +*`rsa.counters.dclass_r3`*:: + -- -The security action from app control - +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`fortinet.firewall.appid`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -Application ID - +This is a generic ratio string key that should be used with the label dclass.r2 only -type: integer +type: keyword -- -*`fortinet.firewall.applist`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -Application Control profile - +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -*`fortinet.firewall.apprisk`*:: + 
+*`rsa.identity.auth_method`*:: + -- -Application Risk Level - +This key is used to capture authentication methods used only type: keyword -- -*`fortinet.firewall.apscan`*:: +*`rsa.identity.user_role`*:: + -- -The name of the AP, which scanned and detected the rogue AP - +This key is used to capture the Role of a user only type: keyword -- -*`fortinet.firewall.apsn`*:: +*`rsa.identity.dn`*:: + -- -Access Point - +X.500 (LDAP) Distinguished Name type: keyword -- -*`fortinet.firewall.apstatus`*:: +*`rsa.identity.logon_type`*:: + -- -Access Point status - +This key is used to capture the type of logon method used. type: keyword -- -*`fortinet.firewall.aptype`*:: +*`rsa.identity.profile`*:: + -- -Access Point type - +This key is used to capture the user profile type: keyword -- -*`fortinet.firewall.assigned`*:: +*`rsa.identity.accesses`*:: + -- -Assigned IP Address - +This key is used to capture actual privileges used in accessing an object -type: ip +type: keyword -- -*`fortinet.firewall.assignip`*:: +*`rsa.identity.realm`*:: + -- -Assigned IP Address - +Radius realm or similar grouping of accounts -type: ip +type: keyword -- -*`fortinet.firewall.attachment`*:: +*`rsa.identity.user_sid_dst`*:: + -- -The flag for email attachement - +This key captures Destination User Session ID type: keyword -- -*`fortinet.firewall.attack`*:: +*`rsa.identity.dn_src`*:: + -- -Attack Name - +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -- -*`fortinet.firewall.attackcontext`*:: +*`rsa.identity.org`*:: + -- -The trigger patterns and the packetdata with base64 encoding - +This key captures the User organization type: keyword -- -*`fortinet.firewall.attackcontextid`*:: +*`rsa.identity.dn_dst`*:: + -- -Attack context id / total - +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`fortinet.firewall.attackid`*:: +*`rsa.identity.firstname`*:: + -- -Attack ID - +This key is for 
First Names only, this is used for Healthcare predominantly to capture Patients information -type: integer +type: keyword -- -*`fortinet.firewall.auditid`*:: +*`rsa.identity.lastname`*:: + -- -Audit ID - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`fortinet.firewall.auditscore`*:: +*`rsa.identity.user_dept`*:: + -- -The Audit Score - +User's Department Names only type: keyword -- -*`fortinet.firewall.audittime`*:: +*`rsa.identity.user_sid_src`*:: + -- -The time of the audit - +This key captures Source User Session ID -type: long +type: keyword -- -*`fortinet.firewall.authgrp`*:: +*`rsa.identity.federated_sp`*:: + -- -Authorization Group - +This key is the Federated Service Provider. This is the application requesting authentication. type: keyword -- -*`fortinet.firewall.authid`*:: +*`rsa.identity.federated_idp`*:: + -- -Authentication ID - +This key is the federated Identity Provider. This is the server providing the authentication. type: keyword -- -*`fortinet.firewall.authproto`*:: +*`rsa.identity.logon_type_desc`*:: + -- -The protocol that initiated the authentication - +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
type: keyword -- -*`fortinet.firewall.authserver`*:: +*`rsa.identity.middlename`*:: + -- -Authentication server - +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`fortinet.firewall.bandwidth`*:: +*`rsa.identity.password`*:: + -- -Bandwidth - +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`fortinet.firewall.banned_rule`*:: +*`rsa.identity.host_role`*:: + -- -NAC quarantine Banned Rule Name - +This key should only be used to capture the role of a Host Machine type: keyword -- -*`fortinet.firewall.banned_src`*:: +*`rsa.identity.ldap`*:: + -- -NAC quarantine Banned Source IP - +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- -*`fortinet.firewall.banword`*:: +*`rsa.identity.ldap_query`*:: + -- -Banned word - +This key is the Search criteria from an LDAP search type: keyword -- -*`fortinet.firewall.botnetdomain`*:: +*`rsa.identity.ldap_response`*:: + -- -Botnet Domain Name - +This key is to capture Results from an LDAP search type: keyword -- -*`fortinet.firewall.botnetip`*:: +*`rsa.identity.owner`*:: + -- -Botnet IP Address - +This is used to capture username the process or service is running as, the author of the task -type: ip +type: keyword -- -*`fortinet.firewall.bssid`*:: +*`rsa.identity.service_account`*:: + -- -Service Set ID - +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage type: keyword -- -*`fortinet.firewall.call_id`*:: + +*`rsa.email.email_dst`*:: + -- -Caller ID - +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`fortinet.firewall.carrier_ep`*:: +*`rsa.email.email_src`*:: + -- -The FortiOS Carrier end-point identification - +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`fortinet.firewall.cat`*:: +*`rsa.email.subject`*:: + -- -DNS category ID - +This key is used to capture the subject string from an Email only. -type: integer +type: keyword -- -*`fortinet.firewall.category`*:: +*`rsa.email.email`*:: + -- -Authentication category - +This key is used to capture a generic email address where the source or destination context is not clear type: keyword -- -*`fortinet.firewall.cc`*:: +*`rsa.email.trans_from`*:: + -- -CC Email Address - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.cdrcontent`*:: +*`rsa.email.trans_to`*:: + -- -Cdrcontent - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.centralnatid`*:: + +*`rsa.file.privilege`*:: + -- -Central NAT ID - +Deprecated, use permissions -type: integer +type: keyword -- -*`fortinet.firewall.cert`*:: +*`rsa.file.attachment`*:: + -- -Certificate - +This key captures the attachment file name type: keyword -- -*`fortinet.firewall.cert-type`*:: +*`rsa.file.filesystem`*:: + -- -Certificate type - - type: keyword -- -*`fortinet.firewall.certhash`*:: +*`rsa.file.binary`*:: + -- -Certificate hash - +Deprecated key defined only in table map. 
type: keyword -- -*`fortinet.firewall.cfgattr`*:: +*`rsa.file.filename_dst`*:: + -- -Configuration attribute - +This is used to capture name of the file targeted by the action type: keyword -- -*`fortinet.firewall.cfgobj`*:: +*`rsa.file.filename_src`*:: + -- -Configuration object - +This is used to capture name of the parent filename, the file which performed the action type: keyword -- -*`fortinet.firewall.cfgpath`*:: +*`rsa.file.filename_tmp`*:: + -- -Configuration path - - type: keyword -- -*`fortinet.firewall.cfgtid`*:: +*`rsa.file.directory_dst`*:: + -- -Configuration transaction ID - +This key is used to capture the directory of the target process or file type: keyword -- -*`fortinet.firewall.cfgtxpower`*:: +*`rsa.file.directory_src`*:: + -- -Configuration TX power - +This key is used to capture the directory of the source process or file -type: integer +type: keyword -- -*`fortinet.firewall.channel`*:: +*`rsa.file.file_entropy`*:: + -- -Wireless Channel - +This is used to capture entropy vale of a file -type: integer +type: double -- -*`fortinet.firewall.channeltype`*:: +*`rsa.file.file_vendor`*:: + -- -SSH channel type - +This is used to capture Company name of file located in version_info type: keyword -- -*`fortinet.firewall.chassisid`*:: +*`rsa.file.task_name`*:: + -- -Chassis ID - +This is used to capture name of the task -type: integer +type: keyword -- -*`fortinet.firewall.checksum`*:: + +*`rsa.web.fqdn`*:: + -- -The checksum of the scanned file - +Fully Qualified Domain Names type: keyword -- -*`fortinet.firewall.chgheaders`*:: +*`rsa.web.web_cookie`*:: + -- -HTTP Headers - +This key is used to capture the Web cookies specifically. type: keyword -- -*`fortinet.firewall.cldobjid`*:: +*`rsa.web.alias_host`*:: + -- -Connector object ID - - type: keyword -- -*`fortinet.firewall.client_addr`*:: +*`rsa.web.reputation_num`*:: + -- -Wifi client address - +Reputation Number of an entity. 
Typically used for Web Domains -type: keyword +type: double -- -*`fortinet.firewall.cloudaction`*:: +*`rsa.web.web_ref_domain`*:: + -- -Cloud Action - +Web referer's domain type: keyword -- -*`fortinet.firewall.clouduser`*:: +*`rsa.web.web_ref_query`*:: + -- -Cloud User - +This key captures Web referer's query portion of the URL type: keyword -- -*`fortinet.firewall.column`*:: +*`rsa.web.remote_domain`*:: + -- -VOIP Column - - -type: integer +type: keyword -- -*`fortinet.firewall.command`*:: +*`rsa.web.web_ref_page`*:: + -- -CLI Command - +This key captures Web referer's page information type: keyword -- -*`fortinet.firewall.community`*:: +*`rsa.web.web_ref_root`*:: + -- -SNMP Community - +Web referer's root URL path type: keyword -- -*`fortinet.firewall.configcountry`*:: +*`rsa.web.cn_asn_dst`*:: + -- -Configuration country - - type: keyword -- -*`fortinet.firewall.connection_type`*:: +*`rsa.web.cn_rpackets`*:: + -- -FortiClient Connection Type - - type: keyword -- -*`fortinet.firewall.conserve`*:: +*`rsa.web.urlpage`*:: + -- -Flag for conserve mode - - type: keyword -- -*`fortinet.firewall.constraint`*:: +*`rsa.web.urlroot`*:: + -- -WAF http protocol restrictions - - type: keyword -- -*`fortinet.firewall.contentdisarmed`*:: +*`rsa.web.p_url`*:: + -- -Email scanned content - - type: keyword -- -*`fortinet.firewall.contenttype`*:: +*`rsa.web.p_user_agent`*:: + -- -Content Type from HTTP header +type: keyword +-- +*`rsa.web.p_web_cookie`*:: ++ +-- type: keyword -- -*`fortinet.firewall.cookies`*:: +*`rsa.web.p_web_method`*:: + -- -VPN Cookie +type: keyword +-- +*`rsa.web.p_web_referer`*:: ++ +-- type: keyword -- -*`fortinet.firewall.count`*:: +*`rsa.web.web_extension_tmp`*:: + -- -Counts of action type +type: keyword +-- -type: integer +*`rsa.web.web_page`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.countapp`*:: + +*`rsa.threat.threat_category`*:: + -- -Number of App Ctrl logs associated with the session - +This key captures Threat Name/Threat 
Category/Categorization of alert -type: integer +type: keyword -- -*`fortinet.firewall.countav`*:: +*`rsa.threat.threat_desc`*:: + -- -Number of AV logs associated with the session - +This key is used to capture the threat description from the session directly or inferred -type: integer +type: keyword -- -*`fortinet.firewall.countcifs`*:: +*`rsa.threat.alert`*:: + -- -Number of CIFS logs associated with the session - +This key is used to capture name of the alert -type: integer +type: keyword -- -*`fortinet.firewall.countdlp`*:: +*`rsa.threat.threat_source`*:: + -- -Number of DLP logs associated with the session - +This key is used to capture source of the threat -type: integer +type: keyword -- -*`fortinet.firewall.countdns`*:: + +*`rsa.crypto.crypto`*:: + -- -Number of DNS logs associated with the session - +This key is used to capture the Encryption Type or Encryption Key only -type: integer +type: keyword -- -*`fortinet.firewall.countemail`*:: +*`rsa.crypto.cipher_src`*:: + -- -Number of email logs associated with the session - +This key is for Source (Client) Cipher -type: integer +type: keyword -- -*`fortinet.firewall.countff`*:: +*`rsa.crypto.cert_subject`*:: + -- -Number of ff logs associated with the session - +This key is used to capture the Certificate organization only -type: integer +type: keyword -- -*`fortinet.firewall.countips`*:: +*`rsa.crypto.peer`*:: + -- -Number of IPS logs associated with the session - +This key is for Encryption peer's IP Address -type: integer +type: keyword -- -*`fortinet.firewall.countssh`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -Number of SSH logs associated with the session - +This key captures Source (Client) Cipher Size -type: integer +type: long -- -*`fortinet.firewall.countssl`*:: +*`rsa.crypto.ike`*:: + -- -Number of SSL logs associated with the session - +IKE negotiation phase. 
-type: integer +type: keyword -- -*`fortinet.firewall.countwaf`*:: +*`rsa.crypto.scheme`*:: + -- -Number of WAF logs associated with the session - +This key captures the Encryption scheme used -type: integer +type: keyword -- -*`fortinet.firewall.countweb`*:: +*`rsa.crypto.peer_id`*:: + -- -Number of Web filter logs associated with the session - +This key is for Encryption peer’s identity -type: integer +type: keyword -- -*`fortinet.firewall.cpu`*:: +*`rsa.crypto.sig_type`*:: + -- -CPU Usage - +This key captures the Signature Type -type: integer +type: keyword -- -*`fortinet.firewall.craction`*:: +*`rsa.crypto.cert_issuer`*:: + -- -Client Reputation Action - - -type: integer +type: keyword -- -*`fortinet.firewall.criticalcount`*:: +*`rsa.crypto.cert_host_name`*:: + -- -Number of critical ratings - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`fortinet.firewall.crl`*:: +*`rsa.crypto.cert_error`*:: + -- -Client Reputation Level - +This key captures the Certificate Error String type: keyword -- -*`fortinet.firewall.crlevel`*:: +*`rsa.crypto.cipher_dst`*:: + -- -Client Reputation Level - +This key is for Destination (Server) Cipher type: keyword -- -*`fortinet.firewall.crscore`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -Some description - +This key captures Destination (Server) Cipher Size -type: integer +type: long -- -*`fortinet.firewall.cveid`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -CVE ID - +Deprecated, use version type: keyword -- -*`fortinet.firewall.daemon`*:: +*`rsa.crypto.d_certauth`*:: + -- -Daemon name - - type: keyword -- -*`fortinet.firewall.datarange`*:: +*`rsa.crypto.s_certauth`*:: + -- -Data range for reports - - type: keyword -- -*`fortinet.firewall.date`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -Date - +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`fortinet.firewall.ddnsserver`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -DDNS server - +ID of the negotiation — sent for ISAKMP Phase Two -type: ip +type: 
keyword -- -*`fortinet.firewall.desc`*:: +*`rsa.crypto.cert_checksum`*:: + -- -Description - - type: keyword -- -*`fortinet.firewall.detectionmethod`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -Detection method - +This key is used for the hostname category value of a certificate type: keyword -- -*`fortinet.firewall.devcategory`*:: +*`rsa.crypto.cert_serial`*:: + -- -Device category - +This key is used to capture the Certificate serial number only type: keyword -- -*`fortinet.firewall.devintfname`*:: +*`rsa.crypto.cert_status`*:: + -- -HA device Interface Name - +This key captures Certificate validation status type: keyword -- -*`fortinet.firewall.devtype`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -Device type - +Deprecated, use version type: keyword -- -*`fortinet.firewall.dhcp_msg`*:: +*`rsa.crypto.cert_keysize`*:: + -- -DHCP Message - - type: keyword -- -*`fortinet.firewall.dintf`*:: +*`rsa.crypto.cert_username`*:: + -- -Destination interface - - type: keyword -- -*`fortinet.firewall.disk`*:: +*`rsa.crypto.https_insact`*:: + -- -Assosciated disk +type: keyword +-- +*`rsa.crypto.https_valid`*:: ++ +-- type: keyword -- -*`fortinet.firewall.disklograte`*:: +*`rsa.crypto.cert_ca`*:: + -- -Disk logging rate - +This key is used to capture the Certificate signing authority only -type: long +type: keyword -- -*`fortinet.firewall.dlpextra`*:: +*`rsa.crypto.cert_common`*:: + -- -DLP extra information - +This key is used to capture the Certificate common name only type: keyword -- -*`fortinet.firewall.docsource`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -DLP fingerprint document source - +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`fortinet.firewall.domainctrlauthstate`*:: +*`rsa.wireless.access_point`*:: + -- -CIFS domain auth state - +This key is used to capture the access point name. 
-type: integer +type: keyword -- -*`fortinet.firewall.domainctrlauthtype`*:: +*`rsa.wireless.wlan_channel`*:: + -- -CIFS domain auth type - +This is used to capture the channel names -type: integer +type: long -- -*`fortinet.firewall.domainctrldomain`*:: +*`rsa.wireless.wlan_name`*:: + -- -CIFS domain auth domain - +This key captures either WLAN number/name type: keyword -- -*`fortinet.firewall.domainctrlip`*:: + +*`rsa.storage.disk_volume`*:: + -- -CIFS Domain IP - +A unique name assigned to logical units (volumes) within a physical disk -type: ip +type: keyword -- -*`fortinet.firewall.domainctrlname`*:: +*`rsa.storage.lun`*:: + -- -CIFS Domain name - +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`fortinet.firewall.domainctrlprotocoltype`*:: +*`rsa.storage.pwwn`*:: + -- -CIFS Domain connection protocol - +This uniquely identifies a port on a HBA. -type: integer +type: keyword -- -*`fortinet.firewall.domainctrlusername`*:: + +*`rsa.physical.org_dst`*:: + -- -CIFS Domain username - +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`fortinet.firewall.domainfilteridx`*:: +*`rsa.physical.org_src`*:: + -- -Domain filter ID - +This is used to capture the source organization based on the GEOPIP Maxmind database. 
-type: integer +type: keyword -- -*`fortinet.firewall.domainfilterlist`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -Domain filter name - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`fortinet.firewall.ds`*:: +*`rsa.healthcare.patient_id`*:: + -- -Direction with distribution system - +This key captures the unique ID for a patient type: keyword -- -*`fortinet.firewall.dst_int`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Destination interface - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`fortinet.firewall.dstintfrole`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Destination interface role - +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`fortinet.firewall.dstcountry`*:: + +*`rsa.endpoint.host_state`*:: + -- -Destination country - +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`fortinet.firewall.dstdevcategory`*:: +*`rsa.endpoint.registry_key`*:: + -- -Destination device category - +This key captures the path to the registry key type: keyword -- -*`fortinet.firewall.dstdevtype`*:: +*`rsa.endpoint.registry_value`*:: + -- -Destination device type - +This key captures values or decorators used within a registry entry type: keyword -- -*`fortinet.firewall.dstfamily`*:: -+ --- -Destination OS family +[float] +=== fortinet +Fields from fortinet FortiOS -type: keyword --- -*`fortinet.firewall.dsthwvendor`*:: +*`fortinet.file.hash.crc32`*:: + -- -Destination HW vendor +CRC32 Hash of file type: keyword -- -*`fortinet.firewall.dsthwversion`*:: +[float] +=== firewall + +Module for parsing Fortinet syslog. 
+ + + +*`fortinet.firewall.acct_stat`*:: + -- -Destination HW version +Accounting state (RADIUS) type: keyword -- -*`fortinet.firewall.dstinetsvc`*:: +*`fortinet.firewall.acktime`*:: + -- -Destination interface service +Alarm Acknowledge Time type: keyword -- -*`fortinet.firewall.dstosname`*:: +*`fortinet.firewall.act`*:: + -- -Destination OS name +Action type: keyword -- -*`fortinet.firewall.dstosversion`*:: +*`fortinet.firewall.action`*:: + -- -Destination OS version +Status of the session type: keyword -- -*`fortinet.firewall.dstserver`*:: +*`fortinet.firewall.activity`*:: + -- -Destination server +HA activity message -type: integer +type: keyword -- -*`fortinet.firewall.dstssid`*:: +*`fortinet.firewall.addr`*:: + -- -Destination SSID +IP Address -type: keyword +type: ip -- -*`fortinet.firewall.dstswversion`*:: +*`fortinet.firewall.addr_type`*:: + -- -Destination software version +Address Type type: keyword -- -*`fortinet.firewall.dstunauthusersource`*:: +*`fortinet.firewall.addrgrp`*:: + -- -Destination unauthenticated source +Address Group type: keyword -- -*`fortinet.firewall.dstuuid`*:: +*`fortinet.firewall.adgroup`*:: + -- -UUID of the Destination IP address +AD Group Name type: keyword -- -*`fortinet.firewall.duid`*:: +*`fortinet.firewall.admin`*:: + -- -DHCP UID +Admin User type: keyword -- -*`fortinet.firewall.eapolcnt`*:: +*`fortinet.firewall.age`*:: + -- -EAPOL packet count +Time in seconds - time passed since last seen type: integer -- -*`fortinet.firewall.eapoltype`*:: +*`fortinet.firewall.agent`*:: + -- -EAPOL packet type +User agent - eg. 
agent="Mozilla/5.0" type: keyword -- -*`fortinet.firewall.encrypt`*:: +*`fortinet.firewall.alarmid`*:: + -- -Whether the packet is encrypted or not +Alarm ID type: integer -- -*`fortinet.firewall.encryption`*:: +*`fortinet.firewall.alert`*:: + -- -Encryption method +Alert type: keyword -- -*`fortinet.firewall.epoch`*:: +*`fortinet.firewall.analyticscksum`*:: + -- -Epoch used for locating file +The checksum of the file submitted for analytics -type: integer +type: keyword -- -*`fortinet.firewall.espauth`*:: +*`fortinet.firewall.analyticssubmit`*:: + -- -ESP Authentication +The flag for analytics submission type: keyword -- -*`fortinet.firewall.esptransform`*:: +*`fortinet.firewall.ap`*:: + -- -ESP Transform +Access Point type: keyword -- -*`fortinet.firewall.eventtype`*:: +*`fortinet.firewall.app-type`*:: + -- -UTM Event Type +Address Type type: keyword -- -*`fortinet.firewall.exch`*:: +*`fortinet.firewall.appact`*:: + -- -Mail Exchanges from DNS response answer section +The security action from app control type: keyword -- -*`fortinet.firewall.exchange`*:: +*`fortinet.firewall.appid`*:: + -- -Mail Exchanges from DNS response answer section +Application ID -type: keyword +type: integer -- -*`fortinet.firewall.expectedsignature`*:: +*`fortinet.firewall.applist`*:: + -- -Expected SSL signature +Application Control profile type: keyword -- -*`fortinet.firewall.expiry`*:: +*`fortinet.firewall.apprisk`*:: + -- -FortiGuard override expiry timestamp +Application Risk Level type: keyword -- -*`fortinet.firewall.fams_pause`*:: +*`fortinet.firewall.apscan`*:: + -- -Fortinet Analysis and Management Service Pause +The name of the AP, which scanned and detected the rogue AP -type: integer +type: keyword -- -*`fortinet.firewall.fazlograte`*:: +*`fortinet.firewall.apsn`*:: + -- -FortiAnalyzer Logging Rate +Access Point -type: long +type: keyword -- -*`fortinet.firewall.fctemssn`*:: +*`fortinet.firewall.apstatus`*:: + -- -FortiClient Endpoint SSN +Access Point status type: keyword 
-- -*`fortinet.firewall.fctuid`*:: +*`fortinet.firewall.aptype`*:: + -- -FortiClient UID +Access Point type type: keyword -- -*`fortinet.firewall.field`*:: +*`fortinet.firewall.assigned`*:: + -- -NTP status field +Assigned IP Address -type: keyword +type: ip -- -*`fortinet.firewall.filefilter`*:: +*`fortinet.firewall.assignip`*:: + -- -The filter used to identify the affected file +Assigned IP Address -type: keyword +type: ip -- -*`fortinet.firewall.filehashsrc`*:: +*`fortinet.firewall.attachment`*:: + -- -Filehash source +The flag for email attachement type: keyword -- -*`fortinet.firewall.filtercat`*:: +*`fortinet.firewall.attack`*:: + -- -DLP filter category +Attack Name type: keyword -- -*`fortinet.firewall.filteridx`*:: +*`fortinet.firewall.attackcontext`*:: + -- -DLP filter ID +The trigger patterns and the packetdata with base64 encoding -type: integer +type: keyword -- -*`fortinet.firewall.filtername`*:: +*`fortinet.firewall.attackcontextid`*:: + -- -DLP rule name +Attack context id / total type: keyword -- -*`fortinet.firewall.filtertype`*:: +*`fortinet.firewall.attackid`*:: + -- -DLP filter type +Attack ID -type: keyword +type: integer -- -*`fortinet.firewall.fortiguardresp`*:: +*`fortinet.firewall.auditid`*:: + -- -Antispam ESP value +Audit ID -type: keyword +type: long -- -*`fortinet.firewall.forwardedfor`*:: +*`fortinet.firewall.auditscore`*:: + -- -Email address forwarded +The Audit Score type: keyword -- -*`fortinet.firewall.fqdn`*:: +*`fortinet.firewall.audittime`*:: + -- -FQDN +The time of the audit + + +type: long + +-- + +*`fortinet.firewall.authgrp`*:: ++ +-- +Authorization Group type: keyword -- -*`fortinet.firewall.frametype`*:: +*`fortinet.firewall.authid`*:: + -- -Wireless frametype +Authentication ID type: keyword -- -*`fortinet.firewall.freediskstorage`*:: +*`fortinet.firewall.authproto`*:: + -- -Free disk integer +The protocol that initiated the authentication -type: integer +type: keyword -- -*`fortinet.firewall.from`*:: 
+*`fortinet.firewall.authserver`*:: + -- -From email address +Authentication server type: keyword -- -*`fortinet.firewall.from_vcluster`*:: +*`fortinet.firewall.bandwidth`*:: + -- -Source virtual cluster number +Bandwidth -type: integer +type: keyword -- -*`fortinet.firewall.fsaverdict`*:: +*`fortinet.firewall.banned_rule`*:: + -- -FSA verdict +NAC quarantine Banned Rule Name type: keyword -- -*`fortinet.firewall.fwserver_name`*:: +*`fortinet.firewall.banned_src`*:: + -- -Web proxy server name +NAC quarantine Banned Source IP type: keyword -- -*`fortinet.firewall.gateway`*:: +*`fortinet.firewall.banword`*:: + -- -Gateway ip address for PPPoE status report +Banned word -type: ip +type: keyword -- -*`fortinet.firewall.green`*:: +*`fortinet.firewall.botnetdomain`*:: + -- -Memory status +Botnet Domain Name type: keyword -- -*`fortinet.firewall.groupid`*:: +*`fortinet.firewall.botnetip`*:: + -- -User Group ID +Botnet IP Address -type: integer +type: ip -- -*`fortinet.firewall.ha-prio`*:: +*`fortinet.firewall.bssid`*:: + -- -HA Priority +Service Set ID -type: integer +type: keyword -- -*`fortinet.firewall.ha_group`*:: +*`fortinet.firewall.call_id`*:: + -- -HA Group +Caller ID type: keyword -- -*`fortinet.firewall.ha_role`*:: +*`fortinet.firewall.carrier_ep`*:: + -- -HA Role +The FortiOS Carrier end-point identification type: keyword -- -*`fortinet.firewall.handshake`*:: +*`fortinet.firewall.cat`*:: + -- -SSL Handshake +DNS category ID -type: keyword +type: integer -- -*`fortinet.firewall.hash`*:: +*`fortinet.firewall.category`*:: + -- -Hash value of downloaded file +Authentication category type: keyword -- -*`fortinet.firewall.hbdn_reason`*:: +*`fortinet.firewall.cc`*:: + -- -Heartbeat down reason +CC Email Address type: keyword -- -*`fortinet.firewall.highcount`*:: +*`fortinet.firewall.cdrcontent`*:: + -- -Highcount fabric summary +Cdrcontent -type: integer +type: keyword -- -*`fortinet.firewall.host`*:: +*`fortinet.firewall.centralnatid`*:: + -- -Hostname +Central NAT 
ID -type: keyword +type: integer -- -*`fortinet.firewall.iaid`*:: +*`fortinet.firewall.cert`*:: + -- -DHCPv6 id +Certificate type: keyword -- -*`fortinet.firewall.icmpcode`*:: +*`fortinet.firewall.cert-type`*:: + -- -Destination Port of the ICMP message +Certificate type type: keyword -- -*`fortinet.firewall.icmpid`*:: +*`fortinet.firewall.certhash`*:: + -- -Source port of the ICMP message +Certificate hash type: keyword -- -*`fortinet.firewall.icmptype`*:: +*`fortinet.firewall.cfgattr`*:: + -- -The type of ICMP message +Configuration attribute type: keyword -- -*`fortinet.firewall.identifier`*:: +*`fortinet.firewall.cfgobj`*:: + -- -Network traffic identifier +Configuration object -type: integer +type: keyword -- -*`fortinet.firewall.in_spi`*:: +*`fortinet.firewall.cfgpath`*:: + -- -IPSEC inbound SPI +Configuration path type: keyword -- -*`fortinet.firewall.incidentserialno`*:: +*`fortinet.firewall.cfgtid`*:: + -- -Incident serial number +Configuration transaction ID -type: integer +type: keyword -- -*`fortinet.firewall.infected`*:: +*`fortinet.firewall.cfgtxpower`*:: + -- -Infected MMS +Configuration TX power type: integer -- -*`fortinet.firewall.infectedfilelevel`*:: +*`fortinet.firewall.channel`*:: + -- -DLP infected file level +Wireless Channel type: integer -- -*`fortinet.firewall.informationsource`*:: +*`fortinet.firewall.channeltype`*:: + -- -Information source +SSH channel type type: keyword -- -*`fortinet.firewall.init`*:: +*`fortinet.firewall.chassisid`*:: + -- -IPSEC init stage +Chassis ID -type: keyword +type: integer -- -*`fortinet.firewall.initiator`*:: +*`fortinet.firewall.checksum`*:: + -- -Original login user name for Fortiguard override +The checksum of the scanned file type: keyword -- -*`fortinet.firewall.interface`*:: +*`fortinet.firewall.chgheaders`*:: + -- -Related interface +HTTP Headers type: keyword -- -*`fortinet.firewall.intf`*:: +*`fortinet.firewall.cldobjid`*:: + -- -Related interface +Connector object ID type: keyword -- 
-*`fortinet.firewall.invalidmac`*:: +*`fortinet.firewall.client_addr`*:: + -- -The MAC address with invalid OUI +Wifi client address type: keyword -- -*`fortinet.firewall.ip`*:: +*`fortinet.firewall.cloudaction`*:: + -- -Related IP +Cloud Action -type: ip +type: keyword -- -*`fortinet.firewall.iptype`*:: +*`fortinet.firewall.clouduser`*:: + -- -Related IP type +Cloud User type: keyword -- -*`fortinet.firewall.keyword`*:: +*`fortinet.firewall.column`*:: + -- -Keyword used for search +VOIP Column -type: keyword +type: integer -- -*`fortinet.firewall.kind`*:: +*`fortinet.firewall.command`*:: + -- -VOIP kind +CLI Command type: keyword -- -*`fortinet.firewall.lanin`*:: +*`fortinet.firewall.community`*:: + -- -LAN incoming traffic in bytes +SNMP Community -type: long +type: keyword -- -*`fortinet.firewall.lanout`*:: +*`fortinet.firewall.configcountry`*:: + -- -LAN outbound traffic in bytes +Configuration country -type: long +type: keyword -- -*`fortinet.firewall.lease`*:: +*`fortinet.firewall.connection_type`*:: + -- -DHCP lease +FortiClient Connection Type -type: integer +type: keyword -- -*`fortinet.firewall.license_limit`*:: +*`fortinet.firewall.conserve`*:: + -- -Maximum Number of FortiClients for the License +Flag for conserve mode type: keyword -- -*`fortinet.firewall.limit`*:: +*`fortinet.firewall.constraint`*:: + -- -Virtual Domain Resource Limit +WAF http protocol restrictions -type: integer +type: keyword -- -*`fortinet.firewall.line`*:: +*`fortinet.firewall.contentdisarmed`*:: + -- -VOIP line +Email scanned content type: keyword -- -*`fortinet.firewall.live`*:: +*`fortinet.firewall.contenttype`*:: + -- -Time in seconds +Content Type from HTTP header -type: integer +type: keyword -- -*`fortinet.firewall.local`*:: +*`fortinet.firewall.cookies`*:: + -- -Local IP for a PPPD Connection +VPN Cookie -type: ip +type: keyword -- -*`fortinet.firewall.log`*:: +*`fortinet.firewall.count`*:: + -- -Log message +Counts of action type -type: keyword +type: integer -- 
-*`fortinet.firewall.login`*:: +*`fortinet.firewall.countapp`*:: + -- -SSH login +Number of App Ctrl logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.lowcount`*:: +*`fortinet.firewall.countav`*:: + -- -Fabric lowcount +Number of AV logs associated with the session type: integer -- -*`fortinet.firewall.mac`*:: +*`fortinet.firewall.countcifs`*:: + -- -DHCP mac address +Number of CIFS logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.malform_data`*:: +*`fortinet.firewall.countdlp`*:: + -- -VOIP malformed data +Number of DLP logs associated with the session type: integer -- -*`fortinet.firewall.malform_desc`*:: +*`fortinet.firewall.countdns`*:: + -- -VOIP malformed data description +Number of DNS logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.manuf`*:: +*`fortinet.firewall.countemail`*:: + -- -Manufacturer name +Number of email logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.masterdstmac`*:: +*`fortinet.firewall.countff`*:: + -- -Master mac address for a host with multiple network interfaces +Number of ff logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.mastersrcmac`*:: +*`fortinet.firewall.countips`*:: + -- -The master MAC address for a host that has multiple network interfaces +Number of IPS logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.mediumcount`*:: +*`fortinet.firewall.countssh`*:: + -- -Fabric medium count +Number of SSH logs associated with the session type: integer -- -*`fortinet.firewall.mem`*:: +*`fortinet.firewall.countssl`*:: + -- -Memory usage system statistics +Number of SSL logs associated with the session type: integer -- -*`fortinet.firewall.meshmode`*:: +*`fortinet.firewall.countwaf`*:: + -- -Wireless mesh mode +Number of WAF logs associated with the session -type: keyword +type: integer -- 
-*`fortinet.firewall.message_type`*:: +*`fortinet.firewall.countweb`*:: + -- -VOIP message type +Number of Web filter logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.method`*:: +*`fortinet.firewall.cpu`*:: + -- -HTTP method +CPU Usage -type: keyword +type: integer -- -*`fortinet.firewall.mgmtcnt`*:: +*`fortinet.firewall.craction`*:: + -- -The number of unauthorized client flooding managemet frames +Client Reputation Action type: integer -- -*`fortinet.firewall.mode`*:: +*`fortinet.firewall.criticalcount`*:: + -- -IPSEC mode +Number of critical ratings -type: keyword +type: integer -- -*`fortinet.firewall.module`*:: +*`fortinet.firewall.crl`*:: + -- -PCI-DSS module +Client Reputation Level type: keyword -- -*`fortinet.firewall.monitor-name`*:: +*`fortinet.firewall.crlevel`*:: + -- -Health Monitor Name +Client Reputation Level type: keyword -- -*`fortinet.firewall.monitor-type`*:: +*`fortinet.firewall.crscore`*:: + -- -Health Monitor Type +Some description -type: keyword +type: integer -- -*`fortinet.firewall.mpsk`*:: +*`fortinet.firewall.cveid`*:: + -- -Wireless MPSK +CVE ID type: keyword -- -*`fortinet.firewall.msgproto`*:: +*`fortinet.firewall.daemon`*:: + -- -Message Protocol Number +Daemon name type: keyword -- -*`fortinet.firewall.mtu`*:: +*`fortinet.firewall.datarange`*:: + -- -Max Transmission Unit Value +Data range for reports -type: integer +type: keyword -- -*`fortinet.firewall.name`*:: +*`fortinet.firewall.date`*:: + -- -Name +Date type: keyword -- -*`fortinet.firewall.nat`*:: +*`fortinet.firewall.ddnsserver`*:: + -- -NAT IP Address +DDNS server -type: keyword +type: ip -- -*`fortinet.firewall.netid`*:: +*`fortinet.firewall.desc`*:: + -- -Connector NetID +Description type: keyword -- -*`fortinet.firewall.new_status`*:: +*`fortinet.firewall.detectionmethod`*:: + -- -New status on user change +Detection method type: keyword -- -*`fortinet.firewall.new_value`*:: +*`fortinet.firewall.devcategory`*:: + -- -New Virtual 
Domain Name +Device category type: keyword -- -*`fortinet.firewall.newchannel`*:: +*`fortinet.firewall.devintfname`*:: + -- -New Channel Number +HA device Interface Name -type: integer +type: keyword -- -*`fortinet.firewall.newchassisid`*:: +*`fortinet.firewall.devtype`*:: + -- -New Chassis ID +Device type -type: integer +type: keyword -- -*`fortinet.firewall.newslot`*:: +*`fortinet.firewall.dhcp_msg`*:: + -- -New Slot Number +DHCP Message -type: integer +type: keyword -- -*`fortinet.firewall.nextstat`*:: +*`fortinet.firewall.dintf`*:: + -- -Time interval in seconds for the next statistics. +Destination interface -type: integer +type: keyword -- -*`fortinet.firewall.nf_type`*:: +*`fortinet.firewall.disk`*:: + -- -Notification Type +Assosciated disk type: keyword -- -*`fortinet.firewall.noise`*:: +*`fortinet.firewall.disklograte`*:: + -- -Wifi Noise +Disk logging rate -type: integer +type: long -- -*`fortinet.firewall.old_status`*:: +*`fortinet.firewall.dlpextra`*:: + -- -Original Status +DLP extra information type: keyword -- -*`fortinet.firewall.old_value`*:: +*`fortinet.firewall.docsource`*:: + -- -Original Virtual Domain name +DLP fingerprint document source type: keyword -- -*`fortinet.firewall.oldchannel`*:: +*`fortinet.firewall.domainctrlauthstate`*:: + -- -Original channel +CIFS domain auth state type: integer -- -*`fortinet.firewall.oldchassisid`*:: +*`fortinet.firewall.domainctrlauthtype`*:: + -- -Original Chassis Number +CIFS domain auth type type: integer -- -*`fortinet.firewall.oldslot`*:: +*`fortinet.firewall.domainctrldomain`*:: + -- -Original Slot Number +CIFS domain auth domain -type: integer +type: keyword -- -*`fortinet.firewall.oldsn`*:: +*`fortinet.firewall.domainctrlip`*:: + -- -Old Serial number +CIFS Domain IP -type: keyword +type: ip -- -*`fortinet.firewall.oldwprof`*:: +*`fortinet.firewall.domainctrlname`*:: + -- -Old Web Filter Profile +CIFS Domain name type: keyword -- -*`fortinet.firewall.onwire`*:: 
+*`fortinet.firewall.domainctrlprotocoltype`*:: + -- -A flag to indicate if the AP is onwire or not +CIFS Domain connection protocol -type: keyword +type: integer -- -*`fortinet.firewall.opercountry`*:: +*`fortinet.firewall.domainctrlusername`*:: + -- -Operating Country +CIFS Domain username type: keyword -- -*`fortinet.firewall.opertxpower`*:: +*`fortinet.firewall.domainfilteridx`*:: + -- -Operating TX power +Domain filter ID type: integer -- -*`fortinet.firewall.osname`*:: +*`fortinet.firewall.domainfilterlist`*:: + -- -Operating System name +Domain filter name type: keyword -- -*`fortinet.firewall.osversion`*:: +*`fortinet.firewall.ds`*:: + -- -Operating System version +Direction with distribution system type: keyword -- -*`fortinet.firewall.out_spi`*:: +*`fortinet.firewall.dst_int`*:: + -- -Out SPI +Destination interface type: keyword -- -*`fortinet.firewall.outintf`*:: +*`fortinet.firewall.dstintfrole`*:: + -- -Out interface +Destination interface role type: keyword -- -*`fortinet.firewall.passedcount`*:: -+ --- -Fabric passed count - - -type: integer - --- - -*`fortinet.firewall.passwd`*:: +*`fortinet.firewall.dstcountry`*:: + -- -Changed user password information +Destination country type: keyword -- -*`fortinet.firewall.path`*:: +*`fortinet.firewall.dstdevcategory`*:: + -- -Path of looped configuration for security fabric +Destination device category type: keyword -- -*`fortinet.firewall.peer`*:: +*`fortinet.firewall.dstdevtype`*:: + -- -WAN optimization peer +Destination device type type: keyword -- -*`fortinet.firewall.peer_notif`*:: +*`fortinet.firewall.dstfamily`*:: + -- -VPN peer notification +Destination OS family type: keyword -- -*`fortinet.firewall.phase2_name`*:: +*`fortinet.firewall.dsthwvendor`*:: + -- -VPN phase2 name +Destination HW vendor type: keyword -- -*`fortinet.firewall.phone`*:: +*`fortinet.firewall.dsthwversion`*:: + -- -VOIP Phone +Destination HW version type: keyword -- -*`fortinet.firewall.pid`*:: 
+*`fortinet.firewall.dstinetsvc`*:: + -- -Process ID +Destination interface service -type: integer +type: keyword -- -*`fortinet.firewall.policytype`*:: +*`fortinet.firewall.dstosname`*:: + -- -Policy Type +Destination OS name type: keyword -- -*`fortinet.firewall.poolname`*:: +*`fortinet.firewall.dstosversion`*:: + -- -IP Pool name +Destination OS version type: keyword -- -*`fortinet.firewall.port`*:: +*`fortinet.firewall.dstserver`*:: + -- -Log upload error port +Destination server type: integer -- -*`fortinet.firewall.portbegin`*:: +*`fortinet.firewall.dstssid`*:: + -- -IP Pool port number to begin +Destination SSID -type: integer +type: keyword -- -*`fortinet.firewall.portend`*:: +*`fortinet.firewall.dstswversion`*:: + -- -IP Pool port number to end +Destination software version -type: integer +type: keyword -- -*`fortinet.firewall.probeproto`*:: +*`fortinet.firewall.dstunauthusersource`*:: + -- -Link Monitor Probe Protocol +Destination unauthenticated source type: keyword -- -*`fortinet.firewall.process`*:: +*`fortinet.firewall.dstuuid`*:: + -- -URL Filter process +UUID of the Destination IP address type: keyword -- -*`fortinet.firewall.processtime`*:: +*`fortinet.firewall.duid`*:: + -- -Process time for reports +DHCP UID -type: integer +type: keyword -- -*`fortinet.firewall.profile`*:: +*`fortinet.firewall.eapolcnt`*:: + -- -Profile Name +EAPOL packet count -type: keyword +type: integer -- -*`fortinet.firewall.profile_vd`*:: +*`fortinet.firewall.eapoltype`*:: + -- -Virtual Domain Name +EAPOL packet type type: keyword -- -*`fortinet.firewall.profilegroup`*:: +*`fortinet.firewall.encrypt`*:: + -- -Profile Group Name +Whether the packet is encrypted or not -type: keyword +type: integer -- -*`fortinet.firewall.profiletype`*:: +*`fortinet.firewall.encryption`*:: + -- -Profile Type +Encryption method type: keyword -- -*`fortinet.firewall.qtypeval`*:: +*`fortinet.firewall.epoch`*:: + -- -DNS question type value +Epoch used for locating file type: integer -- 
-*`fortinet.firewall.quarskip`*:: +*`fortinet.firewall.espauth`*:: + -- -Quarantine skip explanation +ESP Authentication type: keyword -- -*`fortinet.firewall.quotaexceeded`*:: +*`fortinet.firewall.esptransform`*:: + -- -If quota has been exceeded +ESP Transform type: keyword -- -*`fortinet.firewall.quotamax`*:: +*`fortinet.firewall.eventtype`*:: + -- -Maximum quota allowed - in seconds if time-based - in bytes if traffic-based +UTM Event Type -type: long +type: keyword -- -*`fortinet.firewall.quotatype`*:: +*`fortinet.firewall.exch`*:: + -- -Quota type +Mail Exchanges from DNS response answer section type: keyword -- -*`fortinet.firewall.quotaused`*:: +*`fortinet.firewall.exchange`*:: + -- -Quota used - in seconds if time-based - in bytes if trafficbased) +Mail Exchanges from DNS response answer section -type: long +type: keyword -- -*`fortinet.firewall.radioband`*:: +*`fortinet.firewall.expectedsignature`*:: + -- -Radio band +Expected SSL signature type: keyword -- -*`fortinet.firewall.radioid`*:: +*`fortinet.firewall.expiry`*:: + -- -Radio ID +FortiGuard override expiry timestamp -type: integer +type: keyword -- -*`fortinet.firewall.radioidclosest`*:: +*`fortinet.firewall.fams_pause`*:: + -- -Radio ID on the AP closest the rogue AP +Fortinet Analysis and Management Service Pause type: integer -- -*`fortinet.firewall.radioiddetected`*:: +*`fortinet.firewall.fazlograte`*:: + -- -Radio ID on the AP which detected the rogue AP +FortiAnalyzer Logging Rate -type: integer +type: long -- -*`fortinet.firewall.rate`*:: +*`fortinet.firewall.fctemssn`*:: + -- -Wireless rogue rate value +FortiClient Endpoint SSN type: keyword -- -*`fortinet.firewall.rawdata`*:: +*`fortinet.firewall.fctuid`*:: + -- -Raw data value +FortiClient UID type: keyword -- -*`fortinet.firewall.rawdataid`*:: +*`fortinet.firewall.field`*:: + -- -Raw data ID +NTP status field type: keyword -- -*`fortinet.firewall.rcvddelta`*:: +*`fortinet.firewall.filefilter`*:: + -- -Received bytes delta +The filter 
used to identify the affected file type: keyword -- -*`fortinet.firewall.reason`*:: +*`fortinet.firewall.filehashsrc`*:: + -- -Alert reason +Filehash source type: keyword -- -*`fortinet.firewall.received`*:: +*`fortinet.firewall.filtercat`*:: + -- -Server key exchange received +DLP filter category -type: integer +type: keyword -- -*`fortinet.firewall.receivedsignature`*:: +*`fortinet.firewall.filteridx`*:: + -- -Server key exchange received signature +DLP filter ID -type: keyword +type: integer -- -*`fortinet.firewall.red`*:: +*`fortinet.firewall.filtername`*:: + -- -Memory information in red +DLP rule name type: keyword -- -*`fortinet.firewall.referralurl`*:: +*`fortinet.firewall.filtertype`*:: + -- -Web filter referralurl +DLP filter type type: keyword -- -*`fortinet.firewall.remote`*:: +*`fortinet.firewall.fortiguardresp`*:: + -- -Remote PPP IP address +Antispam ESP value -type: ip +type: keyword -- -*`fortinet.firewall.remotewtptime`*:: +*`fortinet.firewall.forwardedfor`*:: + -- -Remote Wifi Radius authentication time +Email address forwarded type: keyword -- -*`fortinet.firewall.reporttype`*:: +*`fortinet.firewall.fqdn`*:: + -- -Report type +FQDN type: keyword -- -*`fortinet.firewall.reqtype`*:: +*`fortinet.firewall.frametype`*:: + -- -Request type +Wireless frametype type: keyword -- -*`fortinet.firewall.request_name`*:: +*`fortinet.firewall.freediskstorage`*:: + -- -VOIP request name +Free disk integer -type: keyword +type: integer -- -*`fortinet.firewall.result`*:: +*`fortinet.firewall.from`*:: + -- -VPN phase result +From email address type: keyword -- -*`fortinet.firewall.role`*:: +*`fortinet.firewall.from_vcluster`*:: + -- -VPN Phase 2 role +Source virtual cluster number -type: keyword +type: integer -- -*`fortinet.firewall.rssi`*:: +*`fortinet.firewall.fsaverdict`*:: + -- -Received signal strength indicator +FSA verdict -type: integer +type: keyword -- -*`fortinet.firewall.rsso_key`*:: +*`fortinet.firewall.fwserver_name`*:: + -- -RADIUS SSO attribute 
value +Web proxy server name type: keyword -- -*`fortinet.firewall.ruledata`*:: +*`fortinet.firewall.gateway`*:: + -- -Rule data +Gateway ip address for PPPoE status report -type: keyword +type: ip -- -*`fortinet.firewall.ruletype`*:: +*`fortinet.firewall.green`*:: + -- -Rule type +Memory status type: keyword -- -*`fortinet.firewall.scanned`*:: +*`fortinet.firewall.groupid`*:: + -- -Number of Scanned MMSs +User Group ID type: integer -- -*`fortinet.firewall.scantime`*:: +*`fortinet.firewall.ha-prio`*:: + -- -Scanned time +HA Priority -type: long +type: integer -- -*`fortinet.firewall.scope`*:: +*`fortinet.firewall.ha_group`*:: + -- -FortiGuard Override Scope +HA Group type: keyword -- -*`fortinet.firewall.security`*:: +*`fortinet.firewall.ha_role`*:: + -- -Wireless rogue security +HA Role type: keyword -- -*`fortinet.firewall.sensitivity`*:: +*`fortinet.firewall.handshake`*:: + -- -Sensitivity for document fingerprint +SSL Handshake type: keyword -- -*`fortinet.firewall.sensor`*:: +*`fortinet.firewall.hash`*:: + -- -NAC Sensor Name +Hash value of downloaded file type: keyword -- -*`fortinet.firewall.sentdelta`*:: +*`fortinet.firewall.hbdn_reason`*:: + -- -Sent bytes delta +Heartbeat down reason type: keyword -- -*`fortinet.firewall.seq`*:: +*`fortinet.firewall.highcount`*:: + -- -Sequence number +Highcount fabric summary -type: keyword +type: integer -- -*`fortinet.firewall.serial`*:: +*`fortinet.firewall.host`*:: + -- -WAN optimisation serial +Hostname type: keyword -- -*`fortinet.firewall.serialno`*:: +*`fortinet.firewall.iaid`*:: + -- -Serial number +DHCPv6 id type: keyword -- -*`fortinet.firewall.server`*:: +*`fortinet.firewall.icmpcode`*:: + -- -AD server FQDN or IP +Destination Port of the ICMP message type: keyword -- -*`fortinet.firewall.session_id`*:: +*`fortinet.firewall.icmpid`*:: + -- -Session ID +Source port of the ICMP message type: keyword -- -*`fortinet.firewall.sessionid`*:: +*`fortinet.firewall.icmptype`*:: + -- -WAD Session ID +The type of ICMP 
message -type: integer +type: keyword -- -*`fortinet.firewall.setuprate`*:: +*`fortinet.firewall.identifier`*:: + -- -Session Setup Rate +Network traffic identifier -type: long +type: integer -- -*`fortinet.firewall.severity`*:: +*`fortinet.firewall.in_spi`*:: + -- -Severity +IPSEC inbound SPI type: keyword -- -*`fortinet.firewall.shaperdroprcvdbyte`*:: +*`fortinet.firewall.incidentserialno`*:: + -- -Received bytes dropped by shaper +Incident serial number type: integer -- -*`fortinet.firewall.shaperdropsentbyte`*:: +*`fortinet.firewall.infected`*:: + -- -Sent bytes dropped by shaper +Infected MMS type: integer -- -*`fortinet.firewall.shaperperipdropbyte`*:: +*`fortinet.firewall.infectedfilelevel`*:: + -- -Dropped bytes per IP by shaper +DLP infected file level type: integer -- -*`fortinet.firewall.shaperperipname`*:: +*`fortinet.firewall.informationsource`*:: + -- -Traffic shaper name (per IP) +Information source type: keyword -- -*`fortinet.firewall.shaperrcvdname`*:: +*`fortinet.firewall.init`*:: + -- -Traffic shaper name for received traffic +IPSEC init stage type: keyword -- -*`fortinet.firewall.shapersentname`*:: +*`fortinet.firewall.initiator`*:: + -- -Traffic shaper name for sent traffic +Original login user name for Fortiguard override type: keyword -- -*`fortinet.firewall.shapingpolicyid`*:: +*`fortinet.firewall.interface`*:: + -- -Traffic shaper policy ID +Related interface -type: integer +type: keyword -- -*`fortinet.firewall.signal`*:: +*`fortinet.firewall.intf`*:: + -- -Wireless rogue API signal +Related interface -type: integer +type: keyword -- -*`fortinet.firewall.size`*:: +*`fortinet.firewall.invalidmac`*:: + -- -Email size in bytes +The MAC address with invalid OUI -type: long +type: keyword -- -*`fortinet.firewall.slot`*:: +*`fortinet.firewall.ip`*:: + -- -Slot number +Related IP -type: integer +type: ip -- -*`fortinet.firewall.sn`*:: +*`fortinet.firewall.iptype`*:: + -- -Security fabric serial number +Related IP type type: keyword -- 
-*`fortinet.firewall.snclosest`*:: +*`fortinet.firewall.keyword`*:: + -- -SN of the AP closest to the rogue AP +Keyword used for search type: keyword -- -*`fortinet.firewall.sndetected`*:: +*`fortinet.firewall.kind`*:: + -- -SN of the AP which detected the rogue AP +VOIP kind type: keyword -- -*`fortinet.firewall.snmeshparent`*:: +*`fortinet.firewall.lanin`*:: + -- -SN of the mesh parent +LAN incoming traffic in bytes -type: keyword +type: long -- -*`fortinet.firewall.spi`*:: +*`fortinet.firewall.lanout`*:: + -- -IPSEC SPI +LAN outbound traffic in bytes -type: keyword +type: long -- -*`fortinet.firewall.src_int`*:: +*`fortinet.firewall.lease`*:: + -- -Source interface +DHCP lease -type: keyword +type: integer -- -*`fortinet.firewall.srcintfrole`*:: +*`fortinet.firewall.license_limit`*:: + -- -Source interface role +Maximum Number of FortiClients for the License type: keyword -- -*`fortinet.firewall.srccountry`*:: +*`fortinet.firewall.limit`*:: + -- -Source country +Virtual Domain Resource Limit -type: keyword +type: integer -- -*`fortinet.firewall.srcfamily`*:: +*`fortinet.firewall.line`*:: + -- -Source family +VOIP line type: keyword -- -*`fortinet.firewall.srchwvendor`*:: +*`fortinet.firewall.live`*:: + -- -Source hardware vendor +Time in seconds -type: keyword +type: integer -- -*`fortinet.firewall.srchwversion`*:: +*`fortinet.firewall.local`*:: + -- -Source hardware version +Local IP for a PPPD Connection -type: keyword +type: ip -- -*`fortinet.firewall.srcinetsvc`*:: +*`fortinet.firewall.log`*:: + -- -Source interface service +Log message type: keyword -- -*`fortinet.firewall.srcname`*:: +*`fortinet.firewall.login`*:: + -- -Source name +SSH login type: keyword -- -*`fortinet.firewall.srcserver`*:: +*`fortinet.firewall.lowcount`*:: + -- -Source server +Fabric lowcount type: integer -- -*`fortinet.firewall.srcssid`*:: +*`fortinet.firewall.mac`*:: + -- -Source SSID +DHCP mac address type: keyword -- -*`fortinet.firewall.srcswversion`*:: 
+*`fortinet.firewall.malform_data`*:: + -- -Source software version +VOIP malformed data -type: keyword +type: integer -- -*`fortinet.firewall.srcuuid`*:: +*`fortinet.firewall.malform_desc`*:: + -- -Source UUID +VOIP malformed data description type: keyword -- -*`fortinet.firewall.sscname`*:: +*`fortinet.firewall.manuf`*:: + -- -SSC name +Manufacturer name type: keyword -- -*`fortinet.firewall.ssid`*:: +*`fortinet.firewall.masterdstmac`*:: + -- -Base Service Set ID +Master mac address for a host with multiple network interfaces type: keyword -- -*`fortinet.firewall.sslaction`*:: +*`fortinet.firewall.mastersrcmac`*:: + -- -SSL Action +The master MAC address for a host that has multiple network interfaces type: keyword -- -*`fortinet.firewall.ssllocal`*:: +*`fortinet.firewall.mediumcount`*:: + -- -WAD SSL local +Fabric medium count -type: keyword +type: integer -- -*`fortinet.firewall.sslremote`*:: +*`fortinet.firewall.mem`*:: + -- -WAD SSL remote +Memory usage system statistics -type: keyword +type: integer -- -*`fortinet.firewall.stacount`*:: +*`fortinet.firewall.meshmode`*:: + -- -Number of stations/clients +Wireless mesh mode -type: integer +type: keyword -- -*`fortinet.firewall.stage`*:: +*`fortinet.firewall.message_type`*:: + -- -IPSEC stage +VOIP message type type: keyword -- -*`fortinet.firewall.stamac`*:: +*`fortinet.firewall.method`*:: + -- -802.1x station mac +HTTP method type: keyword -- -*`fortinet.firewall.state`*:: +*`fortinet.firewall.mgmtcnt`*:: + -- -Admin login state +The number of unauthorized client flooding managemet frames -type: keyword +type: integer -- -*`fortinet.firewall.status`*:: +*`fortinet.firewall.mode`*:: + -- -Status +IPSEC mode type: keyword -- -*`fortinet.firewall.stitch`*:: +*`fortinet.firewall.module`*:: + -- -Automation stitch triggered +PCI-DSS module type: keyword -- -*`fortinet.firewall.subject`*:: +*`fortinet.firewall.monitor-name`*:: + -- -Email subject +Health Monitor Name type: keyword -- 
-*`fortinet.firewall.submodule`*:: +*`fortinet.firewall.monitor-type`*:: + -- -Configuration Sub-Module Name +Health Monitor Type type: keyword -- -*`fortinet.firewall.subservice`*:: +*`fortinet.firewall.mpsk`*:: + -- -AV subservice +Wireless MPSK type: keyword -- -*`fortinet.firewall.subtype`*:: +*`fortinet.firewall.msgproto`*:: + -- -Log subtype +Message Protocol Number type: keyword -- -*`fortinet.firewall.suspicious`*:: +*`fortinet.firewall.mtu`*:: + -- -Number of Suspicious MMSs +Max Transmission Unit Value type: integer -- -*`fortinet.firewall.switchproto`*:: +*`fortinet.firewall.name`*:: + -- -Protocol change information +Name type: keyword -- -*`fortinet.firewall.sync_status`*:: +*`fortinet.firewall.nat`*:: + -- -The sync status with the master +NAT IP Address type: keyword -- -*`fortinet.firewall.sync_type`*:: +*`fortinet.firewall.netid`*:: + -- -The sync type with the master +Connector NetID type: keyword -- -*`fortinet.firewall.sysuptime`*:: +*`fortinet.firewall.new_status`*:: + -- -System uptime +New status on user change type: keyword -- -*`fortinet.firewall.tamac`*:: +*`fortinet.firewall.new_value`*:: + -- -the MAC address of Transmitter, if none, then Receiver +New Virtual Domain Name type: keyword -- -*`fortinet.firewall.threattype`*:: +*`fortinet.firewall.newchannel`*:: + -- -WIDS threat type +New Channel Number -type: keyword +type: integer -- -*`fortinet.firewall.time`*:: +*`fortinet.firewall.newchassisid`*:: + -- -Time of the event +New Chassis ID -type: keyword +type: integer -- -*`fortinet.firewall.to`*:: +*`fortinet.firewall.newslot`*:: + -- -Email to field +New Slot Number -type: keyword +type: integer -- -*`fortinet.firewall.to_vcluster`*:: +*`fortinet.firewall.nextstat`*:: + -- -destination virtual cluster number +Time interval in seconds for the next statistics. 
type: integer -- -*`fortinet.firewall.total`*:: +*`fortinet.firewall.nf_type`*:: + -- -Total memory +Notification Type -type: integer +type: keyword -- -*`fortinet.firewall.totalsession`*:: +*`fortinet.firewall.noise`*:: + -- -Total Number of Sessions +Wifi Noise type: integer -- -*`fortinet.firewall.trace_id`*:: +*`fortinet.firewall.old_status`*:: + -- -Session clash trace ID +Original Status type: keyword -- -*`fortinet.firewall.trandisp`*:: +*`fortinet.firewall.old_value`*:: + -- -NAT translation type +Original Virtual Domain name type: keyword -- -*`fortinet.firewall.transid`*:: +*`fortinet.firewall.oldchannel`*:: + -- -HTTP transaction ID +Original channel type: integer -- -*`fortinet.firewall.translationid`*:: +*`fortinet.firewall.oldchassisid`*:: + -- -DNS filter transaltion ID +Original Chassis Number + + +type: integer + +-- + +*`fortinet.firewall.oldslot`*:: ++ +-- +Original Slot Number + + +type: integer + +-- + +*`fortinet.firewall.oldsn`*:: ++ +-- +Old Serial number type: keyword -- -*`fortinet.firewall.trigger`*:: +*`fortinet.firewall.oldwprof`*:: + -- -Automation stitch trigger +Old Web Filter Profile type: keyword -- -*`fortinet.firewall.trueclntip`*:: +*`fortinet.firewall.onwire`*:: + -- -File filter true client IP +A flag to indicate if the AP is onwire or not -type: ip +type: keyword -- -*`fortinet.firewall.tunnelid`*:: +*`fortinet.firewall.opercountry`*:: + -- -IPSEC tunnel ID +Operating Country -type: integer +type: keyword -- -*`fortinet.firewall.tunnelip`*:: +*`fortinet.firewall.opertxpower`*:: + -- -IPSEC tunnel IP +Operating TX power -type: ip +type: integer -- -*`fortinet.firewall.tunneltype`*:: +*`fortinet.firewall.osname`*:: + -- -IPSEC tunnel type +Operating System name type: keyword -- -*`fortinet.firewall.type`*:: +*`fortinet.firewall.osversion`*:: + -- -Module type +Operating System version type: keyword -- -*`fortinet.firewall.ui`*:: +*`fortinet.firewall.out_spi`*:: + -- -Admin authentication UI type +Out SPI type: keyword -- 
-*`fortinet.firewall.unauthusersource`*:: +*`fortinet.firewall.outintf`*:: + -- -Unauthenticated user source +Out interface type: keyword -- -*`fortinet.firewall.unit`*:: +*`fortinet.firewall.passedcount`*:: + -- -Power supply unit +Fabric passed count type: integer -- -*`fortinet.firewall.urlfilteridx`*:: +*`fortinet.firewall.passwd`*:: + -- -URL filter ID +Changed user password information -type: integer +type: keyword -- -*`fortinet.firewall.urlfilterlist`*:: +*`fortinet.firewall.path`*:: + -- -URL filter list +Path of looped configuration for security fabric type: keyword -- -*`fortinet.firewall.urlsource`*:: +*`fortinet.firewall.peer`*:: + -- -URL filter source +WAN optimization peer type: keyword -- -*`fortinet.firewall.urltype`*:: +*`fortinet.firewall.peer_notif`*:: + -- -URL filter type +VPN peer notification type: keyword -- -*`fortinet.firewall.used`*:: +*`fortinet.firewall.phase2_name`*:: + -- -Number of Used IPs +VPN phase2 name -type: integer +type: keyword -- -*`fortinet.firewall.used_for_type`*:: +*`fortinet.firewall.phone`*:: + -- -Connection for the type +VOIP Phone -type: integer +type: keyword -- -*`fortinet.firewall.utmaction`*:: +*`fortinet.firewall.pid`*:: + -- -Security action performed by UTM +Process ID -type: keyword +type: integer -- -*`fortinet.firewall.utmref`*:: +*`fortinet.firewall.policytype`*:: + -- -Reference to UTM +Policy Type type: keyword -- -*`fortinet.firewall.vap`*:: +*`fortinet.firewall.poolname`*:: + -- -Virtual AP +IP Pool name type: keyword -- -*`fortinet.firewall.vapmode`*:: +*`fortinet.firewall.port`*:: + -- -Virtual AP mode +Log upload error port -type: keyword +type: integer -- -*`fortinet.firewall.vcluster`*:: +*`fortinet.firewall.portbegin`*:: + -- -virtual cluster id +IP Pool port number to begin type: integer -- -*`fortinet.firewall.vcluster_member`*:: +*`fortinet.firewall.portend`*:: + -- -Virtual cluster member +IP Pool port number to end type: integer -- -*`fortinet.firewall.vcluster_state`*:: 
+*`fortinet.firewall.probeproto`*:: + -- -Virtual cluster state +Link Monitor Probe Protocol type: keyword -- -*`fortinet.firewall.vd`*:: +*`fortinet.firewall.process`*:: + -- -Virtual Domain Name +URL Filter process type: keyword -- -*`fortinet.firewall.vdname`*:: +*`fortinet.firewall.processtime`*:: + -- -Virtual Domain Name +Process time for reports -type: keyword +type: integer -- -*`fortinet.firewall.vendorurl`*:: +*`fortinet.firewall.profile`*:: + -- -Vulnerability scan vendor name +Profile Name type: keyword -- -*`fortinet.firewall.version`*:: +*`fortinet.firewall.profile_vd`*:: + -- -Version +Virtual Domain Name type: keyword -- -*`fortinet.firewall.vip`*:: +*`fortinet.firewall.profilegroup`*:: + -- -Virtual IP +Profile Group Name type: keyword -- -*`fortinet.firewall.virus`*:: +*`fortinet.firewall.profiletype`*:: + -- -Virus name +Profile Type type: keyword -- -*`fortinet.firewall.virusid`*:: +*`fortinet.firewall.qtypeval`*:: + -- -Virus ID (unique virus identifier) +DNS question type value type: integer -- -*`fortinet.firewall.voip_proto`*:: +*`fortinet.firewall.quarskip`*:: + -- -VOIP protocol +Quarantine skip explanation type: keyword -- -*`fortinet.firewall.vpn`*:: +*`fortinet.firewall.quotaexceeded`*:: + -- -VPN description +If quota has been exceeded type: keyword -- -*`fortinet.firewall.vpntunnel`*:: +*`fortinet.firewall.quotamax`*:: + -- -IPsec Vpn Tunnel Name +Maximum quota allowed - in seconds if time-based - in bytes if traffic-based -type: keyword +type: long -- -*`fortinet.firewall.vpntype`*:: +*`fortinet.firewall.quotatype`*:: + -- -The type of the VPN tunnel +Quota type type: keyword -- -*`fortinet.firewall.vrf`*:: +*`fortinet.firewall.quotaused`*:: + -- -VRF number +Quota used - in seconds if time-based - in bytes if trafficbased) -type: integer +type: long -- -*`fortinet.firewall.vulncat`*:: +*`fortinet.firewall.radioband`*:: + -- -Vulnerability Category +Radio band type: keyword -- -*`fortinet.firewall.vulnid`*:: 
+*`fortinet.firewall.radioid`*:: + -- -Vulnerability ID +Radio ID type: integer -- -*`fortinet.firewall.vulnname`*:: +*`fortinet.firewall.radioidclosest`*:: + -- -Vulnerability name +Radio ID on the AP closest the rogue AP -type: keyword +type: integer -- -*`fortinet.firewall.vwlid`*:: +*`fortinet.firewall.radioiddetected`*:: + -- -VWL ID +Radio ID on the AP which detected the rogue AP type: integer -- -*`fortinet.firewall.vwlquality`*:: +*`fortinet.firewall.rate`*:: + -- -VWL quality +Wireless rogue rate value type: keyword -- -*`fortinet.firewall.vwlservice`*:: +*`fortinet.firewall.rawdata`*:: + -- -VWL service +Raw data value type: keyword -- -*`fortinet.firewall.vwpvlanid`*:: +*`fortinet.firewall.rawdataid`*:: + -- -VWP VLAN ID +Raw data ID -type: integer +type: keyword -- -*`fortinet.firewall.wanin`*:: +*`fortinet.firewall.rcvddelta`*:: + -- -WAN incoming traffic in bytes +Received bytes delta -type: long +type: keyword -- -*`fortinet.firewall.wanoptapptype`*:: +*`fortinet.firewall.reason`*:: + -- -WAN Optimization Application type +Alert reason type: keyword -- -*`fortinet.firewall.wanout`*:: +*`fortinet.firewall.received`*:: + -- -WAN outgoing traffic in bytes +Server key exchange received -type: long +type: integer -- -*`fortinet.firewall.weakwepiv`*:: +*`fortinet.firewall.receivedsignature`*:: + -- -Weak Wep Initiation Vector +Server key exchange received signature type: keyword -- -*`fortinet.firewall.xauthgroup`*:: +*`fortinet.firewall.red`*:: + -- -XAuth Group Name +Memory information in red type: keyword -- -*`fortinet.firewall.xauthuser`*:: +*`fortinet.firewall.referralurl`*:: + -- -XAuth User Name +Web filter referralurl type: keyword -- -*`fortinet.firewall.xid`*:: +*`fortinet.firewall.remote`*:: + -- -Wireless X ID +Remote PPP IP address -type: integer +type: ip -- -[[exported-fields-gcp]] -== Google Cloud Platform (GCP) fields +*`fortinet.firewall.remotewtptime`*:: ++ +-- +Remote Wifi Radius authentication time -Module for handling logs from 
Google Cloud. +type: keyword +-- -[float] -=== gcp +*`fortinet.firewall.reporttype`*:: ++ +-- +Report type -Fields from Google Cloud logs. +type: keyword +-- -[float] -=== destination.instance +*`fortinet.firewall.reqtype`*:: ++ +-- +Request type -If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. +type: keyword +-- -*`gcp.destination.instance.project_id`*:: +*`fortinet.firewall.request_name`*:: + -- -ID of the project containing the VM. +VOIP request name type: keyword -- -*`gcp.destination.instance.region`*:: +*`fortinet.firewall.result`*:: + -- -Region of the VM. +VPN phase result type: keyword -- -*`gcp.destination.instance.zone`*:: +*`fortinet.firewall.role`*:: + -- -Zone of the VM. +VPN Phase 2 role type: keyword -- -[float] -=== destination.vpc +*`fortinet.firewall.rssi`*:: ++ +-- +Received signal strength indicator -If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. +type: integer +-- -*`gcp.destination.vpc.project_id`*:: +*`fortinet.firewall.rsso_key`*:: + -- -ID of the project containing the VM. +RADIUS SSO attribute value type: keyword -- -*`gcp.destination.vpc.vpc_name`*:: +*`fortinet.firewall.ruledata`*:: + -- -VPC on which the VM is operating. +Rule data type: keyword -- -*`gcp.destination.vpc.subnetwork_name`*:: +*`fortinet.firewall.ruletype`*:: + -- -Subnetwork on which the VM is operating. +Rule type type: keyword -- -[float] -=== source.instance +*`fortinet.firewall.scanned`*:: ++ +-- +Number of Scanned MMSs -If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. 
In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. +type: integer +-- -*`gcp.source.instance.project_id`*:: +*`fortinet.firewall.scantime`*:: + -- -ID of the project containing the VM. +Scanned time -type: keyword +type: long -- -*`gcp.source.instance.region`*:: +*`fortinet.firewall.scope`*:: + -- -Region of the VM. +FortiGuard Override Scope type: keyword -- -*`gcp.source.instance.zone`*:: +*`fortinet.firewall.security`*:: + -- -Zone of the VM. +Wireless rogue security type: keyword -- -[float] -=== source.vpc +*`fortinet.firewall.sensitivity`*:: ++ +-- +Sensitivity for document fingerprint -If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. +type: keyword +-- -*`gcp.source.vpc.project_id`*:: +*`fortinet.firewall.sensor`*:: + -- -ID of the project containing the VM. +NAC Sensor Name type: keyword -- -*`gcp.source.vpc.vpc_name`*:: +*`fortinet.firewall.sentdelta`*:: + -- -VPC on which the VM is operating. +Sent bytes delta type: keyword -- -*`gcp.source.vpc.subnetwork_name`*:: +*`fortinet.firewall.seq`*:: + -- -Subnetwork on which the VM is operating. +Sequence number type: keyword -- -[float] -=== audit +*`fortinet.firewall.serial`*:: ++ +-- +WAN optimisation serial -Fields for Google Cloud audit logs. +type: keyword +-- -*`gcp.audit.type`*:: +*`fortinet.firewall.serialno`*:: + -- -Type property. +Serial number type: keyword -- -[float] -=== authentication_info +*`fortinet.firewall.server`*:: ++ +-- +AD server FQDN or IP -Authentication information. +type: keyword +-- -*`gcp.audit.authentication_info.principal_email`*:: +*`fortinet.firewall.session_id`*:: + -- -The email address of the authenticated user making the request. 
+Session ID type: keyword -- -*`gcp.audit.authentication_info.authority_selector`*:: +*`fortinet.firewall.sessionid`*:: + -- -The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. +WAD Session ID -type: keyword +type: integer -- -*`gcp.audit.authorization_info`*:: +*`fortinet.firewall.setuprate`*:: + -- -Authorization information for the operation. +Session Setup Rate -type: array +type: long -- -*`gcp.audit.method_name`*:: +*`fortinet.firewall.severity`*:: + -- -The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. +Severity type: keyword -- -*`gcp.audit.num_response_items`*:: +*`fortinet.firewall.shaperdroprcvdbyte`*:: + -- -The number of items returned from a List or Query API method, if applicable. +Received bytes dropped by shaper -type: long +type: integer -- -[float] -=== request +*`fortinet.firewall.shaperdropsentbyte`*:: ++ +-- +Sent bytes dropped by shaper -The operation request. +type: integer +-- -*`gcp.audit.request.proto_name`*:: +*`fortinet.firewall.shaperperipdropbyte`*:: + -- -Type property of the request. +Dropped bytes per IP by shaper -type: keyword +type: integer -- -*`gcp.audit.request.filter`*:: +*`fortinet.firewall.shaperperipname`*:: + -- -Filter of the request. +Traffic shaper name (per IP) type: keyword -- -*`gcp.audit.request.name`*:: +*`fortinet.firewall.shaperrcvdname`*:: + -- -Name of the request. +Traffic shaper name for received traffic type: keyword -- -*`gcp.audit.request.resource_name`*:: +*`fortinet.firewall.shapersentname`*:: + -- -Name of the request resource. +Traffic shaper name for sent traffic type: keyword -- -[float] -=== request_metadata +*`fortinet.firewall.shapingpolicyid`*:: ++ +-- +Traffic shaper policy ID -Metadata about the request. 
+type: integer +-- -*`gcp.audit.request_metadata.caller_ip`*:: +*`fortinet.firewall.signal`*:: + -- -The IP address of the caller. +Wireless rogue API signal -type: ip +type: integer -- -*`gcp.audit.request_metadata.caller_supplied_user_agent`*:: +*`fortinet.firewall.size`*:: + -- -The user agent of the caller. This information is not authenticated and should be treated accordingly. +Email size in bytes -type: keyword +type: long -- -[float] -=== response +*`fortinet.firewall.slot`*:: ++ +-- +Slot number -The operation response. +type: integer +-- -*`gcp.audit.response.proto_name`*:: +*`fortinet.firewall.sn`*:: + -- -Type property of the response. +Security fabric serial number type: keyword -- -[float] -=== details - -The details of the response. - - - -*`gcp.audit.response.details.group`*:: +*`fortinet.firewall.snclosest`*:: + -- -The name of the group. +SN of the AP closest to the rogue AP type: keyword -- -*`gcp.audit.response.details.kind`*:: +*`fortinet.firewall.sndetected`*:: + -- -The kind of the response details. +SN of the AP which detected the rogue AP type: keyword -- -*`gcp.audit.response.details.name`*:: +*`fortinet.firewall.snmeshparent`*:: + -- -The name of the response details. +SN of the mesh parent type: keyword -- -*`gcp.audit.response.details.uid`*:: +*`fortinet.firewall.spi`*:: + -- -The uid of the response details. +IPSEC SPI type: keyword -- -*`gcp.audit.response.status`*:: +*`fortinet.firewall.src_int`*:: + -- -Status of the response. +Source interface type: keyword -- -*`gcp.audit.resource_name`*:: +*`fortinet.firewall.srcintfrole`*:: + -- -The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. +Source interface role type: keyword -- -[float] -=== resource_location - -The location of the resource. 
- - - -*`gcp.audit.resource_location.current_locations`*:: +*`fortinet.firewall.srccountry`*:: + -- -Current locations of the resource. +Source country type: keyword -- -*`gcp.audit.service_name`*:: +*`fortinet.firewall.srcfamily`*:: + -- -The name of the API service performing the operation. For example, datastore.googleapis.com. +Source family type: keyword -- -[float] -=== status - -The status of the overall operation. - - - -*`gcp.audit.status.code`*:: +*`fortinet.firewall.srchwvendor`*:: + -- -The status code, which should be an enum value of google.rpc.Code. +Source hardware vendor -type: integer +type: keyword -- -*`gcp.audit.status.message`*:: +*`fortinet.firewall.srchwversion`*:: + -- -A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. +Source hardware version type: keyword -- -[float] -=== firewall - -Fields for Google Cloud Firewall logs. - - - -[float] -=== rule_details - -Description of the firewall rule that matched this connection. - - - -*`gcp.firewall.rule_details.priority`*:: +*`fortinet.firewall.srcinetsvc`*:: + -- -The priority for the firewall rule. +Source interface service -type: long + +type: keyword -- -*`gcp.firewall.rule_details.action`*:: +*`fortinet.firewall.srcname`*:: + -- -Action that the rule performs on match. +Source name + type: keyword -- -*`gcp.firewall.rule_details.direction`*:: +*`fortinet.firewall.srcserver`*:: + -- -Direction of traffic that matches this rule. +Source server -type: keyword + +type: integer -- -*`gcp.firewall.rule_details.reference`*:: +*`fortinet.firewall.srcssid`*:: + -- -Reference to the firewall rule. +Source SSID + type: keyword -- -*`gcp.firewall.rule_details.source_range`*:: +*`fortinet.firewall.srcswversion`*:: + -- -List of source ranges that the firewall rule applies to. 
+Source software version + type: keyword -- -*`gcp.firewall.rule_details.destination_range`*:: +*`fortinet.firewall.srcuuid`*:: + -- -List of destination ranges that the firewall applies to. +Source UUID + type: keyword -- -*`gcp.firewall.rule_details.source_tag`*:: +*`fortinet.firewall.sscname`*:: + -- -List of all the source tags that the firewall rule applies to. +SSC name type: keyword -- -*`gcp.firewall.rule_details.target_tag`*:: +*`fortinet.firewall.ssid`*:: + -- -List of all the target tags that the firewall rule applies to. +Base Service Set ID type: keyword -- -*`gcp.firewall.rule_details.ip_port_info`*:: +*`fortinet.firewall.sslaction`*:: + -- -List of ip protocols and applicable port ranges for rules. +SSL Action -type: array +type: keyword -- -*`gcp.firewall.rule_details.source_service_account`*:: +*`fortinet.firewall.ssllocal`*:: + -- -List of all the source service accounts that the firewall rule applies to. +WAD SSL local type: keyword -- -*`gcp.firewall.rule_details.target_service_account`*:: +*`fortinet.firewall.sslremote`*:: + -- -List of all the target service accounts that the firewall rule applies to. +WAD SSL remote type: keyword -- -[float] -=== vpcflow +*`fortinet.firewall.stacount`*:: ++ +-- +Number of stations/clients -Fields for Google Cloud VPC flow logs. +type: integer +-- -*`gcp.vpcflow.reporter`*:: +*`fortinet.firewall.stage`*:: + -- -The side which reported the flow. Can be either 'SRC' or 'DEST'. +IPSEC stage type: keyword -- -*`gcp.vpcflow.rtt.ms`*:: +*`fortinet.firewall.stamac`*:: + -- -Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. 
+802.1x station mac -type: long +type: keyword -- -[[exported-fields-google_workspace]] -== google_workspace fields - -Google Workspace Module - - - -[float] -=== google_workspace +*`fortinet.firewall.state`*:: ++ +-- +Admin login state -Google Workspace specific fields. -More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +type: keyword +-- -*`google_workspace.actor.type`*:: +*`fortinet.firewall.status`*:: + -- -The type of actor. -Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. +Status type: keyword -- -*`google_workspace.actor.key`*:: +*`fortinet.firewall.stitch`*:: + -- -Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. +Automation stitch triggered type: keyword -- -*`google_workspace.event.type`*:: +*`fortinet.firewall.subject`*:: + -- -The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +Email subject type: keyword -example: audit#activity - -- -*`google_workspace.kind`*:: +*`fortinet.firewall.submodule`*:: + -- -The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +Configuration Sub-Module Name type: keyword -example: audit#activity - -- -*`google_workspace.organization.domain`*:: +*`fortinet.firewall.subservice`*:: + -- -The domain that is affected by the report's event. +AV subservice type: keyword -- - -*`google_workspace.admin.application.edition`*:: +*`fortinet.firewall.subtype`*:: + -- -The Google Workspace edition. 
+Log subtype + type: keyword -- -*`google_workspace.admin.application.name`*:: +*`fortinet.firewall.suspicious`*:: + -- -The application's name. +Number of Suspicious MMSs -type: keyword + +type: integer -- -*`google_workspace.admin.application.enabled`*:: +*`fortinet.firewall.switchproto`*:: + -- -The enabled application. +Protocol change information + type: keyword -- -*`google_workspace.admin.application.licences_order_number`*:: +*`fortinet.firewall.sync_status`*:: + -- -Order number used to redeem licenses. +The sync status with the master + type: keyword -- -*`google_workspace.admin.application.licences_purchased`*:: +*`fortinet.firewall.sync_type`*:: + -- -Number of licences purchased. +The sync type with the master + type: keyword -- -*`google_workspace.admin.application.id`*:: +*`fortinet.firewall.sysuptime`*:: + -- -The application ID. +System uptime + type: keyword -- -*`google_workspace.admin.application.asp_id`*:: +*`fortinet.firewall.tamac`*:: + -- -The application specific password ID. +the MAC address of Transmitter, if none, then Receiver + type: keyword -- -*`google_workspace.admin.application.package_id`*:: +*`fortinet.firewall.threattype`*:: + -- -The mobile application package ID. +WIDS threat type + type: keyword -- -*`google_workspace.admin.group.email`*:: +*`fortinet.firewall.time`*:: + -- -The group's primary email address. +Time of the event + type: keyword -- -*`google_workspace.admin.new_value`*:: +*`fortinet.firewall.to`*:: + -- -The new value for the setting. +Email to field + type: keyword -- -*`google_workspace.admin.old_value`*:: +*`fortinet.firewall.to_vcluster`*:: + -- -The old value for the setting. +destination virtual cluster number -type: keyword + +type: integer -- -*`google_workspace.admin.org_unit.name`*:: +*`fortinet.firewall.total`*:: + -- -The organizational unit name. 
+Total memory -type: keyword + +type: integer -- -*`google_workspace.admin.org_unit.full`*:: +*`fortinet.firewall.totalsession`*:: + -- -The org unit full path including the root org unit name. +Total Number of Sessions -type: keyword + +type: integer -- -*`google_workspace.admin.setting.name`*:: +*`fortinet.firewall.trace_id`*:: + -- -The setting name. +Session clash trace ID + type: keyword -- -*`google_workspace.admin.user_defined_setting.name`*:: +*`fortinet.firewall.trandisp`*:: + -- -The name of the user-defined setting. +NAT translation type + type: keyword -- -*`google_workspace.admin.setting.description`*:: +*`fortinet.firewall.transid`*:: + -- -The setting name. +HTTP transaction ID -type: keyword + +type: integer -- -*`google_workspace.admin.group.priorities`*:: +*`fortinet.firewall.translationid`*:: + -- -Group priorities. +DNS filter transaltion ID + type: keyword -- -*`google_workspace.admin.domain.alias`*:: +*`fortinet.firewall.trigger`*:: + -- -The domain alias. +Automation stitch trigger + type: keyword -- -*`google_workspace.admin.domain.name`*:: +*`fortinet.firewall.trueclntip`*:: + -- -The primary domain name. +File filter true client IP -type: keyword + +type: ip -- -*`google_workspace.admin.domain.secondary_name`*:: +*`fortinet.firewall.tunnelid`*:: + -- -The secondary domain name. +IPSEC tunnel ID -type: keyword + +type: integer -- -*`google_workspace.admin.managed_configuration`*:: +*`fortinet.firewall.tunnelip`*:: + -- -The name of the managed configuration. +IPSEC tunnel IP -type: keyword + +type: ip -- -*`google_workspace.admin.non_featured_services_selection`*:: +*`fortinet.firewall.tunneltype`*:: + -- -Non-featured services selection. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED +IPSEC tunnel type type: keyword -- -*`google_workspace.admin.field`*:: +*`fortinet.firewall.type`*:: + -- -The name of the field. +Module type + type: keyword -- -*`google_workspace.admin.resource.id`*:: +*`fortinet.firewall.ui`*:: + -- -The name of the resource identifier. +Admin authentication UI type + type: keyword -- -*`google_workspace.admin.user.email`*:: +*`fortinet.firewall.unauthusersource`*:: + -- -The user's primary email address. +Unauthenticated user source + type: keyword -- -*`google_workspace.admin.user.nickname`*:: +*`fortinet.firewall.unit`*:: + -- -The user's nickname. +Power supply unit -type: keyword + +type: integer -- -*`google_workspace.admin.user.birthdate`*:: +*`fortinet.firewall.urlfilteridx`*:: + -- -The user's birth date. +URL filter ID -type: date + +type: integer -- -*`google_workspace.admin.gateway.name`*:: +*`fortinet.firewall.urlfilterlist`*:: + -- -Gateway name. Present on some chat settings. +URL filter list + type: keyword -- -*`google_workspace.admin.chrome_os.session_type`*:: +*`fortinet.firewall.urlsource`*:: + -- -Chrome OS session type. +URL filter source + type: keyword -- -*`google_workspace.admin.device.serial_number`*:: +*`fortinet.firewall.urltype`*:: + -- -Device serial number. +URL filter type + type: keyword -- -*`google_workspace.admin.device.id`*:: +*`fortinet.firewall.used`*:: + -- -type: keyword +Number of Used IPs + + +type: integer -- -*`google_workspace.admin.device.type`*:: +*`fortinet.firewall.used_for_type`*:: + -- -Device type. +Connection for the type -type: keyword + +type: integer -- -*`google_workspace.admin.print_server.name`*:: +*`fortinet.firewall.utmaction`*:: + -- -The name of the print server. 
+Security action performed by UTM + type: keyword -- -*`google_workspace.admin.printer.name`*:: +*`fortinet.firewall.utmref`*:: + -- -The name of the printer. +Reference to UTM + type: keyword -- -*`google_workspace.admin.device.command_details`*:: +*`fortinet.firewall.vap`*:: + -- -Command details. +Virtual AP + type: keyword -- -*`google_workspace.admin.role.id`*:: +*`fortinet.firewall.vapmode`*:: + -- -Unique identifier for this role privilege. +Virtual AP mode + type: keyword -- -*`google_workspace.admin.role.name`*:: +*`fortinet.firewall.vcluster`*:: + -- -The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings +virtual cluster id -type: keyword +type: integer -- -*`google_workspace.admin.privilege.name`*:: +*`fortinet.firewall.vcluster_member`*:: + -- -Privilege name. +Virtual cluster member -type: keyword + +type: integer -- -*`google_workspace.admin.service.name`*:: +*`fortinet.firewall.vcluster_state`*:: + -- -The service name. +Virtual cluster state + type: keyword -- -*`google_workspace.admin.url.name`*:: +*`fortinet.firewall.vd`*:: + -- -The website name. +Virtual Domain Name + type: keyword -- -*`google_workspace.admin.product.name`*:: +*`fortinet.firewall.vdname`*:: + -- -The product name. +Virtual Domain Name + type: keyword -- -*`google_workspace.admin.product.sku`*:: +*`fortinet.firewall.vendorurl`*:: + -- -The product SKU. +Vulnerability scan vendor name + type: keyword -- -*`google_workspace.admin.bulk_upload.failed`*:: +*`fortinet.firewall.version`*:: + -- -Number of failed records in bulk upload operation. +Version -type: long + +type: keyword -- -*`google_workspace.admin.bulk_upload.total`*:: +*`fortinet.firewall.vip`*:: + -- -Number of total records in bulk upload operation. +Virtual IP -type: long + +type: keyword -- -*`google_workspace.admin.group.allowed_list`*:: +*`fortinet.firewall.virus`*:: + -- -Names of allow-listed groups. 
+Virus name + type: keyword -- -*`google_workspace.admin.email.quarantine_name`*:: +*`fortinet.firewall.virusid`*:: + -- -The name of the quarantine. +Virus ID (unique virus identifier) -type: keyword + +type: integer -- -*`google_workspace.admin.email.log_search_filter.message_id`*:: +*`fortinet.firewall.voip_proto`*:: + -- -The log search filter's email message ID. +VOIP protocol + type: keyword -- -*`google_workspace.admin.email.log_search_filter.start_date`*:: +*`fortinet.firewall.vpn`*:: + -- -The log search filter's start date. +VPN description -type: date + +type: keyword -- -*`google_workspace.admin.email.log_search_filter.end_date`*:: +*`fortinet.firewall.vpntunnel`*:: + -- -The log search filter's ending date. +IPsec Vpn Tunnel Name -type: date + +type: keyword -- -*`google_workspace.admin.email.log_search_filter.recipient.value`*:: +*`fortinet.firewall.vpntype`*:: + -- -The log search filter's email recipient. +The type of the VPN tunnel + type: keyword -- -*`google_workspace.admin.email.log_search_filter.sender.value`*:: +*`fortinet.firewall.vrf`*:: + -- -The log search filter's email sender. +VRF number -type: keyword + +type: integer -- -*`google_workspace.admin.email.log_search_filter.recipient.ip`*:: +*`fortinet.firewall.vulncat`*:: + -- -The log search filter's email recipient's IP address. +Vulnerability Category -type: ip + +type: keyword -- -*`google_workspace.admin.email.log_search_filter.sender.ip`*:: +*`fortinet.firewall.vulnid`*:: + -- -The log search filter's email sender's IP address. +Vulnerability ID -type: ip + +type: integer -- -*`google_workspace.admin.chrome_licenses.enabled`*:: +*`fortinet.firewall.vulnname`*:: + -- -Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings +Vulnerability name type: keyword -- -*`google_workspace.admin.chrome_licenses.allowed`*:: +*`fortinet.firewall.vwlid`*:: + -- -Licences enabled. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings +VWL ID -type: keyword +type: integer -- -*`google_workspace.admin.oauth2.service.name`*:: +*`fortinet.firewall.vwlquality`*:: + -- -OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings +VWL quality type: keyword -- -*`google_workspace.admin.oauth2.application.id`*:: +*`fortinet.firewall.vwlservice`*:: + -- -OAuth2 application ID. +VWL service + type: keyword -- -*`google_workspace.admin.oauth2.application.name`*:: +*`fortinet.firewall.vwpvlanid`*:: + -- -OAuth2 application name. +VWP VLAN ID -type: keyword + +type: integer -- -*`google_workspace.admin.oauth2.application.type`*:: +*`fortinet.firewall.wanin`*:: + -- -OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings +WAN incoming traffic in bytes -type: keyword +type: long -- -*`google_workspace.admin.verification_method`*:: +*`fortinet.firewall.wanoptapptype`*:: + -- -Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings +WAN Optimization Application type type: keyword -- -*`google_workspace.admin.alert.name`*:: +*`fortinet.firewall.wanout`*:: + -- -The alert name. +WAN outgoing traffic in bytes -type: keyword + +type: long -- -*`google_workspace.admin.rule.name`*:: +*`fortinet.firewall.weakwepiv`*:: + -- -The rule name. +Weak Wep Initiation Vector + type: keyword -- -*`google_workspace.admin.api.client.name`*:: +*`fortinet.firewall.xauthgroup`*:: + -- -The API client name. 
+XAuth Group Name + type: keyword -- -*`google_workspace.admin.api.scopes`*:: +*`fortinet.firewall.xauthuser`*:: + -- -The API scopes. +XAuth User Name + type: keyword -- -*`google_workspace.admin.mdm.token`*:: +*`fortinet.firewall.xid`*:: + -- -The MDM vendor enrollment token. +Wireless X ID -type: keyword + +type: integer -- -*`google_workspace.admin.mdm.vendor`*:: +[[exported-fields-gcp]] +== Google Cloud Platform (GCP) fields + +Module for handling logs from Google Cloud. + + + +[float] +=== gcp + +Fields from Google Cloud logs. + + + +[float] +=== destination.instance + +If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. + + + +*`gcp.destination.instance.project_id`*:: + -- -The MDM vendor's name. +ID of the project containing the VM. + type: keyword -- -*`google_workspace.admin.info_type`*:: +*`gcp.destination.instance.region`*:: + -- -This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings +Region of the VM. type: keyword -- -*`google_workspace.admin.email_monitor.dest_email`*:: +*`gcp.destination.instance.zone`*:: + -- -The destination address of the email monitor. +Zone of the VM. + type: keyword -- -*`google_workspace.admin.email_monitor.level.chat`*:: -+ --- -The chat email monitor level. +[float] +=== destination.vpc -type: keyword +If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. --- -*`google_workspace.admin.email_monitor.level.draft`*:: + +*`gcp.destination.vpc.project_id`*:: + -- -The draft email monitor level. +ID of the project containing the VM. 
+ type: keyword -- -*`google_workspace.admin.email_monitor.level.incoming`*:: +*`gcp.destination.vpc.vpc_name`*:: + -- -The incoming email monitor level. +VPC on which the VM is operating. + type: keyword -- -*`google_workspace.admin.email_monitor.level.outgoing`*:: +*`gcp.destination.vpc.subnetwork_name`*:: + -- -The outgoing email monitor level. +Subnetwork on which the VM is operating. + type: keyword -- -*`google_workspace.admin.email_dump.include_deleted`*:: -+ --- -Indicates if deleted emails are included in the export. +[float] +=== source.instance -type: boolean +If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. --- -*`google_workspace.admin.email_dump.package_content`*:: + +*`gcp.source.instance.project_id`*:: + -- -The contents of the mailbox package. +ID of the project containing the VM. + type: keyword -- -*`google_workspace.admin.email_dump.query`*:: +*`gcp.source.instance.region`*:: + -- -The search query used for the dump. +Region of the VM. + type: keyword -- -*`google_workspace.admin.request.id`*:: +*`gcp.source.instance.zone`*:: + -- -The request ID. +Zone of the VM. + type: keyword -- -*`google_workspace.admin.mobile.action.id`*:: -+ --- -The mobile device action's ID. +[float] +=== source.vpc -type: keyword +If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. --- -*`google_workspace.admin.mobile.action.type`*:: + +*`gcp.source.vpc.project_id`*:: + -- -The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings +ID of the project containing the VM. 
type: keyword -- -*`google_workspace.admin.mobile.certificate.name`*:: +*`gcp.source.vpc.vpc_name`*:: + -- -The mobile certificate common name. +VPC on which the VM is operating. + type: keyword -- -*`google_workspace.admin.mobile.company_owned_devices`*:: +*`gcp.source.vpc.subnetwork_name`*:: + -- -The number of devices a company owns. +Subnetwork on which the VM is operating. -type: long --- +type: keyword -*`google_workspace.admin.distribution.entity.name`*:: -+ -- -The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings +[float] +=== audit -type: keyword +Fields for Google Cloud audit logs. --- -*`google_workspace.admin.distribution.entity.type`*:: + +*`gcp.audit.type`*:: + -- -The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings +Type property. type: keyword -- +[float] +=== authentication_info -*`google_workspace.drive.billable`*:: -+ --- -Whether this activity is billable. +Authentication information. -type: boolean --- -*`google_workspace.drive.source_folder_id`*:: +*`gcp.audit.authentication_info.principal_email`*:: + -- -type: keyword +The email address of the authenticated user making the request. --- -*`google_workspace.drive.source_folder_title`*:: -+ --- type: keyword -- -*`google_workspace.drive.destination_folder_id`*:: +*`gcp.audit.authentication_info.authority_selector`*:: + -- -type: keyword +The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. --- -*`google_workspace.drive.destination_folder_title`*:: -+ --- type: keyword -- -*`google_workspace.drive.file.id`*:: +*`gcp.audit.authorization_info`*:: + -- -type: keyword +Authorization information for the operation. 
+ + +type: array -- -*`google_workspace.drive.file.type`*:: +*`gcp.audit.method_name`*:: + -- -Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive +The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. type: keyword -- -*`google_workspace.drive.originating_app_id`*:: +*`gcp.audit.num_response_items`*:: + -- -The Google Cloud Project ID of the application that performed the action. +The number of items returned from a List or Query API method, if applicable. -type: keyword +type: long -- -*`google_workspace.drive.file.owner.email`*:: -+ --- -type: keyword +[float] +=== request --- +The operation request. -*`google_workspace.drive.file.owner.is_shared_drive`*:: + + +*`gcp.audit.request.proto_name`*:: + -- -Boolean flag denoting whether owner is a shared drive. +Type property of the request. -type: boolean +type: keyword -- -*`google_workspace.drive.primary_event`*:: +*`gcp.audit.request.filter`*:: + -- -Whether this is a primary event. A single user action in Drive may generate several events. +Filter of the request. -type: boolean +type: keyword -- -*`google_workspace.drive.shared_drive_id`*:: +*`gcp.audit.request.name`*:: + -- -The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. +Name of the request. type: keyword -- -*`google_workspace.drive.visibility`*:: +*`gcp.audit.request.resource_name`*:: + -- -Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive +Name of the request resource. type: keyword -- -*`google_workspace.drive.new_value`*:: -+ --- -When a setting or property of the file changes, the new value for it will appear here. +[float] +=== request_metadata +Metadata about the request. 
-type: keyword --- -*`google_workspace.drive.old_value`*:: +*`gcp.audit.request_metadata.caller_ip`*:: + -- -When a setting or property of the file changes, the old value for it will appear here. +The IP address of the caller. -type: keyword +type: ip -- -*`google_workspace.drive.sheets_import_range_recipient_doc`*:: +*`gcp.audit.request_metadata.caller_supplied_user_agent`*:: + -- -Doc ID of the recipient of a sheets import range. +The user agent of the caller. This information is not authenticated and should be treated accordingly. + type: keyword -- -*`google_workspace.drive.old_visibility`*:: -+ --- -When visibility changes, this holds the old value. +[float] +=== response +The operation response. -type: keyword --- -*`google_workspace.drive.visibility_change`*:: +*`gcp.audit.response.proto_name`*:: + -- -When visibility changes, this holds the new overall visibility of the file. +Type property of the response. type: keyword -- -*`google_workspace.drive.target_domain`*:: -+ --- -The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. +[float] +=== details +The details of the response. -type: keyword --- -*`google_workspace.drive.added_role`*:: +*`gcp.audit.response.details.group`*:: + -- -Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive +The name of the group. type: keyword -- -*`google_workspace.drive.membership_change_type`*:: +*`gcp.audit.response.details.kind`*:: + -- -Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive +The kind of the response details. 
type: keyword -- -*`google_workspace.drive.shared_drive_settings_change_type`*:: +*`gcp.audit.response.details.name`*:: + -- -Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive +The name of the response details. type: keyword -- -*`google_workspace.drive.removed_role`*:: +*`gcp.audit.response.details.uid`*:: + -- -Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive +The uid of the response details. type: keyword -- -*`google_workspace.drive.target`*:: +*`gcp.audit.response.status`*:: + -- -Target user or group. +Status of the response. + type: keyword -- - -*`google_workspace.groups.acl_permission`*:: +*`gcp.audit.resource_name`*:: + -- -Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. type: keyword -- -*`google_workspace.groups.email`*:: -+ --- -Group email. +[float] +=== resource_location +The location of the resource. -type: keyword --- -*`google_workspace.groups.member.email`*:: +*`gcp.audit.resource_location.current_locations`*:: + -- -Member email. +Current locations of the resource. type: keyword -- -*`google_workspace.groups.member.role`*:: +*`gcp.audit.service_name`*:: + -- -Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +The name of the API service performing the operation. For example, datastore.googleapis.com. type: keyword -- -*`google_workspace.groups.setting`*:: -+ --- -Group setting updated. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +[float] +=== status +The status of the overall operation. -type: keyword --- -*`google_workspace.groups.new_value`*:: +*`gcp.audit.status.code`*:: + -- -New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +The status code, which should be an enum value of google.rpc.Code. -type: keyword +type: integer -- -*`google_workspace.groups.old_value`*:: +*`gcp.audit.status.message`*:: + -- -Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + type: keyword -- -*`google_workspace.groups.value`*:: -+ --- -Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +[float] +=== firewall +Fields for Google Cloud Firewall logs. -type: keyword --- -*`google_workspace.groups.message.id`*:: -+ --- -SMTP message Id of an email message. Present for moderation events. +[float] +=== rule_details +Description of the firewall rule that matched this connection. -type: keyword --- -*`google_workspace.groups.message.moderation_action`*:: +*`gcp.firewall.rule_details.priority`*:: + -- -Message moderation action. Possible values are `approved` and `rejected`. - +The priority for the firewall rule. -type: keyword +type: long -- -*`google_workspace.groups.status`*:: +*`gcp.firewall.rule_details.action`*:: + -- -A status describing the output of an operation. Possible values are `failed` and `succeeded`. - +Action that the rule performs on match. 
type: keyword -- - -*`google_workspace.login.affected_email_address`*:: +*`gcp.firewall.rule_details.direction`*:: + -- +Direction of traffic that matches this rule. + type: keyword -- -*`google_workspace.login.challenge_method`*:: +*`gcp.firewall.rule_details.reference`*:: + -- -Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - +Reference to the firewall rule. type: keyword -- -*`google_workspace.login.failure_type`*:: +*`gcp.firewall.rule_details.source_range`*:: + -- -Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - +List of source ranges that the firewall rule applies to. type: keyword -- -*`google_workspace.login.type`*:: +*`gcp.firewall.rule_details.destination_range`*:: + -- -Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - +List of destination ranges that the firewall applies to. type: keyword -- -*`google_workspace.login.is_second_factor`*:: +*`gcp.firewall.rule_details.source_tag`*:: + -- -type: boolean +List of all the source tags that the firewall rule applies to. --- -*`google_workspace.login.is_suspicious`*:: -+ --- -type: boolean +type: keyword -- - -*`google_workspace.saml.application_name`*:: +*`gcp.firewall.rule_details.target_tag`*:: + -- -Saml SP application name. +List of all the target tags that the firewall rule applies to. type: keyword -- -*`google_workspace.saml.failure_type`*:: +*`gcp.firewall.rule_details.ip_port_info`*:: + -- -Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. +List of ip protocols and applicable port ranges for rules. 
-type: keyword +type: array -- -*`google_workspace.saml.initiated_by`*:: +*`gcp.firewall.rule_details.source_service_account`*:: + -- -Requester of SAML authentication. +List of all the source service accounts that the firewall rule applies to. type: keyword -- -*`google_workspace.saml.orgunit_path`*:: +*`gcp.firewall.rule_details.target_service_account`*:: + -- -User orgunit. +List of all the target service accounts that the firewall rule applies to. type: keyword -- -*`google_workspace.saml.status_code`*:: +[float] +=== vpcflow + +Fields for Google Cloud VPC flow logs. + + + +*`gcp.vpcflow.reporter`*:: + -- -SAML status code. +The side which reported the flow. Can be either 'SRC' or 'DEST'. type: keyword -- -*`google_workspace.saml.second_level_status_code`*:: +*`gcp.vpcflow.rtt.ms`*:: + -- -SAML second level status code. +Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. -type: keyword +type: long -- -[[exported-fields-gsuite]] -== gsuite fields +[[exported-fields-google_workspace]] +== google_workspace fields -gsuite Module +Google Workspace Module [float] -=== gsuite +=== google_workspace -Gsuite specific fields. +Google Workspace specific fields. More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list -*`gsuite.actor.type`*:: +*`google_workspace.actor.type`*:: + -- The type of actor. @@ -72073,7 +65149,7 @@ type: keyword -- -*`gsuite.actor.key`*:: +*`google_workspace.actor.key`*:: + -- Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. 
@@ -72083,10 +65159,10 @@ type: keyword -- -*`gsuite.event.type`*:: +*`google_workspace.event.type`*:: + -- -The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list type: keyword @@ -72095,7 +65171,7 @@ example: audit#activity -- -*`gsuite.kind`*:: +*`google_workspace.kind`*:: + -- The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list @@ -72107,7 +65183,7 @@ example: audit#activity -- -*`gsuite.organization.domain`*:: +*`google_workspace.organization.domain`*:: + -- The domain that is affected by the report's event. @@ -72118,16 +65194,16 @@ type: keyword -- -*`gsuite.admin.application.edition`*:: +*`google_workspace.admin.application.edition`*:: + -- -The GSuite edition. +The Google Workspace edition. type: keyword -- -*`gsuite.admin.application.name`*:: +*`google_workspace.admin.application.name`*:: + -- The application's name. @@ -72136,7 +65212,7 @@ type: keyword -- -*`gsuite.admin.application.enabled`*:: +*`google_workspace.admin.application.enabled`*:: + -- The enabled application. @@ -72145,7 +65221,7 @@ type: keyword -- -*`gsuite.admin.application.licences_order_number`*:: +*`google_workspace.admin.application.licences_order_number`*:: + -- Order number used to redeem licenses. @@ -72154,7 +65230,7 @@ type: keyword -- -*`gsuite.admin.application.licences_purchased`*:: +*`google_workspace.admin.application.licences_purchased`*:: + -- Number of licences purchased. 
@@ -72163,7 +65239,7 @@ type: keyword -- -*`gsuite.admin.application.id`*:: +*`google_workspace.admin.application.id`*:: + -- The application ID. @@ -72172,7 +65248,7 @@ type: keyword -- -*`gsuite.admin.application.asp_id`*:: +*`google_workspace.admin.application.asp_id`*:: + -- The application specific password ID. @@ -72181,7 +65257,7 @@ type: keyword -- -*`gsuite.admin.application.package_id`*:: +*`google_workspace.admin.application.package_id`*:: + -- The mobile application package ID. @@ -72190,7 +65266,7 @@ type: keyword -- -*`gsuite.admin.group.email`*:: +*`google_workspace.admin.group.email`*:: + -- The group's primary email address. @@ -72199,7 +65275,7 @@ type: keyword -- -*`gsuite.admin.new_value`*:: +*`google_workspace.admin.new_value`*:: + -- The new value for the setting. @@ -72208,7 +65284,7 @@ type: keyword -- -*`gsuite.admin.old_value`*:: +*`google_workspace.admin.old_value`*:: + -- The old value for the setting. @@ -72217,7 +65293,7 @@ type: keyword -- -*`gsuite.admin.org_unit.name`*:: +*`google_workspace.admin.org_unit.name`*:: + -- The organizational unit name. @@ -72226,7 +65302,7 @@ type: keyword -- -*`gsuite.admin.org_unit.full`*:: +*`google_workspace.admin.org_unit.full`*:: + -- The org unit full path including the root org unit name. @@ -72235,7 +65311,7 @@ type: keyword -- -*`gsuite.admin.setting.name`*:: +*`google_workspace.admin.setting.name`*:: + -- The setting name. @@ -72244,7 +65320,7 @@ type: keyword -- -*`gsuite.admin.user_defined_setting.name`*:: +*`google_workspace.admin.user_defined_setting.name`*:: + -- The name of the user-defined setting. @@ -72253,7 +65329,7 @@ type: keyword -- -*`gsuite.admin.setting.description`*:: +*`google_workspace.admin.setting.description`*:: + -- The setting name. @@ -72262,7 +65338,7 @@ type: keyword -- -*`gsuite.admin.group.priorities`*:: +*`google_workspace.admin.group.priorities`*:: + -- Group priorities. 
@@ -72271,7 +65347,7 @@ type: keyword -- -*`gsuite.admin.domain.alias`*:: +*`google_workspace.admin.domain.alias`*:: + -- The domain alias. @@ -72280,7 +65356,7 @@ type: keyword -- -*`gsuite.admin.domain.name`*:: +*`google_workspace.admin.domain.name`*:: + -- The primary domain name. @@ -72289,7 +65365,7 @@ type: keyword -- -*`gsuite.admin.domain.secondary_name`*:: +*`google_workspace.admin.domain.secondary_name`*:: + -- The secondary domain name. @@ -72298,7 +65374,7 @@ type: keyword -- -*`gsuite.admin.managed_configuration`*:: +*`google_workspace.admin.managed_configuration`*:: + -- The name of the managed configuration. @@ -72307,7 +65383,7 @@ type: keyword -- -*`gsuite.admin.non_featured_services_selection`*:: +*`google_workspace.admin.non_featured_services_selection`*:: + -- Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED @@ -72317,7 +65393,7 @@ type: keyword -- -*`gsuite.admin.field`*:: +*`google_workspace.admin.field`*:: + -- The name of the field. @@ -72326,7 +65402,7 @@ type: keyword -- -*`gsuite.admin.resource.id`*:: +*`google_workspace.admin.resource.id`*:: + -- The name of the resource identifier. @@ -72335,7 +65411,7 @@ type: keyword -- -*`gsuite.admin.user.email`*:: +*`google_workspace.admin.user.email`*:: + -- The user's primary email address. @@ -72344,7 +65420,7 @@ type: keyword -- -*`gsuite.admin.user.nickname`*:: +*`google_workspace.admin.user.nickname`*:: + -- The user's nickname. @@ -72353,7 +65429,7 @@ type: keyword -- -*`gsuite.admin.user.birthdate`*:: +*`google_workspace.admin.user.birthdate`*:: + -- The user's birth date. @@ -72362,7 +65438,7 @@ type: date -- -*`gsuite.admin.gateway.name`*:: +*`google_workspace.admin.gateway.name`*:: + -- Gateway name. Present on some chat settings. 
@@ -72371,7 +65447,7 @@ type: keyword -- -*`gsuite.admin.chrome_os.session_type`*:: +*`google_workspace.admin.chrome_os.session_type`*:: + -- Chrome OS session type. @@ -72380,7 +65456,7 @@ type: keyword -- -*`gsuite.admin.device.serial_number`*:: +*`google_workspace.admin.device.serial_number`*:: + -- Device serial number. @@ -72389,14 +65465,14 @@ type: keyword -- -*`gsuite.admin.device.id`*:: +*`google_workspace.admin.device.id`*:: + -- type: keyword -- -*`gsuite.admin.device.type`*:: +*`google_workspace.admin.device.type`*:: + -- Device type. @@ -72405,7 +65481,7 @@ type: keyword -- -*`gsuite.admin.print_server.name`*:: +*`google_workspace.admin.print_server.name`*:: + -- The name of the print server. @@ -72414,7 +65490,7 @@ type: keyword -- -*`gsuite.admin.printer.name`*:: +*`google_workspace.admin.printer.name`*:: + -- The name of the printer. @@ -72423,7 +65499,7 @@ type: keyword -- -*`gsuite.admin.device.command_details`*:: +*`google_workspace.admin.device.command_details`*:: + -- Command details. @@ -72432,7 +65508,7 @@ type: keyword -- -*`gsuite.admin.role.id`*:: +*`google_workspace.admin.role.id`*:: + -- Unique identifier for this role privilege. @@ -72441,7 +65517,7 @@ type: keyword -- -*`gsuite.admin.role.name`*:: +*`google_workspace.admin.role.name`*:: + -- The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings @@ -72451,7 +65527,7 @@ type: keyword -- -*`gsuite.admin.privilege.name`*:: +*`google_workspace.admin.privilege.name`*:: + -- Privilege name. @@ -72460,7 +65536,7 @@ type: keyword -- -*`gsuite.admin.service.name`*:: +*`google_workspace.admin.service.name`*:: + -- The service name. @@ -72469,7 +65545,7 @@ type: keyword -- -*`gsuite.admin.url.name`*:: +*`google_workspace.admin.url.name`*:: + -- The website name. @@ -72478,7 +65554,7 @@ type: keyword -- -*`gsuite.admin.product.name`*:: +*`google_workspace.admin.product.name`*:: + -- The product name. 
@@ -72487,7 +65563,7 @@ type: keyword -- -*`gsuite.admin.product.sku`*:: +*`google_workspace.admin.product.sku`*:: + -- The product SKU. @@ -72496,7 +65572,7 @@ type: keyword -- -*`gsuite.admin.bulk_upload.failed`*:: +*`google_workspace.admin.bulk_upload.failed`*:: + -- Number of failed records in bulk upload operation. @@ -72505,7 +65581,7 @@ type: long -- -*`gsuite.admin.bulk_upload.total`*:: +*`google_workspace.admin.bulk_upload.total`*:: + -- Number of total records in bulk upload operation. @@ -72514,7 +65590,7 @@ type: long -- -*`gsuite.admin.group.allowed_list`*:: +*`google_workspace.admin.group.allowed_list`*:: + -- Names of allow-listed groups. @@ -72523,7 +65599,7 @@ type: keyword -- -*`gsuite.admin.email.quarantine_name`*:: +*`google_workspace.admin.email.quarantine_name`*:: + -- The name of the quarantine. @@ -72532,7 +65608,7 @@ type: keyword -- -*`gsuite.admin.email.log_search_filter.message_id`*:: +*`google_workspace.admin.email.log_search_filter.message_id`*:: + -- The log search filter's email message ID. @@ -72541,7 +65617,7 @@ type: keyword -- -*`gsuite.admin.email.log_search_filter.start_date`*:: +*`google_workspace.admin.email.log_search_filter.start_date`*:: + -- The log search filter's start date. @@ -72550,7 +65626,7 @@ type: date -- -*`gsuite.admin.email.log_search_filter.end_date`*:: +*`google_workspace.admin.email.log_search_filter.end_date`*:: + -- The log search filter's ending date. @@ -72559,7 +65635,7 @@ type: date -- -*`gsuite.admin.email.log_search_filter.recipient.value`*:: +*`google_workspace.admin.email.log_search_filter.recipient.value`*:: + -- The log search filter's email recipient. @@ -72568,7 +65644,7 @@ type: keyword -- -*`gsuite.admin.email.log_search_filter.sender.value`*:: +*`google_workspace.admin.email.log_search_filter.sender.value`*:: + -- The log search filter's email sender. 
@@ -72577,7 +65653,7 @@ type: keyword -- -*`gsuite.admin.email.log_search_filter.recipient.ip`*:: +*`google_workspace.admin.email.log_search_filter.recipient.ip`*:: + -- The log search filter's email recipient's IP address. @@ -72586,7 +65662,7 @@ type: ip -- -*`gsuite.admin.email.log_search_filter.sender.ip`*:: +*`google_workspace.admin.email.log_search_filter.sender.ip`*:: + -- The log search filter's email sender's IP address. @@ -72595,7 +65671,7 @@ type: ip -- -*`gsuite.admin.chrome_licenses.enabled`*:: +*`google_workspace.admin.chrome_licenses.enabled`*:: + -- Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings @@ -72605,7 +65681,7 @@ type: keyword -- -*`gsuite.admin.chrome_licenses.allowed`*:: +*`google_workspace.admin.chrome_licenses.allowed`*:: + -- Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings @@ -72615,7 +65691,7 @@ type: keyword -- -*`gsuite.admin.oauth2.service.name`*:: +*`google_workspace.admin.oauth2.service.name`*:: + -- OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings @@ -72625,7 +65701,7 @@ type: keyword -- -*`gsuite.admin.oauth2.application.id`*:: +*`google_workspace.admin.oauth2.application.id`*:: + -- OAuth2 application ID. @@ -72634,7 +65710,7 @@ type: keyword -- -*`gsuite.admin.oauth2.application.name`*:: +*`google_workspace.admin.oauth2.application.name`*:: + -- OAuth2 application name. @@ -72643,7 +65719,7 @@ type: keyword -- -*`gsuite.admin.oauth2.application.type`*:: +*`google_workspace.admin.oauth2.application.type`*:: + -- OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings 
@@ -72653,7 +65729,7 @@ type: keyword -- -*`gsuite.admin.verification_method`*:: +*`google_workspace.admin.verification_method`*:: + -- Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings @@ -72663,7 +65739,7 @@ type: keyword -- -*`gsuite.admin.alert.name`*:: +*`google_workspace.admin.alert.name`*:: + -- The alert name. @@ -72672,7 +65748,7 @@ type: keyword -- -*`gsuite.admin.rule.name`*:: +*`google_workspace.admin.rule.name`*:: + -- The rule name. @@ -72681,7 +65757,7 @@ type: keyword -- -*`gsuite.admin.api.client.name`*:: +*`google_workspace.admin.api.client.name`*:: + -- The API client name. @@ -72690,7 +65766,7 @@ type: keyword -- -*`gsuite.admin.api.scopes`*:: +*`google_workspace.admin.api.scopes`*:: + -- The API scopes. @@ -72699,7 +65775,7 @@ type: keyword -- -*`gsuite.admin.mdm.token`*:: +*`google_workspace.admin.mdm.token`*:: + -- The MDM vendor enrollment token. @@ -72708,7 +65784,7 @@ type: keyword -- -*`gsuite.admin.mdm.vendor`*:: +*`google_workspace.admin.mdm.vendor`*:: + -- The MDM vendor's name. @@ -72717,7 +65793,7 @@ type: keyword -- -*`gsuite.admin.info_type`*:: +*`google_workspace.admin.info_type`*:: + -- This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings @@ -72727,7 +65803,7 @@ type: keyword -- -*`gsuite.admin.email_monitor.dest_email`*:: +*`google_workspace.admin.email_monitor.dest_email`*:: + -- The destination address of the email monitor. @@ -72736,7 +65812,7 @@ type: keyword -- -*`gsuite.admin.email_monitor.level.chat`*:: +*`google_workspace.admin.email_monitor.level.chat`*:: + -- The chat email monitor level. 
@@ -72745,7 +65821,7 @@ type: keyword -- -*`gsuite.admin.email_monitor.level.draft`*:: +*`google_workspace.admin.email_monitor.level.draft`*:: + -- The draft email monitor level. @@ -72754,7 +65830,7 @@ type: keyword -- -*`gsuite.admin.email_monitor.level.incoming`*:: +*`google_workspace.admin.email_monitor.level.incoming`*:: + -- The incoming email monitor level. @@ -72763,7 +65839,7 @@ type: keyword -- -*`gsuite.admin.email_monitor.level.outgoing`*:: +*`google_workspace.admin.email_monitor.level.outgoing`*:: + -- The outgoing email monitor level. @@ -72772,7 +65848,7 @@ type: keyword -- -*`gsuite.admin.email_dump.include_deleted`*:: +*`google_workspace.admin.email_dump.include_deleted`*:: + -- Indicates if deleted emails are included in the export. @@ -72781,7 +65857,7 @@ type: boolean -- -*`gsuite.admin.email_dump.package_content`*:: +*`google_workspace.admin.email_dump.package_content`*:: + -- The contents of the mailbox package. @@ -72790,7 +65866,7 @@ type: keyword -- -*`gsuite.admin.email_dump.query`*:: +*`google_workspace.admin.email_dump.query`*:: + -- The search query used for the dump. @@ -72799,7 +65875,7 @@ type: keyword -- -*`gsuite.admin.request.id`*:: +*`google_workspace.admin.request.id`*:: + -- The request ID. @@ -72808,7 +65884,7 @@ type: keyword -- -*`gsuite.admin.mobile.action.id`*:: +*`google_workspace.admin.mobile.action.id`*:: + -- The mobile device action's ID. @@ -72817,7 +65893,7 @@ type: keyword -- -*`gsuite.admin.mobile.action.type`*:: +*`google_workspace.admin.mobile.action.type`*:: + -- The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings @@ -72827,7 +65903,7 @@ type: keyword -- -*`gsuite.admin.mobile.certificate.name`*:: +*`google_workspace.admin.mobile.certificate.name`*:: + -- The mobile certificate common name. 
@@ -72836,7 +65912,7 @@ type: keyword -- -*`gsuite.admin.mobile.company_owned_devices`*:: +*`google_workspace.admin.mobile.company_owned_devices`*:: + -- The number of devices a company owns. @@ -72845,7 +65921,7 @@ type: long -- -*`gsuite.admin.distribution.entity.name`*:: +*`google_workspace.admin.distribution.entity.name`*:: + -- The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings @@ -72855,7 +65931,7 @@ type: keyword -- -*`gsuite.admin.distribution.entity.type`*:: +*`google_workspace.admin.distribution.entity.type`*:: + -- The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings @@ -72866,7 +65942,7 @@ type: keyword -- -*`gsuite.drive.billable`*:: +*`google_workspace.drive.billable`*:: + -- Whether this activity is billable. @@ -72875,42 +65951,42 @@ type: boolean -- -*`gsuite.drive.source_folder_id`*:: +*`google_workspace.drive.source_folder_id`*:: + -- type: keyword -- -*`gsuite.drive.source_folder_title`*:: +*`google_workspace.drive.source_folder_title`*:: + -- type: keyword -- -*`gsuite.drive.destination_folder_id`*:: +*`google_workspace.drive.destination_folder_id`*:: + -- type: keyword -- -*`gsuite.drive.destination_folder_title`*:: +*`google_workspace.drive.destination_folder_title`*:: + -- type: keyword -- -*`gsuite.drive.file.id`*:: +*`google_workspace.drive.file.id`*:: + -- type: keyword -- -*`gsuite.drive.file.type`*:: +*`google_workspace.drive.file.type`*:: + -- Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive 
@@ -72920,7 +65996,7 @@ type: keyword -- -*`gsuite.drive.originating_app_id`*:: +*`google_workspace.drive.originating_app_id`*:: + -- The Google Cloud Project ID of the application that performed the action. @@ -72930,14 +66006,14 @@ type: keyword -- -*`gsuite.drive.file.owner.email`*:: +*`google_workspace.drive.file.owner.email`*:: + -- type: keyword -- -*`gsuite.drive.file.owner.is_shared_drive`*:: +*`google_workspace.drive.file.owner.is_shared_drive`*:: + -- Boolean flag denoting whether owner is a shared drive. @@ -72947,7 +66023,7 @@ type: boolean -- -*`gsuite.drive.primary_event`*:: +*`google_workspace.drive.primary_event`*:: + -- Whether this is a primary event. A single user action in Drive may generate several events. @@ -72957,7 +66033,7 @@ type: boolean -- -*`gsuite.drive.shared_drive_id`*:: +*`google_workspace.drive.shared_drive_id`*:: + -- The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. @@ -72967,7 +66043,7 @@ type: keyword -- -*`gsuite.drive.visibility`*:: +*`google_workspace.drive.visibility`*:: + -- Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive @@ -72977,7 +66053,7 @@ type: keyword -- -*`gsuite.drive.new_value`*:: +*`google_workspace.drive.new_value`*:: + -- When a setting or property of the file changes, the new value for it will appear here. @@ -72987,7 +66063,7 @@ type: keyword -- -*`gsuite.drive.old_value`*:: +*`google_workspace.drive.old_value`*:: + -- When a setting or property of the file changes, the old value for it will appear here. @@ -72997,7 +66073,7 @@ type: keyword -- -*`gsuite.drive.sheets_import_range_recipient_doc`*:: +*`google_workspace.drive.sheets_import_range_recipient_doc`*:: + -- Doc ID of the recipient of a sheets import range. 
@@ -73006,7 +66082,7 @@ type: keyword -- -*`gsuite.drive.old_visibility`*:: +*`google_workspace.drive.old_visibility`*:: + -- When visibility changes, this holds the old value. @@ -73016,7 +66092,7 @@ type: keyword -- -*`gsuite.drive.visibility_change`*:: +*`google_workspace.drive.visibility_change`*:: + -- When visibility changes, this holds the new overall visibility of the file. @@ -73026,7 +66102,7 @@ type: keyword -- -*`gsuite.drive.target_domain`*:: +*`google_workspace.drive.target_domain`*:: + -- The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. @@ -73036,7 +66112,7 @@ type: keyword -- -*`gsuite.drive.added_role`*:: +*`google_workspace.drive.added_role`*:: + -- Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive @@ -73046,7 +66122,7 @@ type: keyword -- -*`gsuite.drive.membership_change_type`*:: +*`google_workspace.drive.membership_change_type`*:: + -- Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive @@ -73056,7 +66132,7 @@ type: keyword -- -*`gsuite.drive.shared_drive_settings_change_type`*:: +*`google_workspace.drive.shared_drive_settings_change_type`*:: + -- Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive @@ -73066,7 +66142,7 @@ type: keyword -- -*`gsuite.drive.removed_role`*:: +*`google_workspace.drive.removed_role`*:: + -- Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive 
@@ -73076,7 +66152,7 @@ type: keyword -- -*`gsuite.drive.target`*:: +*`google_workspace.drive.target`*:: + -- Target user or group. @@ -73086,7 +66162,7 @@ type: keyword -- -*`gsuite.groups.acl_permission`*:: +*`google_workspace.groups.acl_permission`*:: + -- Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -73096,7 +66172,7 @@ type: keyword -- -*`gsuite.groups.email`*:: +*`google_workspace.groups.email`*:: + -- Group email. @@ -73106,7 +66182,7 @@ type: keyword -- -*`gsuite.groups.member.email`*:: +*`google_workspace.groups.member.email`*:: + -- Member email. @@ -73116,7 +66192,7 @@ type: keyword -- -*`gsuite.groups.member.role`*:: +*`google_workspace.groups.member.role`*:: + -- Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -73126,7 +66202,7 @@ type: keyword -- -*`gsuite.groups.setting`*:: +*`google_workspace.groups.setting`*:: + -- Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -73136,7 +66212,7 @@ type: keyword -- -*`gsuite.groups.new_value`*:: +*`google_workspace.groups.new_value`*:: + -- New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -73146,7 +66222,7 @@ type: keyword -- -*`gsuite.groups.old_value`*:: +*`google_workspace.groups.old_value`*:: + -- Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -73155,7 +66231,7 @@ type: keyword -- -*`gsuite.groups.value`*:: +*`google_workspace.groups.value`*:: + -- Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups 
@@ -73165,7 +66241,7 @@ type: keyword -- -*`gsuite.groups.message.id`*:: +*`google_workspace.groups.message.id`*:: + -- SMTP message Id of an email message. Present for moderation events. @@ -73175,7 +66251,7 @@ type: keyword -- -*`gsuite.groups.message.moderation_action`*:: +*`google_workspace.groups.message.moderation_action`*:: + -- Message moderation action. Possible values are `approved` and `rejected`. @@ -73185,7 +66261,7 @@ type: keyword -- -*`gsuite.groups.status`*:: +*`google_workspace.groups.status`*:: + -- A status describing the output of an operation. Possible values are `failed` and `succeeded`. @@ -73196,14 +66272,14 @@ type: keyword -- -*`gsuite.login.affected_email_address`*:: +*`google_workspace.login.affected_email_address`*:: + -- type: keyword -- -*`gsuite.login.challenge_method`*:: +*`google_workspace.login.challenge_method`*:: + -- Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. @@ -73213,7 +66289,7 @@ type: keyword -- -*`gsuite.login.failure_type`*:: +*`google_workspace.login.failure_type`*:: + -- Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. @@ -73223,7 +66299,7 @@ type: keyword -- -*`gsuite.login.type`*:: +*`google_workspace.login.type`*:: + -- Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. @@ -73233,14 +66309,14 @@ type: keyword -- -*`gsuite.login.is_second_factor`*:: +*`google_workspace.login.is_second_factor`*:: + -- type: boolean -- -*`gsuite.login.is_suspicious`*:: +*`google_workspace.login.is_suspicious`*:: + -- type: boolean @@ -73248,7 +66324,7 @@ type: boolean -- -*`gsuite.saml.application_name`*:: +*`google_workspace.saml.application_name`*:: + -- Saml SP application name. 
@@ -73258,7 +66334,7 @@ type: keyword -- -*`gsuite.saml.failure_type`*:: +*`google_workspace.saml.failure_type`*:: + -- Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. @@ -73268,7 +66344,7 @@ type: keyword -- -*`gsuite.saml.initiated_by`*:: +*`google_workspace.saml.initiated_by`*:: + -- Requester of SAML authentication. @@ -73278,7 +66354,7 @@ type: keyword -- -*`gsuite.saml.orgunit_path`*:: +*`google_workspace.saml.orgunit_path`*:: + -- User orgunit. @@ -73288,7 +66364,7 @@ type: keyword -- -*`gsuite.saml.status_code`*:: +*`google_workspace.saml.status_code`*:: + -- SAML status code. @@ -73298,7 +66374,7 @@ type: keyword -- -*`gsuite.saml.second_level_status_code`*:: +*`google_workspace.saml.second_level_status_code`*:: + -- SAML second level status code. diff --git a/filebeat/docs/filebeat-modules-options.asciidoc b/filebeat/docs/filebeat-modules-options.asciidoc index 643f964080d..80b87e14f12 100644 --- a/filebeat/docs/filebeat-modules-options.asciidoc +++ b/filebeat/docs/filebeat-modules-options.asciidoc @@ -75,8 +75,12 @@ The following example shows a configuration that runs the `nginx`,`mysql`, and ---- {beatname_lc}.modules: - module: nginx + access: + error: - module: mysql + slowlog: - module: system + auth: ---- [[advanced-settings]] diff --git a/filebeat/docs/filebeat-options.asciidoc b/filebeat/docs/filebeat-options.asciidoc index 2e609307e67..ec8d8ef2faf 100644 --- a/filebeat/docs/filebeat-options.asciidoc +++ b/filebeat/docs/filebeat-options.asciidoc @@ -72,6 +72,7 @@ You can configure {beatname_uc} to use the following inputs: * <<{beatname_lc}-input-gcp-pubsub>> * <<{beatname_lc}-input-http_endpoint>> * <<{beatname_lc}-input-httpjson>> +* <<{beatname_lc}-input-journald>> * <<{beatname_lc}-input-kafka>> * <<{beatname_lc}-input-log>> * <<{beatname_lc}-input-mqtt>> 
@@ -106,6 +107,8 @@ include::../../x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc[] include::../../x-pack/filebeat/docs/inputs/input-httpjson.asciidoc[] +include::inputs/input-journald.asciidoc[] + include::inputs/input-kafka.asciidoc[] include::inputs/input-log.asciidoc[] diff --git a/filebeat/docs/getting-started.asciidoc b/filebeat/docs/getting-started.asciidoc index 8f340bde6a5..d51a267b91f 100644 --- a/filebeat/docs/getting-started.asciidoc +++ b/filebeat/docs/getting-started.asciidoc @@ -86,8 +86,8 @@ configs: include::{libbeat-dir}/tab-widgets/enable-modules-widget.asciidoc[] -- -. In the module configs under `modules.d`, change the module settings to match -your environment. +. In the module configs under `modules.d`, enable the desired datasets and +change the module settings to match your environment. + For example, log locations are set based on the OS. If your logs aren't in default locations, set the `paths` variable: @@ -97,6 +97,7 @@ default locations, set the `paths` variable: ---- - module: nginx access: + enabled: true var.paths: ["/var/log/nginx/access.log*"] <1> ---- -- diff --git a/filebeat/docs/inputs/input-journald.asciidoc b/filebeat/docs/inputs/input-journald.asciidoc new file mode 100644 index 00000000000..0279f768d65 --- /dev/null +++ b/filebeat/docs/inputs/input-journald.asciidoc 
@@ -0,0 +1,223 @@ +:type: journald + +[id="{beatname_lc}-input-{type}"] +=== Journald input + +++++ +journald +++++ + +https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html[`journald`] +is a system service that collects and stores logging data. The `journald` input +reads this log data and the metadata associated with it. + +The simplest configuration example is one that reads all logs from the default +journal. + +["source","yaml",subs="attributes"] +---- +{beatname_lc}.inputs: +- type: journald + id: everything +---- + +You may wish to have separate inputs for each service. You can use +`include_matches` to specify a list of filter expressions that are applied as a +logical OR. A good way to list the journald fields that are available for +filtering messages is to run `journalctl -o json` to output logs and metadata as +JSON. This example collects logs from the `vault.service` systemd unit. + +["source","yaml",subs="attributes"] +---- +{beatname_lc}.inputs: +- type: journald + id: service-vault + include_matches: + - _SYSTEMD_UNIT=vault.service +---- + +This example collects kernel logs where the message begins with `iptables`. +Note that `include_matches` is more efficient than Beat processors because that +are applied before the data is passed to the {beatname_uc} so prefer them where +possible. + +["source","yaml",subs="attributes"] +---- +{beatname_lc}.inputs: +- type: journald + id: iptables + include_matches: + - _TRANSPORT=kernel + processors: + - drop_event: + when.not.regex.message: '^iptables' +---- + +Each example adds the `id` for the input to ensure the cursor is persisted to +the registry with a unique ID. The ID should be unique among journald inputs. +If you don't specify and `id` then one is created for you by hashing +the configuration. So when you modify the config this will result in a new ID +and a fresh cursor. 
+ +[id="{beatname_lc}-input-{type}-options"] +==== Configuration options + +The `journald` input supports the following configuration options plus the +<<{beatname_lc}-input-{type}-common-options>> described later. + +[float] +[id="{beatname_lc}-input-{type}-id"] +==== `id` + +An optional unique identifier for the input. By providing a unique `id` you can +operate multiple inputs on the same journal. This allows each input's cursor to +be persisted independently in the registry file. + +["source","yaml",subs="attributes"] +---- +{beatname_lc}.inputs: +- type: journald + id: consul.service + include_matches: + - _SYSTEMD_UNIT=consul.service + +- type: journald + id: vault.service + include_matches: + - _SYSTEMD_UNIT=vault.service +---- + +[float] +[id="{beatname_lc}-input-{type}-paths"] +==== `paths` + +A list of paths that will be crawled and fetched. Each path can be a directory +path (to collect events from all journals in a directory), or a file path. If +you specify a directory, {beatname_uc} merges all journals under the directory +into a single journal and reads them. + +If no paths are specified, {beatname_uc} reads from the default journal. + +[float] +[id="{beatname_lc}-input-{type}-backoff"] +==== `backoff` + +The number of seconds to wait before trying to read again from journals. The +default is 1s. + +[float] +[id="{beatname_lc}-input-{type}-max-backoff"] +==== `max_backoff` + +The maximum number of seconds to wait before attempting to read again from +journals. The default is 60s. + +[float] +[id="{beatname_lc}-input-{type}-seek"] +==== `seek` + +The position to start reading the journal from. Valid settings are: + +* `head`: Starts reading at the beginning of the journal. After a restart, +{beatname_uc} resends all log messages in the journal. +* `tail`: Starts reading at the end of the journal. After a restart, +{beatname_uc} resends the last message, which might result in duplicates. 
If +multiple log messages are written to a journal while {beatname_uc} is down, +only the last log message is sent on restart. +* `cursor`: On first read, starts reading at the beginning of the journal. After +a reload or restart, continues reading at the last known position. + +If you have old log files and want to skip lines, start {beatname_uc} with +`seek: tail` specified. Then stop {beatname_uc}, set `seek: cursor`, and restart +{beatname_uc}. + +[float] +[id="{beatname_lc}-input-{type}-include-matches"] +==== `include_matches` + +A list of filter expressions used to match fields. The format of the expression +is `field=value`. {beatname_uc} fetches all events that exactly match the +expressions. Pattern matching is not supported. + +To reference fields, use one of the following: + +* The field name used by the systemd journal. For example, +`CONTAINER_TAG=redis`. +* The <<{beatname_lc}-input-{type}-translated-fields,translated field name>> +used by {beatname_uc}. For example, `container.image.tag=redis`. {beatname_uc} +does not translate all fields from the journal. For custom fields, use the name +specified in the systemd journal. 
+ +[float] +[id="{beatname_lc}-input-{type}-translated-fields"] +=== Translated field names + +You can use the following translated names in filter expressions to reference +journald fields: + +[horizontal] +*Journald field name*:: *Translated name* +`COREDUMP_UNIT`:: `journald.coredump.unit` +`COREDUMP_USER_UNIT`:: `journald.coredump.user_unit` +`OBJECT_AUDIT_LOGINUID`:: `journald.object.audit.login_uid` +`OBJECT_AUDIT_SESSION`:: `journald.object.audit.session` +`OBJECT_CMDLINE`:: `journald.object.cmd` +`OBJECT_COMM`:: `journald.object.name` +`OBJECT_EXE`:: `journald.object.executable` +`OBJECT_GID`:: `journald.object.gid` +`OBJECT_PID`:: `journald.object.pid` +`OBJECT_SYSTEMD_OWNER_UID`:: `journald.object.systemd.owner_uid` +`OBJECT_SYSTEMD_SESSION`:: `journald.object.systemd.session` +`OBJECT_SYSTEMD_UNIT`:: `journald.object.systemd.unit` +`OBJECT_SYSTEMD_USER_UNIT`:: `journald.object.systemd.user_unit` +`OBJECT_UID`:: `journald.object.uid` +`_AUDIT_LOGINUID`:: `process.audit.login_uid` +`_AUDIT_SESSION`:: `process.audit.session` +`_BOOT_ID`:: `host.boot_id` +`_CAP_EFFECTIVE`:: `process.capabilites` +`_CMDLINE`:: `process.cmd` +`_CODE_FILE`:: `journald.code.file` +`_CODE_FUNC`:: `journald.code.func` +`_CODE_LINE`:: `journald.code.line` +`_COMM`:: `process.name` +`_EXE`:: `process.executable` +`_GID`:: `process.uid` +`_HOSTNAME`:: `host.name` +`_KERNEL_DEVICE`:: `journald.kernel.device` +`_KERNEL_SUBSYSTEM`:: `journald.kernel.subsystem` +`_MACHINE_ID`:: `host.id` +`_MESSAGE`:: `message` +`_PID`:: `process.pid` +`_PRIORITY`:: `syslog.priority` +`_SYSLOG_FACILITY`:: `syslog.facility` +`_SYSLOG_IDENTIFIER`:: `syslog.identifier` +`_SYSLOG_PID`:: `syslog.pid` +`_SYSTEMD_CGROUP`:: `systemd.cgroup` +`_SYSTEMD_INVOCATION_ID`:: `systemd.invocation_id` +`_SYSTEMD_OWNER_UID`:: `systemd.owner_uid` +`_SYSTEMD_SESSION`:: `systemd.session` +`_SYSTEMD_SLICE`:: `systemd.slice` +`_SYSTEMD_UNIT`:: `systemd.unit` +`_SYSTEMD_USER_SLICE`:: `systemd.user_slice` +`_SYSTEMD_USER_UNIT`:: 
`systemd.user_unit` +`_TRANSPORT`:: `systemd.transport` +`_UDEV_DEVLINK`:: `journald.kernel.device_symlinks` +`_UDEV_DEVNODE`:: `journald.kernel.device_node_path` +`_UDEV_SYSNAME`:: `journald.kernel.device_name` +`_UID`:: `process.uid` + +The following translated fields for +https://docs.docker.com/config/containers/logging/journald/[Docker] are also +available: + +[horizontal] +`CONTAINER_ID`:: `container.id_truncated` +`CONTAINER_ID_FULL`:: `container.id` +`CONTAINER_NAME`:: `container.name` +`CONTAINER_PARTIAL_MESSAGE`:: `container.partial` +`CONTAINER_TAG`:: `container.image.tag` + +[id="{beatname_lc}-input-{type}-common-options"] +include::../inputs/input-common-options.asciidoc[] + +:type!: diff --git a/filebeat/docs/modules/aws.asciidoc b/filebeat/docs/modules/aws.asciidoc index 32d3eab6c9b..a1652498c96 100644 --- a/filebeat/docs/modules/aws.asciidoc +++ b/filebeat/docs/modules/aws.asciidoc 
@@ -197,6 +197,29 @@ Required when using temporary security credentials. *`var.role_arn`*:: AWS IAM Role to assume. +[float] +=== config behaviour +Beware that in case both `var.queue_url` and `var.bucket_arn` are not set +instead of failing to start Filebeat with a config validation error, only the +specific fileset input will be stopped and a warning printed: +``` +2021-08-26T14:33:03.661-0600 WARN [aws-s3] awss3/config.go:54 neither queue_url nor bucket_arn were provided, input aws-s3 will stop +2021-08-26T14:33:10.668-0600 INFO [input.aws-s3] compat/compat.go:111 Input aws-s3 starting {"id": "29F3565F5B2A7070"} +2021-08-26T14:33:10.668-0600 INFO [input.aws-s3] compat/compat.go:124 Input 'aws-s3' stopped {"id": "29F3565F5B2A7070"} +``` + +This behaviour is required in order to reduce destruction of existing Filebeat setup +where not all AWS module's filesets are defined and will change in next major release. + +Setting `enabled: false` in the unused fileset will silence the warning and it is +the suggested setup. For example (assuming `cloudtrail` as unused fileset): +``` +- module: aws + cloudtrail: + enabled: false + +``` + [float] === cloudtrail fileset diff --git a/filebeat/docs/modules/cyberark.asciidoc b/filebeat/docs/modules/cyberark.asciidoc deleted file mode 100644 index bff645d0809..00000000000 --- a/filebeat/docs/modules/cyberark.asciidoc +++ /dev/null 
@@ -1,79 +0,0 @@ -//// -This file is generated! See scripts/docs_collector.py -//// - -[[filebeat-module-cyberark]] -[role="xpack"] - -:modulename: cyberark -:has-dashboards: false - -== Cyberark module - -deprecated::[7.13.0,"This module is deprecated. Use the <>"] - -This is a module for receiving Cyber-Ark logs over Syslog or a file. - -include::../include/gs-link.asciidoc[] - -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: corepas - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `corepas` fileset settings - -deprecated::[7.13.0] - -NOTE: This was converted from RSA NetWitness log parser XML "cyberark" device revision 124. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9527` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -:modulename!: - - - -[float] -=== Fields - -For a description of each field in the module, see the -<> section. - 
diff --git a/filebeat/docs/modules/gsuite.asciidoc b/filebeat/docs/modules/gsuite.asciidoc deleted file mode 100644 index 2df022216c5..00000000000 --- a/filebeat/docs/modules/gsuite.asciidoc +++ /dev/null 
@@ -1,146 +0,0 @@ -//// -This file is generated! See scripts/docs_collector.py -//// - -[[filebeat-module-gsuite]] -[role="xpack"] - -:modulename: gsuite -:has-dashboards: false - -== GSuite module - -beta[] - -deprecated::[7.12] - -This is a module for ingesting data from the different GSuite audit reports API's. - -include::../include/gs-link.asciidoc[] - -[float] -=== Compatibility - -It is compatible with a subset of applications under the https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started[Google Reports API v1]. As of today it supports: - -[options="header"] -|=========================================================================================================================================================================================================================== -| GSuite Service | Description | -| SAML https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[api docs] https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054[help] | View users’ successful and failed sign-ins to SAML applications. | -| User Accounts https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[api docs] https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054[help] | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | -| Login https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[api docs] https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054[help] | Track user sign-in activity to your domain. | -| Admin https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[api docs] https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054[help] | View administrator activity performed within the Google Admin console. 
| -| Drive https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[api docs] https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054[help] | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | -| Groups https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[api docs] https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054[help] | Track changes to groups, group memberships and group messages. | -|=========================================================================================================================================================================================================================== - -[float] -=== Configure the module - -In order for Filebeat to ingest data from the Google Reports API you must: - -- Have an *administrator account*. -- https://support.google.com/gsuitemigrate/answer/9222993?hl=en[Set up a ServiceAccount] using the administrator account. -- https://support.google.com/gsuitemigrate/answer/9222865?hl=en[Set up access to the Admin SDK API] for the ServiceAccount. -- https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Enable Domain-Wide Delegation] for your ServiceAccount. 
- -This module will make use of the following *oauth2 scope*: - -- `https://www.googleapis.com/auth/admin.reports.audit.readonly` - -Once you have downloaded your service account credentials as a JSON file, -you can set up your module: - -[float] -===== Configuration options - -[source,yaml] ----- -- module: gsuite - saml: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - user_accounts: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - login: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - admin: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - drive: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - groups: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" ----- - -Every fileset has the following configuration options: - -*`var.jwt_file`*:: - -Specifies the path to the JWT credentials file. - -*`var.delegated_account`*:: - -Email of the admin user used to access the API. - -*`var.http_client_timeout`*:: - -Duration of the time limit on HTTP requests made by the module. Defaults to -`60s`. - -*`var.interval`*:: - -Duration between requests to the API. Defaults to `2h`. - -NOTE: GSuite defaults to a 2 hour polling interval because Google reports can go from -some minutes up to 3 days of delay. For more details on this, you can read more https://support.google.com/a/answer/7061566[here]. - -*`var.user_key`*:: - -Specifies the user key to fetch reports from. Defaults to `all`. - -*`var.initial_interval`*:: - -It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to `24h`. 
- -[float] -==== GSuite Reports ECS fields - -This is a list of GSuite Reports fields that are mapped to ECS. - -[options="header"] -|=============================================================================================== -| GSuite Reports | ECS Fields | -| `items[].id.time` | `@timestamp` | -| `items[].id.uniqueQualifier` | `event.id` | -| `items[].id.applicationName` | `event.provider` | -| `items[].events[].name` | `event.action` | -| `items[].customerId` | `organization.id` | -| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` | -| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | -| `items[].actor.profileId` | `source.user.id` | -|=============================================================================================== - -These are the common ones to all filesets. - -:has-dashboards!: - -:modulename!: - - -[float] -=== Fields - -For a description of each field in the module, see the -<> section. - diff --git a/filebeat/docs/modules/sophos.asciidoc b/filebeat/docs/modules/sophos.asciidoc index 510afde1f65..35438478d5d 100644 --- a/filebeat/docs/modules/sophos.asciidoc +++ b/filebeat/docs/modules/sophos.asciidoc 
@@ -16,17 +16,17 @@ logs in syslog format or from a file for the following devices: - `xg` fileset: supports Sophos XG SFOS logs. - `utm` fileset: supports Sophos UTM logs. -To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. +To configure a remote syslog destination, please reference the https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/SyslogServerAdd.html[SophosXG/SFOS Documentation]. -The syslog format choosen should be `Default`. +The syslog format choosen in Sophos configuration should be `Central Reporting Format`. include::../include/gs-link.asciidoc[] [float] === Compatibility -This module has been tested against SFOS version 17.5.x and 18.0.x. -Versions above this are expected to work but have not been tested. +This module has been tested against SFOS version 17.5.x, 18.0.x, and 18.5.x. +Versions above this and between 18.0 - 18.5 are expected to work but have not been tested. include::../include/configuring-intro.asciidoc[] diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index bb588001ee1..c55da6935ad 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -16,7 +16,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -25,7 +24,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -91,7 +89,6 @@ include::modules/checkpoint.asciidoc[] include::modules/cisco.asciidoc[] include::modules/coredns.asciidoc[] include::modules/crowdstrike.asciidoc[] -include::modules/cyberark.asciidoc[] include::modules/cyberarkpas.asciidoc[] include::modules/cylance.asciidoc[] include::modules/elasticsearch.asciidoc[] 
@@ -100,7 +97,6 @@ include::modules/f5.asciidoc[] include::modules/fortinet.asciidoc[] include::modules/gcp.asciidoc[] include::modules/google_workspace.asciidoc[] -include::modules/gsuite.asciidoc[] include::modules/haproxy.asciidoc[] include::modules/ibmmq.asciidoc[] include::modules/icinga.asciidoc[] diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index dbdb731c0dc..33a24a5fb9c 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -80,32 +80,32 @@ filebeat.modules: - module: elasticsearch # Server log server: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: @@ -114,7 +114,7 @@ filebeat.modules: - module: haproxy # All logs log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: @@ -191,7 +191,7 @@ filebeat.modules: - module: kafka # All logs log: - enabled: true + enabled: false # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. @@ -205,7 +205,7 @@ filebeat.modules: - module: kibana # Server logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -213,7 +213,7 @@ filebeat.modules: # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -281,7 +281,7 @@ filebeat.modules: - module: nats # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -322,9 +322,9 @@ filebeat.modules: # #var.paths: #------------------------------- Osquery Module ------------------------------- -- module: osquery - result: - enabled: true +#- module: osquery + #result: + #enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -339,7 +339,7 @@ filebeat.modules: - module: pensando # Firewall logs dfw: - enabled: true + enabled: false var.syslog_host: 0.0.0.0 var.syslog_port: 9001 @@ -384,7 +384,7 @@ filebeat.modules: #----------------------------- Google Santa Module ----------------------------- - module: santa log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/filebeat/fileset/compatibility.go b/filebeat/fileset/compatibility.go index 8fe4e64a4db..8a38e6158cc 100644 --- a/filebeat/fileset/compatibility.go +++ b/filebeat/fileset/compatibility.go @@ -106,6 +106,13 @@ var processorCompatibilityChecks = []processorCompatibility{ }, adaptConfig: deleteProcessor, }, + { + procType: "*", + checkVersion: func(esVersion *common.Version) bool { + return esVersion.LessThan(common.MustNewVersion("7.9.0")) + }, + adaptConfig: removeDescription, + }, } // Processor represents and Ingest Node processor definition. @@ -273,7 +280,7 @@ nextProcessor: // Run compatibility checks on the processor. for _, proc := range processorCompatibilityChecks { - if processor.Name() != proc.procType { + if processor.Name() != proc.procType && proc.procType != "*" { continue } 
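Review bot: The osquery entry in the `@@ -322,9 +322,9 @@` hunk is commented out wholesale (`#- module: osquery`, `#result:`, `#enabled: true`) while every other module touched in this file is switched to `enabled: false`, so the reference config is now inconsistent about how a module is disabled. Unless osquery needs to vanish from the reference for a reason not visible here, `result:` / `enabled: false` keeps it discoverable like its neighbours. The leftover `#enabled: true` also reads as a stale hint now that the surrounding modules default to disabled.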
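Review bot: The wildcard entry (`procType: "*"`) in the `@@ -106,6 +106,13 @@` hunk is appended after the type-specific checks, and the loop changed in the `@@ -273,7 +280,7 @@` hunk evaluates `processorCompatibilityChecks` in slice order, so `removeDescription` only runs on whatever processor the earlier adapters leave behind (for example after a type-specific adapter has replaced it); that ordering is load-bearing but nothing says so. Add a comment on the entry, e.g. `// Keep last: applies to every processor type and must see the result of the type-specific adapters above.` A future check that returns a nil processor (`processor.IsNil()` then `continue nextProcessor`) will also skip the wildcard, which looks intended but is worth stating in the same comment.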
@@ -281,9 +288,9 @@ nextProcessor: continue } - processor, err = proc.adaptConfig(processor, log.With("processor_type", proc.procType, "processor_index", i)) + processor, err = proc.adaptConfig(processor, log.With("processor_type", processor.Name(), "processor_index", i)) if err != nil { - return fmt.Errorf("failed to adapt %q processor at index %d: %w", proc.procType, i, err) + return fmt.Errorf("failed to adapt %q processor at index %d: %w", processor.Name(), i, err) } if processor.IsNil() { continue nextProcessor @@ -408,3 +415,16 @@ func replaceConvertIP(processor Processor, log *logp.Logger) (Processor, error) log.Debug("processor output=", processor.String()) return processor, nil } + +// removeDescription removes the description config option so ES less than 7.9 will work. +func removeDescription(processor Processor, log *logp.Logger) (Processor, error) { + _, ok := processor.GetString("description") + if !ok { + return processor, nil + } + + log.Debug("Removing unsupported 'description' from processor.") + processor.Delete("description") + + return processor, nil +} diff --git a/filebeat/fileset/compatibility_test.go b/filebeat/fileset/compatibility_test.go index 0d3b000d8b7..560af3940ab 100644 --- a/filebeat/fileset/compatibility_test.go +++ b/filebeat/fileset/compatibility_test.go @@ -922,7 +922,6 @@ func TestReplaceConvertIPWithGrok(t *testing.T) { "^%{IP:bar}$", }, "ignore_missing": true, - "description": "foo bar", "if": "condition", "ignore_failure": false, "tag": "myTag", 
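Review bot: `removeDescription` only treats `description` as present when `processor.GetString("description")` succeeds, so a value under that key that is not a string (if `GetString` rejects such values, as its name suggests) is left in place and would presumably still be refused by an ES node older than 7.9. If the `Processor` type offers a type-agnostic lookup, use that for the existence test and let `Delete` remove whatever the value is. The result of `processor.Delete("description")` is also discarded; if `Delete` reports failure, return it instead of dropping it.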
@@ -1341,3 +1340,118 @@ func TestReplaceAlternativeFlowProcessors(t *testing.T) { }) } } + +func TestRemoveDescription(t *testing.T) { + cases := []struct { + name string + esVersion *common.Version + content map[string]interface{} + expected map[string]interface{} + isErrExpected bool + }{ + { + name: "ES < 7.9.0", + esVersion: common.MustNewVersion("7.8.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "description": "This is a description", + }, + }, + map[string]interface{}{ + "script": map[string]interface{}{ + "source": "abcd", + "lang": "painless", + "description": "This is a description", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + }, + }, + map[string]interface{}{ + "script": map[string]interface{}{ + "source": "abcd", + "lang": "painless", + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES == 7.9.0", + esVersion: common.MustNewVersion("7.9.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "description": "This is a description", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "description": "This is a description", + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES > 7.9.0", + esVersion: common.MustNewVersion("8.0.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "description": "This is a 
description", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "description": "This is a description", + }, + }, + }, + }, + isErrExpected: false, + }, + } + + for _, test := range cases { + test := test + t.Run(test.name, func(t *testing.T) { + t.Parallel() + err := adaptPipelineForCompatibility(*test.esVersion, "foo-pipeline", test.content, logp.NewLogger(logName)) + if test.isErrExpected { + assert.Error(t, err) + } else { + require.NoError(t, err) + assert.Equal(t, test.expected, test.content, test.name) + } + }) + } +} diff --git a/filebeat/fileset/modules.go b/filebeat/fileset/modules.go index 3df41999f8f..72c8d17cb25 100644 --- a/filebeat/fileset/modules.go +++ b/filebeat/fileset/modules.go @@ -69,33 +69,13 @@ func newModuleRegistry(modulesPath string, return nil, fmt.Errorf("error getting filesets for module %s: %v", mcfg.Module, err) } - for _, filesetName := range moduleFilesets { - fcfg, exists := mcfg.Filesets[filesetName] - if !exists { - fcfg = &FilesetConfig{} - } + for filesetName, fcfg := range mcfg.Filesets { fcfg, err = applyOverrides(fcfg, mcfg.Module, filesetName, overrides) if err != nil { return nil, fmt.Errorf("error applying overrides on fileset %s/%s: %v", mcfg.Module, filesetName, err) } - if fcfg.Enabled != nil && !(*fcfg.Enabled) { - continue - } - - fileset, err := New(modulesPath, filesetName, mcfg, fcfg) - if err != nil { - return nil, err - } - if err = fileset.Read(beatInfo); err != nil { - return nil, fmt.Errorf("error reading fileset %s/%s: %v", mcfg.Module, filesetName, err) - } - reg.registry[mcfg.Module][filesetName] = fileset - } - - // check that no extra filesets are configured - for filesetName, fcfg := range mcfg.Filesets { if fcfg.Enabled != nil && !(*fcfg.Enabled) { continue } 
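Review bot: TestRemoveDescription never exercises the early-return path of `removeDescription` — every case under `ES < 7.9.0` carries a `description` — so the branch that leaves a processor without the key untouched is untested. Add a case with `common.MustNewVersion("7.8.0")` and a `set` processor lacking `description`, expecting `content` unchanged. The cases also all use processors that no type-specific adapter touches, so the wildcard's interaction with an earlier replacement goes unverified.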
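Review bot: With the `for _, filesetName := range moduleFilesets` loop removed in the `@@ -69,33 +69,13 @@` hunk, a module entry that names no filesets now registers nothing and `newModuleRegistry` returns without any diagnostic, since it only iterates `mcfg.Filesets`; previously every fileset under the module directory was enabled. Operators upgrading with the old short form will silently lose ingestion for that module — the modules_test.go changes in this commit show `auditd`, `system`/`auth` and the others now needing explicit fileset keys. Log a warning when `len(mcfg.Filesets) == 0` naming `mcfg.Module`, and call the behaviour change out in the changelog. The function's opening lines are outside the hunk.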
@@ -108,6 +88,15 @@ func newModuleRegistry(modulesPath string, if !found { return nil, fmt.Errorf("fileset %s/%s is configured but doesn't exist", mcfg.Module, filesetName) } + + fileset, err := New(modulesPath, filesetName, mcfg, fcfg) + if err != nil { + return nil, err + } + if err = fileset.Read(beatInfo); err != nil { + return nil, fmt.Errorf("error reading fileset %s/%s: %v", mcfg.Module, filesetName, err) + } + reg.registry[mcfg.Module][filesetName] = fileset } } @@ -152,9 +141,30 @@ func NewModuleRegistry(moduleConfigs []*common.Config, beatInfo beat.Info, init return nil, err } + enableFilesetsFromOverrides(mcfgs, modulesOverrides) return newModuleRegistry(modulesPath, mcfgs, modulesOverrides, beatInfo) } +// enableFilesetsFromOverrides enables in mcfgs the filesets mentioned in overrides, +// so that the overridden configuration can be applied. +func enableFilesetsFromOverrides(mcfgs []*ModuleConfig, overrides *ModuleOverrides) { + if overrides == nil { + return + } + for _, mcfg := range mcfgs { + if modOvr, ok := (*overrides)[mcfg.Module]; ok { + for fset := range modOvr { + if _, ok = mcfg.Filesets[fset]; !ok { + if mcfg.Filesets == nil { + mcfg.Filesets = make(map[string]*FilesetConfig) + } + mcfg.Filesets[fset] = &FilesetConfig{} + } + } + } + } +} + func mcfgFromConfig(cfg *common.Config) (*ModuleConfig, error) { var mcfg ModuleConfig 
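Review bot: In `enableFilesetsFromOverrides` (`@@ -152,9 +141,30 @@` hunk) the inner `if _, ok = mcfg.Filesets[fset]; !ok` reassigns the outer `ok` declared by `modOvr, ok := ...` instead of scoping its own, which is easy to misread; write `if _, ok := mcfg.Filesets[fset]; !ok {`. The nil-map allocation sits inside the inner loop but only depends on `mcfg`, so hoist it: `if mcfg.Filesets == nil { mcfg.Filesets = make(map[string]*FilesetConfig) }` before `for fset := range modOvr {`. The doc comment should also say the function mutates `mcfgs` in place, since the caller relies on that.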
@@ -171,11 +181,18 @@ func mcfgFromConfig(cfg *common.Config) (*ModuleConfig, error) { } mcfg.Filesets = map[string]*FilesetConfig{} - for name, filesetConfig := range dict { + + // This calls cfg.GetFields() instead of iterating over `dict` keys + // because cfg.Unpack above doesn't return keys that map to a nil value, + // but GetFields() returns all keys. We need to observe filesets that + // don't contain any configuration (all default values). + for _, name := range cfg.GetFields() { if name == "module" || name == "enabled" || name == "path" { continue } + filesetConfig, _ := dict[name] // Nil config if name is not present. + tmpCfg, err := common.NewConfigFrom(filesetConfig) if err != nil { return nil, fmt.Errorf("error creating config from fileset %s/%s: %v", mcfg.Module, name, err) @@ -400,9 +417,19 @@ func (reg *ModuleRegistry) ModuleNames() []string { return modules } -// ModuleFilesets return the list of available filesets for the given module +// ModuleAvailableFilesets return the list of available filesets for the given module // it returns an empty list if the module doesn't exist -func (reg *ModuleRegistry) ModuleFilesets(module string) ([]string, error) { +func (reg *ModuleRegistry) ModuleAvailableFilesets(module string) ([]string, error) { modulesPath := paths.Resolve(paths.Home, "module") return getModuleFilesets(modulesPath, module) } + +// ModuleConfiguredFilesets return the list of configured filesets for the given module +// it returns an empty list if the module doesn't exist +func (reg *ModuleRegistry) ModuleConfiguredFilesets(module string) (list []string, err error) { + filesets, _ := reg.registry[module] + for name := range filesets { + list = append(list, name) + } + return +} diff --git a/filebeat/fileset/modules_integration_test.go b/filebeat/fileset/modules_integration_test.go index 7afd9bbb547..4d5a79a9426 100644 --- a/filebeat/fileset/modules_integration_test.go +++ b/filebeat/fileset/modules_integration_test.go 
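Review bot: `ModuleConfiguredFilesets` returns names in map iteration order, so successive calls can yield different orders, and its `err` result is never non-nil; sort before returning (`sort.Strings(list)`, adding the `sort` import if the file lacks it) and either drop the error result or document that it exists only to mirror `ModuleAvailableFilesets`. The `filesets, _ := reg.registry[module]` form here and `filesetConfig, _ := dict[name]` in the `@@ -171,11 +181,18 @@` hunk are two-value map reads with the bool discarded, which staticcheck (S1005) flags; `filesets := reg.registry[module]` is equivalent. Renaming the exported `ModuleFilesets` to `ModuleAvailableFilesets` breaks external callers; if compatibility matters, keep a `// Deprecated:` alias that delegates.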
@@ -105,7 +105,13 @@ func TestSetupNginx(t *testing.T) { require.NoError(t, err) configs := []*ModuleConfig{ - {Module: "nginx"}, + { + Module: "nginx", + Filesets: map[string]*FilesetConfig{ + "error": {}, + "access": {}, + }, + }, } reg, err := newModuleRegistry(modulesPath, configs, nil, makeTestInfo("5.2.0")) diff --git a/filebeat/fileset/modules_test.go b/filebeat/fileset/modules_test.go index f69db27648c..7fe2e32aaab 100644 --- a/filebeat/fileset/modules_test.go +++ b/filebeat/fileset/modules_test.go @@ -45,11 +45,39 @@ func TestNewModuleRegistry(t *testing.T) { modulesPath, err := filepath.Abs("../module") require.NoError(t, err) + falseVar := false + configs := []*ModuleConfig{ - {Module: "nginx"}, - {Module: "mysql"}, - {Module: "system"}, - {Module: "auditd"}, + { + Module: "nginx", + Filesets: map[string]*FilesetConfig{ + "access": {}, + "error": {}, + "ingress_controller": { + Enabled: &falseVar, + }, + }, + }, + { + Module: "mysql", + Filesets: map[string]*FilesetConfig{ + "slowlog": {}, + "error": {}, + }, + }, + { + Module: "system", + Filesets: map[string]*FilesetConfig{ + "syslog": {}, + "auth": {}, + }, + }, + { + Module: "auditd", + Filesets: map[string]*FilesetConfig{ + "log": {}, + }, + }, } reg, err := newModuleRegistry(modulesPath, configs, nil, beat.Info{Version: "5.2.0"}) @@ -58,7 +86,7 @@ func TestNewModuleRegistry(t *testing.T) { expectedModules := map[string][]string{ "auditd": {"log"}, - "nginx": {"access", "error", "ingress_controller"}, + "nginx": {"access", "error"}, "mysql": {"slowlog", "error"}, "system": {"syslog", "auth"}, } @@ -374,6 +402,19 @@ func TestMcfgFromConfig(t *testing.T) { }, }, }, + { + name: "empty fileset (nil)", + config: load(t, map[string]interface{}{ + "module": "nginx", + "error": nil, + }), + expected: ModuleConfig{ + Module: "nginx", + Filesets: map[string]*FilesetConfig{ + "error": {}, + }, + }, + }, } for _, test := range tests { 
@@ -451,3 +492,132 @@ func TestInterpretError(t *testing.T) { }) } } + +func TestEnableFilesetsFromOverrides(t *testing.T) { + tests := []struct { + Name string + Cfg []*ModuleConfig + Overrides *ModuleOverrides + Expected []*ModuleConfig + }{ + { + Name: "add fileset", + Cfg: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": {}, + }, + }, + }, + Overrides: &ModuleOverrides{ + "foo": { + "baz": nil, + }, + }, + Expected: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": {}, + "baz": {}, + }, + }, + }, + }, + { + Name: "defined fileset", + Cfg: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": { + Var: map[string]interface{}{ + "a": "b", + }, + }, + }, + }, + }, + Overrides: &ModuleOverrides{ + "foo": { + "bar": nil, + }, + }, + Expected: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": { + Var: map[string]interface{}{ + "a": "b", + }, + }, + }, + }, + }, + }, + { + Name: "disabled module", + Cfg: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": {}, + }, + }, + }, + Overrides: &ModuleOverrides{ + "other": { + "bar": nil, + }, + }, + Expected: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": {}, + }, + }, + }, + }, + { + Name: "nil overrides", + Cfg: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": {}, + }, + }, + }, + Overrides: nil, + Expected: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": {}, + }, + }, + }, + }, + { + Name: "no modules", + Cfg: nil, + Overrides: &ModuleOverrides{ + "other": { + "bar": nil, + }, + }, + Expected: nil, + }, + } + + for _, test := range tests { + t.Run(test.Name, func(t *testing.T) { + enableFilesetsFromOverrides(test.Cfg, test.Overrides) + assert.Equal(t, test.Expected, test.Cfg) + }) + } + +} 
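Review bot: TestEnableFilesetsFromOverrides never exercises the branch that allocates `mcfg.Filesets` when it is nil, so a regression there (writing to a nil map panics) would go unnoticed; add a case such as `{Name: "nil filesets", Cfg: []*ModuleConfig{{Module: "foo"}}, Overrides: &ModuleOverrides{"foo": {"bar": nil}}, Expected: []*ModuleConfig{{Module: "foo", Filesets: map[string]*FilesetConfig{"bar": {}}}}}`. The blank line before the closing brace of the test function is stray.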
diff --git a/filebeat/input/default-inputs/inputs_linux.go b/filebeat/input/default-inputs/inputs_linux.go index c2ec4960e92..deaa915b918 100644 --- a/filebeat/input/default-inputs/inputs_linux.go +++ b/filebeat/input/default-inputs/inputs_linux.go @@ -18,6 +18,7 @@ package inputs import ( + "github.com/elastic/beats/v7/filebeat/input/journald" v2 "github.com/elastic/beats/v7/filebeat/input/v2" cursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor" "github.com/elastic/beats/v7/libbeat/beat" @@ -31,8 +32,12 @@ type osComponents interface { } func osInputs(info beat.Info, log *logp.Logger, components osComponents) []v2.Plugin { - return []v2.Plugin{ - // XXX: journald is currently disable. - // journald.Plugin(log, components), + var plugins []v2.Plugin + + zeroPlugin := v2.Plugin{} + if journald := journald.Plugin(log, components); journald != zeroPlugin { + plugins = append(plugins, journald) } + + return plugins } diff --git a/filebeat/input/filestream/input.go b/filebeat/input/filestream/input.go index ec051273171..c1ba829d65f 100644 --- a/filebeat/input/filestream/input.go +++ b/filebeat/input/filestream/input.go @@ -27,7 +27,6 @@ import ( loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" input "github.com/elastic/beats/v7/filebeat/input/v2" - "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/cleanup" "github.com/elastic/beats/v7/libbeat/common/match" @@ -330,8 +329,7 @@ func (inp *filestream) readFromSource( continue } - event := inp.eventFromMessage(message, path) - if err := p.Publish(event, s); err != nil { + if err := p.Publish(message.ToEvent(), s); err != nil { return err } } 
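Review bot: In osInputs the initializer `if journald := journald.Plugin(log, components); journald != zeroPlugin` shadows the `journald` package name for the body of the if; a short local avoids the confusion: `if p := journald.Plugin(log, components); p != zeroPlugin { plugins = append(plugins, p) }`. The comparison against a zero `v2.Plugin` relies on the non-journald stub returning an empty value, so a one-line comment next to the check, `// journald.Plugin returns a zero Plugin when journald support is not compiled in`, records that contract where it is depended on. If `v2.Plugin` ever gains a non-comparable field the `!=` stops compiling; a dedicated predicate on the plugin would be more robust, but that depends on the type, which is not visible here.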
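Review bot: In readFromSource, `message.ToEvent()` replaces the removed `eventFromMessage`, which defaulted `Fields["message"]` to `string(m.Content)` when no such field was set and initialised a nil `Fields` map; presumably ToEvent does the same, but it is not visible here, so that equivalence is worth confirming with a test on a message that has `Content` but no `Fields`. readFromSource starts and ends outside the hunk.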
@@ -365,21 +363,3 @@ func matchAny(matchers []match.Matcher, text string) bool { } return false } - -func (inp *filestream) eventFromMessage(m reader.Message, path string) beat.Event { - if m.Fields == nil { - m.Fields = common.MapStr{} - } - - if len(m.Content) > 0 { - if _, ok := m.Fields["message"]; !ok { - m.Fields["message"] = string(m.Content) - } - } - - return beat.Event{ - Timestamp: m.Ts, - Meta: m.Meta, - Fields: m.Fields, - } -} diff --git a/filebeat/input/filestream/parsers_integration_test.go b/filebeat/input/filestream/parsers_integration_test.go index aab501ca146..87f592c0849 100644 --- a/filebeat/input/filestream/parsers_integration_test.go +++ b/filebeat/input/filestream/parsers_integration_test.go @@ -247,6 +247,8 @@ The total should be 4 lines covered // test_rabbitmq_multiline_log from test_multiline.py func TestParsersRabbitMQMultilineLog(t *testing.T) { + t.Skip("Flaky test: https://github.com/elastic/beats/issues/27893") + env := newInputTestingEnvironment(t) testlogName := "test.log" @@ -291,6 +293,8 @@ connection <0.23893.109>, channel 3 - soft error: // test_max_lines from test_multiline.py func TestParsersMultilineMaxLines(t *testing.T) { + t.Skip("Flaky test: https://github.com/elastic/beats/issues/27894") + env := newInputTestingEnvironment(t) testlogName := "test.log" @@ -501,6 +505,8 @@ func TestParsersCloseTimeoutWithMultiline(t *testing.T) { // test_consecutive_newline from test_multiline.py func TestParsersConsecutiveNewline(t *testing.T) { + t.Skip("Flaky test: https://github.com/elastic/beats/issues/27085") + env := newInputTestingEnvironment(t) testlogName := "test.log" diff --git a/filebeat/input/journald/input_stub.go b/filebeat/input/journald/input_stub.go new file mode 100644 index 00000000000..4eada4569c5 --- /dev/null +++ b/filebeat/input/journald/input_stub.go 
@@ -0,0 +1,30 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build !linux !cgo !withjournald + +package journald + +import ( + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + cursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor" + "github.com/elastic/beats/v7/libbeat/logp" +) + +func Plugin(log *logp.Logger, store cursor.StateStore) v2.Plugin { + return v2.Plugin{} +} diff --git a/filebeat/input/v2/simplemanager.go b/filebeat/input/v2/simplemanager.go index 76ade85c9f5..5024fcfa3d1 100644 --- a/filebeat/input/v2/simplemanager.go +++ b/filebeat/input/v2/simplemanager.go 
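Review bot: The exported `Plugin` in the stub has no doc comment, and the zero `v2.Plugin` it returns is a contract that inputs_linux.go relies on; add `// Plugin returns a zero v2.Plugin; journald support is compiled in only on linux with cgo and the withjournald build tag.` The constraint `// +build !linux !cgo !withjournald` is an OR, so this stub is selected whenever any one of the three is missing, which the comment should say outright. The unused `log` and `store` parameters can be written as `_` to make clear the stub ignores them.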
@@ -33,12 +33,12 @@ func ConfigureWith(fn func(*common.Config) (Input, error)) InputManager { return &simpleInputManager{configure: fn} } -// Init is required to fullfil the input.InputManager interface. +// Init is required to fulfil the input.InputManager interface. // For the kafka input no special initialization is required. func (*simpleInputManager) Init(grp unison.Group, m Mode) error { return nil } -// Creates builds a new Input instance from the given configuation, or returns -// an error if the configuation is invalid. +// Create builds a new Input instance from the given configuration, or returns +// an error if the configuration is invalid. func (manager *simpleInputManager) Create(cfg *common.Config) (Input, error) { return manager.configure(cfg) } diff --git a/filebeat/magefile.go b/filebeat/magefile.go index 0d68e5a86c4..8e55f6e0d4d 100644 --- a/filebeat/magefile.go +++ b/filebeat/magefile.go @@ -39,21 +39,6 @@ import ( "github.com/elastic/beats/v7/dev-tools/mage/target/test" ) -// declare journald dependencies for cross build target -var ( - journaldPlatforms = []devtools.PlatformDescription{ - devtools.Linux386, devtools.LinuxAMD64, - devtools.LinuxARM64, devtools.LinuxARM5, devtools.LinuxARM6, devtools.LinuxARM7, - devtools.LinuxMIPS, devtools.LinuxMIPSLE, devtools.LinuxMIPS64LE, - devtools.LinuxPPC64LE, - devtools.LinuxS390x, - } - - journaldDeps = devtools.NewPackageInstaller(). - AddEach(journaldPlatforms, "libsystemd-dev"). - Add(devtools.Linux386, "libsystemd0", "libgcrypt20") -) - func init() { common.RegisterCheckDeps(Update) test.RegisterDeps(IntegTest) 
@@ -66,13 +51,10 @@ func Build() error { return devtools.Build(devtools.DefaultBuildArgs()) } -// GolangCrossBuild build the Beat binary inside of the golang-builder. +// GolangCrossBuild builds the Beat binary inside the golang-builder. // Do not use directly, use crossBuild instead. func GolangCrossBuild() error { - // XXX: enable once we have systemd available in the cross build image - // mg.Deps(journaldDeps.Installer(devtools.Platform.Name)) - - return devtools.GolangCrossBuild(devtools.DefaultGolangCrossBuildArgs()) + return filebeat.GolangCrossBuild() } // BuildGoDaemon builds the go-daemon binary (use crossBuildGoDaemon). @@ -82,7 +64,7 @@ func BuildGoDaemon() error { // CrossBuild cross-builds the beat for all target platforms. func CrossBuild() error { - return devtools.CrossBuild() + return filebeat.CrossBuild() } // CrossBuildGoDaemon cross-builds the go-daemon binary using Docker. @@ -123,6 +105,7 @@ func Update() { // modules.d directory. func Config() { mg.Deps(devtools.GenerateDirModulesD, configYML) + mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled) } func configYML() error { diff --git a/filebeat/module/apache/_meta/config.yml b/filebeat/module/apache/_meta/config.yml index 24e64df694a..ddf2b0c40d4 100644 --- a/filebeat/module/apache/_meta/config.yml +++ b/filebeat/module/apache/_meta/config.yml @@ -1,7 +1,7 @@ - module: apache # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/apache/_meta/fields.yml b/filebeat/module/apache/_meta/fields.yml index cbd235a7268..ead9903ad9d 100644 --- a/filebeat/module/apache/_meta/fields.yml +++ b/filebeat/module/apache/_meta/fields.yml 
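Review bot: GolangCrossBuild and CrossBuild now delegate to `filebeat.GolangCrossBuild()` and `filebeat.CrossBuild()`, but no import of a `filebeat` package appears in the visible import hunk above (only `.../target/test` shows as context); presumably it is already imported elsewhere in the file, otherwise this does not compile. The removed comment about enabling journald dependencies once systemd is in the cross-build image was the only record of why journald was left out; if the delegated targets now handle that, a one-line comment such as `// journald build dependencies are managed by the filebeat mage targets.` keeps that history next to the call. I cannot see the callee, so whether it actually does is inferred.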
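Review bot: Flipping `enabled: true` to `enabled: false` for both apache filesets changes what `filebeat modules enable apache` collects: nothing, until the user edits each fileset, which the new `ValidateDirModulesDDatasetsDisabled` dependency in the magefile appears to enforce. A short comment above each fileset, e.g. `# Set to true to collect this fileset.`, would tell users why enabling the module alone produces no data. The same flip is applied in the following hunks to the auditd, elasticsearch, haproxy, icinga, iis, kafka, kibana, logstash, mongodb, mysql, nats, nginx, osquery, pensando, postgresql, redis, santa, system and traefik templates and to their modules.d counterparts, so the comment belongs in each `_meta/config.yml` from which modules.d is generated.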
@@ -4,134 +4,6 @@ Apache Module short_config: true fields: - - name: apache2 - type: group - description: > - Aliases for backward compatibility with old apache2 fields - fields: - - name: access - type: group - fields: - - name: remote_ip - type: alias - path: source.address - migration: true - - name: ssl.protocol - type: alias - path: apache.access.ssl.protocol - migration: true - - name: ssl.cipher - type: alias - path: apache.access.ssl.cipher - migration: true - - name: body_sent.bytes - type: alias - path: http.response.body.bytes - migration: true - - name: user_name - type: alias - path: user.name - migration: true - - name: method - type: alias - path: http.request.method - migration: true - - name: url - type: alias - path: url.original - migration: true - - name: http_version - type: alias - path: http.version - migration: true - - name: response_code - type: alias - path: http.response.status_code - migration: true - - name: referrer - type: alias - path: http.request.referrer - migration: true - - name: agent - type: alias - path: user_agent.original - migration: true - - - name: user_agent - type: group - fields: - - name: device - type: alias - path: user_agent.device.name - migration: true - - name: name - type: alias - path: user_agent.name - migration: true - - name: os - type: alias - path: user_agent.os.full_name - migration: true - - name: os_name - type: alias - path: user_agent.os.name - migration: true - - name: original - type: alias - path: user_agent.original - migration: true - - name: geoip - type: group - fields: - - name: continent_name - type: alias - path: source.geo.continent_name - migration: true - - name: country_iso_code - type: alias - path: source.geo.country_iso_code - migration: true - - name: location - type: alias - path: source.geo.location - migration: true - - name: region_name - type: alias - path: source.geo.region_name - migration: true - - name: city_name - type: alias - path: source.geo.city_name - migration: 
true - - name: region_iso_code - type: alias - path: source.geo.region_iso_code - migration: true - - name: error - type: group - fields: - - name: level - type: alias - path: log.level - migration: true - - name: message - type: alias - path: message - migration: true - - name: pid - type: alias - path: process.pid - migration: true - - name: tid - type: alias - path: process.thread.id - migration: true - - name: module - type: alias - path: apache.error.module - migration: true - - - name: apache type: group description: > diff --git a/filebeat/module/apache/fields.go b/filebeat/module/apache/fields.go index 1e0b1608ebb..b24297a9888 100644 --- a/filebeat/module/apache/fields.go +++ b/filebeat/module/apache/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetApache returns asset data. // This is the base64 encoded zlib format compressed contents of module/apache. func AssetApache() string { - return "eJysl7+O4zgMxvs8BTH9qLgyxQGHAw5X3AELzPSGIjO2MIropegM/PYL/5tNMrIjOXEVyOH3/SjSgvgKH9jtQTfa1LgDECsO9/Dy17DwsgMoMRi2jVjye/hzBwAwvoT/qWxdHxRqYikM+aOt9iDc9otHi64M+yHgFbw+4Wzzx7AGIF2De6iY2mZaiXgNfs7qgAGOxHDQ5uNTcwmGTo0We7DOSgefVmogV84Wk/0kcclyxWMMhvC1HEOKhV9KMJ5IsLDN1dtZSffkN28aLfUeArVsUOmy5GuE/jnZivW4C9NufjcOwamGSciQy/Qe90iN2asVoVQOY5sa+WGKqEwKw4HKrgjoRR06wVu7eyC1SKMYQ0M+oOq1ojIpIG1ALvqfmQh9nIrEpXieUGoqt+X8s8UgKqqQlC7ntl7LThHbynq9pdl67OKMHCz5LRnHQ1Oc5/4oDJW51b1usCBa2hDTSeM4InP2x3ZV7wWNFHtdoZcNzV0MgamlX/62lv1vD21YOLgvJUs8W3NbhfWUommNOrEPOJbdEs1CeCbLgxAUM8lEoKCOrXOxgzAPZUkhn+dRlHjfbmFZVkr5/iqkhavGlv435MV69PLIRk83mQpJ3dVL3W9DrRfuChsodlBuQrurmArnyAx/exxqRSkVhrGy5J9Uv3Wx5OJZ6Z7VUCtSmTv0vFa6L7iENiMhM/FDY4fDM+bevRxVKhaXdskMQVe5F594VIpfY3NvtA3TMEh8j0zxk81+UjPqUm1yPc0TdI7xNDcNPaSiCt+uU5EhPHsGH2f+sSfVc+bqBav++Zu8aOvDZDGM/lLjjPHv+/sPeEM+I09mfXd/ccXYIGd2/sDuk/i2pCu8/fP29h/MqjBNGr+JtgzPmzFGzcFEbTx9Vlz+mWrCdLosyqCbVYeV/t+U+nuNk2ZfiLI11lcDoaOqwnI+j9TuVwAAAP//QYrRgg==" + return "eJysksFq6zAQRff+ikv28Qdo8eBRKF20UEj2xUgTWUTWiJGckr8vcuTUadNAaWY5su455mqNPR0Vutjpnhogu+xJYfV/WqwawFDS4mJ2HBT+NQBwOsQLm9GXS6lnyW+aw85ZhSxjWe4ceZPUdGGN0A20wJTJx0gKVniMdXMFtcCdAtu6XsZfILSmlM7ra5gbqDIPHHLnQqoI7FiQe5o1nrbbV2xIDiQVBs/27HXNbemXkm+jcGbN/uKD2XRPx3cW8+Xshm+ZzeYZcyoOJMlx+DT6UUS72JPcV+OUOUHab+2QCMtfynmsnQgPy1Km3F/1MMyP906/vu2pZpYizKhdsJOhZ2vJYKCUOktt8xEAAP//tzvrEQ==" } diff --git a/filebeat/module/apache2/module.yml b/filebeat/module/apache2/module.yml deleted file mode 100644 index 139027d128b..00000000000 --- a/filebeat/module/apache2/module.yml +++ /dev/null @@ -1 +0,0 @@ -movedTo: apache diff --git a/filebeat/module/auditd/_meta/config.yml b/filebeat/module/auditd/_meta/config.yml index bd952f49cc9..eaf816cec78 100644 --- a/filebeat/module/auditd/_meta/config.yml +++ b/filebeat/module/auditd/_meta/config.yml 
@@ -1,6 +1,6 @@ - module: auditd log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/elasticsearch/_meta/config.yml b/filebeat/module/elasticsearch/_meta/config.yml index 0c2562f2796..4a2f751b67c 100644 --- a/filebeat/module/elasticsearch/_meta/config.yml +++ b/filebeat/module/elasticsearch/_meta/config.yml @@ -1,32 +1,32 @@ - module: elasticsearch # Server log server: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/module/haproxy/_meta/config.yml b/filebeat/module/haproxy/_meta/config.yml index 0e1431e503c..b559d6d837f 100644 --- a/filebeat/module/haproxy/_meta/config.yml +++ b/filebeat/module/haproxy/_meta/config.yml @@ -1,7 +1,7 @@ - module: haproxy # All logs log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/filebeat/module/icinga/_meta/config.yml b/filebeat/module/icinga/_meta/config.yml index afcd57986a2..5fe0ddc2054 100644 --- a/filebeat/module/icinga/_meta/config.yml +++ b/filebeat/module/icinga/_meta/config.yml 
@@ -1,7 +1,7 @@ - module: icinga # Main logs main: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Debug logs debug: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -17,7 +17,7 @@ # Startup logs startup: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/iis/_meta/config.yml b/filebeat/module/iis/_meta/config.yml index 0ed84f14e52..f4f1d8cec36 100644 --- a/filebeat/module/iis/_meta/config.yml +++ b/filebeat/module/iis/_meta/config.yml @@ -1,7 +1,7 @@ - module: iis # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,9 +9,9 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: - \ No newline at end of file + diff --git a/filebeat/module/kafka/_meta/config.yml b/filebeat/module/kafka/_meta/config.yml index cbda5709c39..72e6d49ab44 100644 --- a/filebeat/module/kafka/_meta/config.yml +++ b/filebeat/module/kafka/_meta/config.yml @@ -1,7 +1,7 @@ - module: kafka # All logs log: - enabled: true + enabled: false # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. diff --git a/filebeat/module/kibana/_meta/config.yml b/filebeat/module/kibana/_meta/config.yml index ffb82496fca..2d6904e30c6 100644 --- a/filebeat/module/kibana/_meta/config.yml +++ b/filebeat/module/kibana/_meta/config.yml @@ -1,7 +1,7 @@ - module: kibana # Server logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -9,7 +9,7 @@ # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/logstash/_meta/config.yml b/filebeat/module/logstash/_meta/config.yml index bdb8e488dac..d38c8058aca 100644 --- a/filebeat/module/logstash/_meta/config.yml +++ b/filebeat/module/logstash/_meta/config.yml @@ -1,7 +1,7 @@ - module: logstash # logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Slow logs slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/module/mongodb/_meta/config.yml b/filebeat/module/mongodb/_meta/config.yml index be6ea989c1c..28143b64eb4 100644 --- a/filebeat/module/mongodb/_meta/config.yml +++ b/filebeat/module/mongodb/_meta/config.yml @@ -1,7 +1,7 @@ - module: mongodb # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/mysql/_meta/config.yml b/filebeat/module/mysql/_meta/config.yml index 10afcb9e0ab..2b7c393eecc 100644 --- a/filebeat/module/mysql/_meta/config.yml +++ b/filebeat/module/mysql/_meta/config.yml @@ -1,7 +1,7 @@ - module: mysql # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Slow logs slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/nats/_meta/config.yml b/filebeat/module/nats/_meta/config.yml index 59a63637680..b09a36dd006 100644 --- a/filebeat/module/nats/_meta/config.yml 
+++ b/filebeat/module/nats/_meta/config.yml @@ -1,7 +1,7 @@ - module: nats # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/nginx/_meta/config.yml b/filebeat/module/nginx/_meta/config.yml index 3967af2693f..d520f4225b9 100644 --- a/filebeat/module/nginx/_meta/config.yml +++ b/filebeat/module/nginx/_meta/config.yml @@ -1,7 +1,7 @@ - module: nginx # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/osquery/_meta/config.reference.yml b/filebeat/module/osquery/_meta/config.reference.yml index b2a86b43c67..890e602f688 100644 --- a/filebeat/module/osquery/_meta/config.reference.yml +++ b/filebeat/module/osquery/_meta/config.reference.yml @@ -1,6 +1,6 @@ -- module: osquery - result: - enabled: true +#- module: osquery + #result: + #enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/osquery/_meta/config.yml b/filebeat/module/osquery/_meta/config.yml index b2a86b43c67..2f4fd911807 100644 --- a/filebeat/module/osquery/_meta/config.yml +++ b/filebeat/module/osquery/_meta/config.yml @@ -1,6 +1,6 @@ - module: osquery result: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/pensando/_meta/config.yml b/filebeat/module/pensando/_meta/config.yml index e632160bdd7..f352f542124 100644 --- a/filebeat/module/pensando/_meta/config.yml +++ b/filebeat/module/pensando/_meta/config.yml 
@@ -1,7 +1,7 @@ - module: pensando # Firewall logs dfw: - enabled: true + enabled: false var.syslog_host: 0.0.0.0 var.syslog_port: 9001 diff --git a/filebeat/module/postgresql/_meta/config.yml b/filebeat/module/postgresql/_meta/config.yml index c82734a9570..373954e6e4f 100644 --- a/filebeat/module/postgresql/_meta/config.yml +++ b/filebeat/module/postgresql/_meta/config.yml @@ -1,7 +1,7 @@ - module: postgresql # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/redis/_meta/config.yml b/filebeat/module/redis/_meta/config.yml index 4aa2f1eacf0..1a99edf7d29 100644 --- a/filebeat/module/redis/_meta/config.yml +++ b/filebeat/module/redis/_meta/config.yml @@ -1,7 +1,7 @@ - module: redis # Main logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Slow logs, retrieved via the Redis API (SLOWLOG) slowlog: - enabled: true + enabled: false # The Redis hosts to connect to. #var.hosts: ["localhost:6379"] diff --git a/filebeat/module/santa/_meta/config.yml b/filebeat/module/santa/_meta/config.yml index ab2588f900e..b6b03be3fe4 100644 --- a/filebeat/module/santa/_meta/config.yml +++ b/filebeat/module/santa/_meta/config.yml @@ -1,6 +1,6 @@ - module: santa log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/filebeat/module/system/_meta/config.yml b/filebeat/module/system/_meta/config.yml index f76dd905b4d..c1fe882374d 100644 --- a/filebeat/module/system/_meta/config.yml +++ b/filebeat/module/system/_meta/config.yml @@ -1,7 +1,7 @@ - module: system # Syslog syslog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -9,7 +9,7 @@ # Authorization logs auth: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/traefik/_meta/config.yml b/filebeat/module/traefik/_meta/config.yml index 16ec37f975e..3e9f73ce10b 100644 --- a/filebeat/module/traefik/_meta/config.yml +++ b/filebeat/module/traefik/_meta/config.yml @@ -1,7 +1,7 @@ - module: traefik # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/apache.yml.disabled b/filebeat/modules.d/apache.yml.disabled index c6a2c941469..d4fbc61659d 100644 --- a/filebeat/modules.d/apache.yml.disabled +++ b/filebeat/modules.d/apache.yml.disabled @@ -4,7 +4,7 @@ - module: apache # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/auditd.yml.disabled b/filebeat/modules.d/auditd.yml.disabled index 4b0bd49c6f6..8bcedafdee9 100644 --- a/filebeat/modules.d/auditd.yml.disabled +++ b/filebeat/modules.d/auditd.yml.disabled @@ -3,7 +3,7 @@ - module: auditd log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/elasticsearch.yml.disabled b/filebeat/modules.d/elasticsearch.yml.disabled index 4db2df4eaea..75236f1a664 100644 --- a/filebeat/modules.d/elasticsearch.yml.disabled +++ b/filebeat/modules.d/elasticsearch.yml.disabled 
@@ -4,32 +4,32 @@ - module: elasticsearch # Server log server: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/modules.d/haproxy.yml.disabled b/filebeat/modules.d/haproxy.yml.disabled index 7493d93d763..5863c5bbdf8 100644 --- a/filebeat/modules.d/haproxy.yml.disabled +++ b/filebeat/modules.d/haproxy.yml.disabled @@ -4,7 +4,7 @@ - module: haproxy # All logs log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/filebeat/modules.d/icinga.yml.disabled b/filebeat/modules.d/icinga.yml.disabled index 2b136d52072..10ab79616eb 100644 --- a/filebeat/modules.d/icinga.yml.disabled +++ b/filebeat/modules.d/icinga.yml.disabled @@ -4,7 +4,7 @@ - module: icinga # Main logs main: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Debug logs debug: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -20,7 +20,7 @@ # Startup logs startup: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/iis.yml.disabled b/filebeat/modules.d/iis.yml.disabled index 3fb8768b391..868fadedbb0 100644 --- a/filebeat/modules.d/iis.yml.disabled +++ b/filebeat/modules.d/iis.yml.disabled @@ -4,7 +4,7 @@ - module: iis # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,9 +12,9 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: - \ No newline at end of file + diff --git a/filebeat/modules.d/kafka.yml.disabled b/filebeat/modules.d/kafka.yml.disabled index 9d1b367b5c3..fd7b0013739 100644 --- a/filebeat/modules.d/kafka.yml.disabled +++ b/filebeat/modules.d/kafka.yml.disabled @@ -4,7 +4,7 @@ - module: kafka # All logs log: - enabled: true + enabled: false # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. diff --git a/filebeat/modules.d/kibana.yml.disabled b/filebeat/modules.d/kibana.yml.disabled index 0dbffa7e766..bc34de819a5 100644 --- a/filebeat/modules.d/kibana.yml.disabled +++ b/filebeat/modules.d/kibana.yml.disabled @@ -4,7 +4,7 @@ - module: kibana # Server logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/logstash.yml.disabled b/filebeat/modules.d/logstash.yml.disabled index 3eee07b97bf..fe99eeabae4 100644 --- a/filebeat/modules.d/logstash.yml.disabled 
+++ b/filebeat/modules.d/logstash.yml.disabled @@ -4,7 +4,7 @@ - module: logstash # logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Slow logs slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/modules.d/mongodb.yml.disabled b/filebeat/modules.d/mongodb.yml.disabled index 36745bca419..ac31f64bed1 100644 --- a/filebeat/modules.d/mongodb.yml.disabled +++ b/filebeat/modules.d/mongodb.yml.disabled @@ -4,7 +4,7 @@ - module: mongodb # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/mysql.yml.disabled b/filebeat/modules.d/mysql.yml.disabled index a7904e69f1b..dd5079648bc 100644 --- a/filebeat/modules.d/mysql.yml.disabled +++ b/filebeat/modules.d/mysql.yml.disabled @@ -4,7 +4,7 @@ - module: mysql # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Slow logs slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/nats.yml.disabled b/filebeat/modules.d/nats.yml.disabled index d203a1735e4..6074f499cad 100644 --- a/filebeat/modules.d/nats.yml.disabled +++ b/filebeat/modules.d/nats.yml.disabled @@ -4,7 +4,7 @@ - module: nats # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/nginx.yml.disabled b/filebeat/modules.d/nginx.yml.disabled index e15f4fe492d..450b30c0e01 100644 
--- a/filebeat/modules.d/nginx.yml.disabled +++ b/filebeat/modules.d/nginx.yml.disabled @@ -4,7 +4,7 @@ - module: nginx # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/osquery.yml.disabled b/filebeat/modules.d/osquery.yml.disabled index 1c66965bfe9..0740b774a52 100644 --- a/filebeat/modules.d/osquery.yml.disabled +++ b/filebeat/modules.d/osquery.yml.disabled @@ -3,7 +3,7 @@ - module: osquery result: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/pensando.yml.disabled b/filebeat/modules.d/pensando.yml.disabled index 72350a5dcb6..1002b61bf3e 100644 --- a/filebeat/modules.d/pensando.yml.disabled +++ b/filebeat/modules.d/pensando.yml.disabled @@ -4,7 +4,7 @@ - module: pensando # Firewall logs dfw: - enabled: true + enabled: false var.syslog_host: 0.0.0.0 var.syslog_port: 9001 diff --git a/filebeat/modules.d/postgresql.yml.disabled b/filebeat/modules.d/postgresql.yml.disabled index 1e01709d02c..5df32fefc49 100644 --- a/filebeat/modules.d/postgresql.yml.disabled +++ b/filebeat/modules.d/postgresql.yml.disabled @@ -4,7 +4,7 @@ - module: postgresql # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/redis.yml.disabled b/filebeat/modules.d/redis.yml.disabled index 6a43828abfe..dfec32f8849 100644 --- a/filebeat/modules.d/redis.yml.disabled +++ b/filebeat/modules.d/redis.yml.disabled 
@@ -4,7 +4,7 @@ - module: redis # Main logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Slow logs, retrieved via the Redis API (SLOWLOG) slowlog: - enabled: true + enabled: false # The Redis hosts to connect to. #var.hosts: ["localhost:6379"] diff --git a/filebeat/modules.d/santa.yml.disabled b/filebeat/modules.d/santa.yml.disabled index 8e187d56b62..9655b1afb59 100644 --- a/filebeat/modules.d/santa.yml.disabled +++ b/filebeat/modules.d/santa.yml.disabled @@ -3,7 +3,7 @@ - module: santa log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/filebeat/modules.d/system.yml.disabled b/filebeat/modules.d/system.yml.disabled index 49e5c9c4d98..4171c65f7ad 100644 --- a/filebeat/modules.d/system.yml.disabled +++ b/filebeat/modules.d/system.yml.disabled @@ -4,7 +4,7 @@ - module: system # Syslog syslog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Authorization logs auth: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/traefik.yml.disabled b/filebeat/modules.d/traefik.yml.disabled index 22e6cdf0dc8..440028cc182 100644 --- a/filebeat/modules.d/traefik.yml.disabled +++ b/filebeat/modules.d/traefik.yml.disabled @@ -4,7 +4,7 @@ - module: traefik # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/scripts/mage/build.go b/filebeat/scripts/mage/build.go new file mode 100644 index 00000000000..b7786d947c5 --- /dev/null +++ b/filebeat/scripts/mage/build.go 
@@ -0,0 +1,85 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package mage
+
+import (
+ "strings"
+
+ "github.com/magefile/mage/mg"
+ "go.uber.org/multierr"
+
+ devtools "github.com/elastic/beats/v7/dev-tools/mage"
+)
+
+// declare journald dependencies for cross build target
+var (
+ journaldPlatforms = []devtools.PlatformDescription{
+ devtools.Linux386, devtools.LinuxAMD64,
+ devtools.LinuxARM64, devtools.LinuxARM5, devtools.LinuxARM6, devtools.LinuxARM7,
+ devtools.LinuxMIPS, devtools.LinuxMIPSLE, devtools.LinuxMIPS64LE,
+ devtools.LinuxPPC64LE,
+ devtools.LinuxS390x,
+ }
+
+ journaldDeps = devtools.NewPackageInstaller().
+ AddEach(journaldPlatforms, "libsystemd-dev").
+ Add(devtools.Linux386, "libsystemd0", "libgcrypt20")
+)
+
+// GolangCrossBuild builds the Beat binary inside the golang-builder and then
+// checks the binaries GLIBC requirements for RHEL compatability.
+// Do not use directly, use crossBuild instead.
+func GolangCrossBuild() error {
+ return multierr.Combine(
+ golangCrossBuild(),
+ // Test the linked glibc version requirement of the binary.
+ devtools.TestLinuxForCentosGLIBC(),
+ )
+}
+
+// golangCrossBuild builds the Beat binary inside the golang-builder.
+// Do not use directly, use crossBuild instead.
+func golangCrossBuild() error {
+ conf := devtools.DefaultGolangCrossBuildArgs()
+ if devtools.Platform.GOOS == "linux" {
+ mg.Deps(journaldDeps.Installer(devtools.Platform.Name))
+ conf.ExtraFlags = append(conf.ExtraFlags, "-tags=withjournald")
+ }
+ return devtools.GolangCrossBuild(conf)
+}
+
+// CrossBuild cross-builds the beat for all target platforms.
+func CrossBuild() error {
+ return devtools.CrossBuild(devtools.ImageSelector(func(platform string) (string, error) {
+ image, err := devtools.CrossBuildImage(platform)
+ if err != nil {
+ return "", err
+ }
+ // Normally linux/amd64 and linux/386 binaries are build using debian7
+ // because it has an older glibc version that makes the binaries work on
+ // RHEL 6, but debian7 does not have the systemd libraries needed for
+ // the journald input.
+ //
+ // So use the debian8 image, but test the binary to ensure that the
+ // linked glibc version requirement is still compatible with RHEL6.
+ if platform == "linux/amd64" || platform == "linux/386" {
+ image = strings.ReplaceAll(image, "main-debian7", "main-debian8")
+ }
+ return image, nil
+ }))
+}
diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
index a9ce3637939..3702de33c94 100644
--- a/filebeat/tests/system/test_modules.py
+++ b/filebeat/tests/system/test_modules.py
@@ -128,7 +128,8 @@ def run_on_file(self, module, fileset, test_file, cfgfile): # Based on the convention that if a name contains -json the json format is needed. Currently used for LS. if "-json" in test_file: cmd.append("-M") - cmd.append("{module}.{fileset}.var.format=json".format(module=module, fileset=fileset)) + cmd.append("{module}.{fileset}.var.format=json".format( + module=module, fileset=fileset)) output_path = os.path.join(self.working_dir) # Runs inside a with block to ensure file is closed afterwards
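Review bot: The doc comments in the new build.go carry typos that every maintainer of this mage target will read: `// checks the binaries GLIBC requirements for RHEL compatability.` on `GolangCrossBuild` should read `// checks the binary's GLIBC requirements for RHEL compatibility.`, and `// Normally linux/amd64 and linux/386 binaries are build using debian7` inside `CrossBuild` should say `are built`. The header comment on the `var` block, `// declare journald dependencies for cross build target`, would help more if it stated what the entries are — from `NewPackageInstaller` and the `libsystemd-dev` name these look like Debian packages installed into the cross-build image before compiling with `-tags=withjournald`, which is what `journaldDeps.Installer` in `golangCrossBuild` appears to trigger; worth confirming and writing down, together with why `Linux386` additionally needs `libsystemd0` and `libgcrypt20`.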
@@ -152,8 +153,10 @@ def run_on_file(self, module, fileset, test_file, cfgfile): # List of errors to check in filebeat output logs errors = ["error loading pipeline for fileset"] # Checks if the output of filebeat includes errors - contains_error, error_line = file_contains(os.path.join(output_path, "output.log"), errors) - assert contains_error is False, "Error found in log:{}".format(error_line) + contains_error, error_line = file_contains( + os.path.join(output_path, "output.log"), errors) + assert contains_error is False, "Error found in log:{}".format( + error_line) # Make sure index exists self.wait_until(lambda: self.es.indices.exists(self.index_name)) @@ -198,7 +201,8 @@ def _test_expected_events(self, test_file, objects): if isinstance(objects[k][key], list): objects[k][key].sort(key=str) - json.dump(objects, f, indent=4, separators=(',', ': '), sort_keys=True) + json.dump(objects, f, indent=4, separators=( + ',', ': '), sort_keys=True) with open(test_file + "-expected.json", "r") as f: expected = json.load(f) @@ -226,7 +230,8 @@ def _test_expected_events(self, test_file, objects): d = DeepDiff(ev, obj, ignore_order=True) - assert len(d) == 0, "The following expected object doesn't match:\n Diff:\n{}, full object: \n{}".format(d, obj) + assert len( + d) == 0, "The following expected object doesn't match:\n Diff:\n{}, full object: \n{}".format(d, obj) def clean_keys(obj): @@ -252,7 +257,6 @@ def clean_keys(obj): "cisco.asa", "cisco.ios", "citrix.netscaler", - "cyberark.corepas", "cylance.protect", "f5.bigipafm", "fortinet.clientendpoint", @@ -273,14 +277,6 @@ def clean_keys(obj): "microsoft.defender_atp", "crowdstrike.falcon_endpoint", "crowdstrike.falcon_audit", - "gsuite.admin", - "gsuite.config", - "gsuite.drive", - "gsuite.groups", - "gsuite.ingest", - "gsuite.login", - "gsuite.saml", - "gsuite.user_accounts", "zoom.webhook", "threatintel.otx", "threatintel.abuseurl", diff --git a/go.mod b/go.mod index 13c15c2e3a4..3595ff6bd19 100644 --- a/go.mod 
+++ b/go.mod @@ -45,7 +45,7 @@ require ( github.com/davecgh/go-xdr v0.0.0-20161123171359-e6a2ba005892 // indirect github.com/denisenkom/go-mssqldb v0.0.0-20200206145737-bbfc9a55622e github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2 // indirect - github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b + github.com/dgraph-io/badger/v3 v3.2103.1 github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1 github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf // indirect github.com/docker/docker v1.4.2-0.20170802015333-8af4db6f002a @@ -86,12 +86,12 @@ require ( github.com/godror/godror v0.10.4 github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b github.com/gofrs/uuid v3.3.0+incompatible - github.com/gogo/protobuf v1.3.1 + github.com/gogo/protobuf v1.3.2 github.com/golang/mock v1.6.0 github.com/golang/protobuf v1.4.3 github.com/golang/snappy v0.0.3 github.com/gomodule/redigo v1.8.3 - github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9 + github.com/google/flatbuffers v1.12.0 github.com/google/go-cmp v0.5.4 github.com/google/gopacket v1.1.18-0.20191009163724-0ad7f2610e34 github.com/google/uuid v1.1.2 @@ -204,6 +204,7 @@ replace ( github.com/dop251/goja_nodejs => github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6 github.com/fsnotify/fsevents => github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 github.com/fsnotify/fsnotify => github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d + github.com/golang/glog => github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4 github.com/google/gopacket => github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41 github.com/insomniacslk/dhcp => github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 // indirect github.com/tonistiigi/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c diff --git a/go.sum b/go.sum index b70e27e1d6c..b5fa8e561e5 100644 --- a/go.sum +++ b/go.sum 
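Review bot: The added `replace github.com/golang/glog => github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4` directive has no comment explaining why the upstream module is swapped for a fork, and a `replace` redirects that import for every package in the build, including transitive dependents that never asked for it. A trailing comment such as `// <reason for the fork>, see <TRACKING-ISSUE-PLACEHOLDER>` would record the provenance and make it clear when the directive can be dropped again. The fork's checksums do appear in the go.sum hunk further down, so the verification side is covered. The `badger/v2` → `badger/v3` change in the first hunk is a major-version bump that implies import-path changes in the packages using it; those are outside this chunk, so I can't confirm they were updated together.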
@@ -219,10 +219,10 @@ github.com/denisenkom/go-mssqldb v0.0.0-20200206145737-bbfc9a55622e/go.mod h1:xb github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2 h1:6+hM8KeYKV0Z9EIINNqIEDyyIRAcNc2FW+/TUYNmWyw= github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= -github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b h1:mUDs72Rlzv6A4YN8w3Ra3hU9x/plOQPcQjZYL/1f5SM= -github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b/go.mod h1:26P/7fbL4kUZVEVKLAKXkBXKOydDmM2p1e+NhhnBCAE= -github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de h1:t0UHb5vdojIDUqktM6+xJAfScFBsVpXZmqC9dsgJmeA= -github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E= +github.com/dgraph-io/badger/v3 v3.2103.1 h1:zaX53IRg7ycxVlkd5pYdCeFp1FynD6qBGQoQql3R3Hk= +github.com/dgraph-io/badger/v3 v3.2103.1/go.mod h1:dULbq6ehJ5K0cGW/1TQ9iSfUk0gbSiToDWmWmTsJ53E= +github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI= +github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= 
@@ -269,6 +269,8 @@ github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6 h1 github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6/go.mod h1:uh/Gj9a0XEbYoM4NYz4LvaBVARz3QXLmlNjsrKY9fTc= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 h1:cWPqxlPtir4RoQVCpGSRXmLqjEHpJKbR60rxh1nQZY4= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng= +github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4 h1:ViJxdtOsHeO+SWVekzM82fYHH1xnvZ8CvGPXZj+G4YI= +github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= github.com/elastic/go-concert v0.2.0 h1:GAQrhRVXprnNjtvTP9pWJ1d4ToEA4cU5ci7TwTa20xg= github.com/elastic/go-concert v0.2.0/go.mod h1:HWjpO3IAEJUxOeaJOWXWEp7imKd27foxz9V5vegC/38= github.com/elastic/go-libaudit/v2 v2.2.0 h1:TY3FDpG4Zr9Qnv6KYW6olYr/U+nfu0rD2QAbv75VxMQ= 
@@ -362,13 +364,13 @@ github.com/gofrs/uuid v3.3.0+incompatible h1:8K4tyRfvU1CYPgJsveYFQMhpFd/wXNM7iK6 github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0 h1:RAqyYixv1p7uEnocuy8P1nru5wprCh/MH2BIlW5z5/o= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -390,15 +392,14 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA= github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/gomodule/redigo v1.8.3 h1:HR0kYDX2RJZvAup8CsiJwxB4dTCSC0AaUq6S4SiLwUc= github.com/gomodule/redigo v1.8.3/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9 h1:b4EyQBj8pgtcWOr7YCSxK6NUQzJr0n4hxJ3mc+dtKk4= -github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/flatbuffers v1.12.0 h1:/PtAHvnBY4Kqnx/xCQ3OIV9uYcSFGScBsWI3Oogeh6w= +github.com/google/flatbuffers v1.12.0/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -528,9 +529,11 @@ github.com/karrick/godirwalk v1.15.6 h1:Yf2mmR8TJy+8Fa0SuQVto5SYap6IF7lNVX4Jdl8G github.com/karrick/godirwalk v1.15.6/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.12.2 h1:2KCfW3I9M7nSc5wOqXAlW2v2U6v+w6cbjvbfp+OykW8= github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= +github.com/klauspost/compress v1.12.3 h1:G5AfA94pHPysR56qqrkO2pxEexdDzrpFJ6yt/VqWxVU= +github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
@@ -793,8 +796,9 @@ go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg= go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.2 h1:75k/FF0Q2YM8QYo07VPddOLBslDt1MZOdEslOHvmzAs= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.5 h1:dntmOdLpSpHlVqbW5Eay97DelsZHe+55D+xC6i0dDS0= +go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/goleak v1.0.0 h1:qsup4IcBdlmsnGfqyLl4Ntn3C2XCCuKAE7DwHpScyUo= @@ -870,6 +874,7 @@ golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200425230154-ff2c4b7c35a0/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q= golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 
@@ -906,7 +911,6 @@ golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190529164535-6a60838ec259/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -925,9 +929,11 @@ golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= diff --git a/heartbeat/docs/monitors/monitor-browser.asciidoc b/heartbeat/docs/monitors/monitor-browser.asciidoc index 24ea6dc7beb..aa1a2ee1ceb 100644 --- a/heartbeat/docs/monitors/monitor-browser.asciidoc +++ b/heartbeat/docs/monitors/monitor-browser.asciidoc 
@@ -65,6 +65,7 @@ Under `zip_url`, specify these options: located in the repository. *`username`*:: The username for authenticating with the zip endpoint. This setting is optional. *`password`*:: The password for authenticating with the zip endpoint. This setting is optional. +*`ssl`*:: SSL options applied to downloading the zip, not the browser. See <> for more details. If `username` and `password` are provided, they will be sent as HTTP Basic Authentication headers to the remote zip endpoint. @@ -83,9 +84,11 @@ Example configuration: folder: "examples/todos" username: "" password: "" + # ssl options apply to downloading the zip, not the browser + #ssl: + # certificate_authorities: ['/etc/ca.crt'] ------------------------------------------------------------------------------- - [float] [[monitor-source-local]] ===== `Local directory` @@ -198,7 +201,6 @@ Example configuration: *`tags`*:: run only journeys with the given tag(s), or globs *`match`*:: run only journeys with a name or tags that matches the configured glob - [float] [[monitor-browser-synthetics-args]] ==== `synthetics_args` diff --git a/heartbeat/hbtest/hbtestutil.go b/heartbeat/hbtest/hbtestutil.go index ec802079fbc..80753294d8e 100644 --- a/heartbeat/hbtest/hbtestutil.go +++ b/heartbeat/hbtest/hbtestutil.go @@ -83,6 +83,15 @@ func SizedResponseHandler(bytes int) http.HandlerFunc { ) } +func CustomResponseHandler(body []byte, status int) http.HandlerFunc { + return http.HandlerFunc( + func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(status) + w.Write(body) + }, + ) +} + // RedirectHandler redirects the paths at the keys in the redirectingPaths map to the locations in their values. // For paths not in the redirectingPaths map it returns a 200 response with the given body. func RedirectHandler(redirectingPaths map[string]string, body string) http.HandlerFunc { 
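Review bot: `CustomResponseHandler` is exported but has no doc comment, and the return values of `w.Write(body)` are discarded, which errcheck-style linters flag. Add `// CustomResponseHandler returns a handler that replies with the given status code and writes body verbatim, for tests that need a fixed response.` above the function, and make the discard deliberate or check it, e.g. `_, _ = w.Write(body) // test helper; a failed body write surfaces as a client-side read error`. Because `WriteHeader(status)` runs before any `Content-Type` is set, the net/http server fills the type in by sniffing `body`; if callers depend on a particular type, the helper could take it as a parameter. The trailing `RedirectHandler` signature belongs to a function that continues outside the hunk.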
diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go index 4e6f67dec97..48b37b74d89 100644 --- a/heartbeat/monitors/active/http/http_test.go +++ b/heartbeat/monitors/active/http/http_test.go 
@@ -341,6 +341,112 @@ func TestLargeResponse(t *testing.T) { ) } +func TestJsonBody(t *testing.T) { + type testCase struct { + name string + responseBody string + condition common.MapStr + expectedErrMsg string + expectedContentType string + } + + testCases := []testCase{ + { + "simple match", + "{\"foo\": \"bar\"}", + common.MapStr{ + "equals": common.MapStr{"foo": "bar"}, + }, + "", + "application/json", + }, + { + "mismatch", + "{\"foo\": \"bar\"}", + common.MapStr{ + "equals": common.MapStr{"baz": "bot"}, + }, + "JSON body did not match", + "application/json", + }, + { + "invalid json", + "notjson", + common.MapStr{ + "equals": common.MapStr{"foo": "bar"}, + }, + "could not parse JSON", + "text/plain; charset=utf-8", + }, + { + "complex type match json", + "{\"number\": 3, \"bool\": true}", + common.MapStr{ + "equals": common.MapStr{"number": 3, "bool": true}, + }, + "", + "application/json", + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + server := httptest.NewServer(hbtest.CustomResponseHandler([]byte(tc.responseBody), 200)) + defer server.Close() + + configSrc := map[string]interface{}{ + "hosts": server.URL, + "timeout": "1s", + "response.include_body": "never", + "check.response.json": []common.MapStr{ + { + "description": "myJsonCheck", + "condition": tc.condition, + }, + }, + } + + config, err := common.NewConfigFrom(configSrc) + require.NoError(t, err) + + p, err := create("largeresp", config) + require.NoError(t, err) + + sched, _ := schedule.Parse("@every 1s") + job := wrappers.WrapCommon(p.Jobs, stdfields.StdMonitorFields{ID: "test", Type: "http", Schedule: sched, Timeout: 1})[0] + + event := &beat.Event{} + _, err = job(event) + require.NoError(t, err) + + if tc.expectedErrMsg == "" { + testslike.Test( + t, + lookslike.Strict(lookslike.Compose( + hbtest.BaseChecks("127.0.0.1", "up", "http"), + hbtest.RespondingTCPChecks(), + hbtest.SummaryChecks(1, 0), + respondingHTTPChecks(server.URL, tc.expectedContentType, 
200), + )), + event.Fields, + ) + } else { + testslike.Test( + t, + lookslike.Strict(lookslike.Compose( + hbtest.BaseChecks("127.0.0.1", "down", "http"), + hbtest.RespondingTCPChecks(), + hbtest.SummaryChecks(0, 1), + hbtest.ErrorChecks(tc.expectedErrMsg, "validate"), + respondingHTTPChecks(server.URL, tc.expectedContentType, 200), + )), + event.Fields, + ) + } + }) + } +} + func runHTTPSServerCheck( t *testing.T, server *httptest.Server, diff --git a/heartbeat/tests/system/test_monitor.py b/heartbeat/tests/system/test_monitor.py index 4952ab8d259..b7a1edae5be 100644 --- a/heartbeat/tests/system/test_monitor.py +++ b/heartbeat/tests/system/test_monitor.py 
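Review bot: `p, err := create("largeresp", config)` reuses the monitor name from `TestLargeResponse`; in `TestJsonBody` it should be `create("jsonbody", config)` or `tc.name` so failures and emitted fields aren't misattributed. In the same block `sched, _ := schedule.Parse("@every 1s")` drops the parse error; `sched, err := schedule.Parse("@every 1s")` followed by `require.NoError(t, err)` keeps the test from continuing with a zero schedule if that expression is ever edited. The test server handler never sets `Content-Type`, so the `expectedContentType` values appear to rest on the mime type heartbeat derives from the body itself; a one-line comment on that field would spare the next reader from wondering why `application/json` is expected from a server that never sends it. `runHTTPSServerCheck` at the end of the hunk continues outside it.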
@@ -90,88 +90,6 @@ def test_http_delayed(self): finally: server.shutdown() - @parameterized.expand([ - ("up", '{"foo": {"baz": "bar"}}'), - ("down", '{"foo": "unexpected"}'), - ("down", 'notjson'), - ]) - def test_http_json(self, expected_status, body): - """ - Test JSON response checks - """ - server = self.start_server(body, 200) - try: - self.render_config_template( - monitors=[{ - "type": "http", - "urls": ["http://localhost:{}".format(server.server_port)], - "check_response_json": [{ - "description": "foo equals bar", - "condition": { - "equals": {"foo": {"baz": "bar"}} - } - }] - }] - ) - - try: - proc = self.start_beat() - self.wait_until(lambda: self.log_contains("heartbeat is running")) - - self.wait_until( - lambda: self.output_has(lines=1)) - finally: - proc.check_kill_and_wait() - - self.assert_last_status(expected_status) - if expected_status == "down": - self.assertEqual(self.last_output_line()["http.response.body.content"], body) - if body == "notjson": - self.assertEqual(self.last_output_line()["http.response.mime_type"], "text/plain; charset=utf-8") - else: - self.assertEqual(self.last_output_line()["http.response.mime_type"], "application/json") - else: - assert "http.response.body.content" not in self.last_output_line() - finally: - server.shutdown() - - @parameterized.expand([ - ('{"foo": "bar"}', {"foo": "bar"}), - ('{"foo": true}', {"foo": True},), - ('{"foo": 3}', {"foo": 3},), - ]) - def test_json_simple_comparisons(self, body, comparison): - """ - Test JSON response with simple straight-forward comparisons - """ - server = self.start_server(body, 200) - try: - self.render_config_template( - monitors=[{ - "type": "http", - "urls": ["http://localhost:{}".format(server.server_port)], - "check_response_json": [{ - "description": body, - "condition": { - "equals": comparison - } - }] - }] - ) - - try: - proc = self.start_beat() - self.wait_until(lambda: self.log_contains("heartbeat is running")) - - self.wait_until( - lambda: 
self.output_has(lines=1)) - finally: - proc.check_kill_and_wait() - - self.assert_last_status("up") - finally: - server.shutdown() - @parameterized.expand([ (lambda server: "localhost:{}".format(server.server_port), "up"), # This IP is reserved in IPv4 diff --git a/libbeat/cmd/instance/beat_test.go b/libbeat/cmd/instance/beat_test.go index bb541c3d204..e05b4ddb87a 100644 --- a/libbeat/cmd/instance/beat_test.go +++ b/libbeat/cmd/instance/beat_test.go @@ -78,16 +78,31 @@ func TestInitKibanaConfig(t *testing.T) { assert.Equal(t, "testidx", b.Info.IndexPrefix) assert.Equal(t, "0.9", b.Info.Version) - cfg, err := cfgfile.Load("../test/filebeat_test.yml", nil) + const configPath = "../test/filebeat_test.yml" + + // Ensure that the config has owner-exclusive write permissions. + // This is necessary on some systems which have a default umask + // of 0o002, meaning that files are checked out by git with mode + // 0o664. This would cause cfgfile.Load to fail. + err = os.Chmod(configPath, 0o644) + assert.NoError(t, err) + + cfg, err := cfgfile.Load(configPath, nil) + assert.NoError(t, err) err = cfg.Unpack(&b.Config) assert.NoError(t, err) kibanaConfig := InitKibanaConfig(b.Config) username, err := kibanaConfig.String("username", -1) + assert.NoError(t, err) password, err := kibanaConfig.String("password", -1) + assert.NoError(t, err) api_key, err := kibanaConfig.String("api_key", -1) + assert.NoError(t, err) protocol, err := kibanaConfig.String("protocol", -1) + assert.NoError(t, err) host, err := kibanaConfig.String("host", -1) + assert.NoError(t, err) assert.Equal(t, "elastic-test-username", username) assert.Equal(t, "elastic-test-password", password) diff --git a/libbeat/cmd/instance/metrics/metrics.go b/libbeat/cmd/instance/metrics/metrics.go index 700b0420a76..8865b4967c9 100644 --- a/libbeat/cmd/instance/metrics/metrics.go +++ b/libbeat/cmd/instance/metrics/metrics.go 
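Review bot: `os.Chmod(configPath, 0o644)` permanently changes the mode of a file in the source checkout as a side effect of running the test, and because the following `assert.NoError` calls do not stop the test, a failed `cfgfile.Load` leaves `cfg` nil and the test panics at `cfg.Unpack`. Staging a copy of the fixture in `t.TempDir()` with the required mode keeps the tree untouched and puts the permissions `cfgfile.Load` checks under the test's control; the load error should then be checked with `require.NoError` so the nil dereference cannot occur. TestInitKibanaConfig's body begins outside the hunk, so whether `require` and `path/filepath` are already imported cannot be seen from here.
```go
	// Stage the fixture in a temp dir with owner-only write permission
	// instead of changing the mode of the checked-out file.
	data, err := os.ReadFile("../test/filebeat_test.yml")
	require.NoError(t, err)
	configPath := filepath.Join(t.TempDir(), "filebeat_test.yml")
	require.NoError(t, os.WriteFile(configPath, data, 0o644))

	cfg, err := cfgfile.Load(configPath, nil)
	require.NoError(t, err)
	// … unchanged: Unpack, InitKibanaConfig and the field assertions …
```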
@@ -28,6 +28,7 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/metric/system/cgroup" "github.com/elastic/beats/v7/libbeat/metric/system/cpu" + "github.com/elastic/beats/v7/libbeat/metric/system/numcpu" "github.com/elastic/beats/v7/libbeat/metric/system/process" "github.com/elastic/beats/v7/libbeat/monitoring" "github.com/elastic/beats/v7/libbeat/paths" @@ -265,7 +266,7 @@ func reportSystemCPUUsage(_ monitoring.Mode, V monitoring.Visitor) { V.OnRegistryStart() defer V.OnRegistryFinished() - monitoring.ReportInt(V, "cores", int64(runtime.NumCPU())) + monitoring.ReportInt(V, "cores", int64(numcpu.NumCPU())) } func reportRuntime(_ monitoring.Mode, V monitoring.Visitor) { diff --git a/libbeat/common/encoding/xml/decode.go b/libbeat/common/encoding/xml/decode.go index 665c0608f67..8fcc790ca5c 100644 --- a/libbeat/common/encoding/xml/decode.go +++ b/libbeat/common/encoding/xml/decode.go @@ -80,7 +80,7 @@ func (d *Decoder) decode(attrs []xml.Attr) (string, map[string]interface{}, erro // Add the data to the current object while taking into account // if the current key already exists (in the case of lists). key := d.key(elem.Name.Local) - value := elements[elem.Name.Local] + value := elements[key] switch v := value.(type) { case nil: elements[key] = add diff --git a/libbeat/common/encoding/xml/decode_test.go b/libbeat/common/encoding/xml/decode_test.go index 277972e56da..9dd585ac6d7 100644 --- a/libbeat/common/encoding/xml/decode_test.go +++ b/libbeat/common/encoding/xml/decode_test.go @@ -366,10 +366,16 @@ func ExampleDecoder_Decode() { // "event": { // "eventdata": { // "binary": "770069006E006C006F00670062006500610074002F0034000000", - // "data": { - // "#text": "running", - // "name": "param2" - // } + // "data": [ + // { + // "#text": "winlogbeat", + // "name": "param1" + // }, + // { + // "#text": "running", + // "name": "param2" + // } + // ] // }, // "processingerrordata": { // "dataitemname": "shellId", 
diff --git a/libbeat/dashboards/decode.go b/libbeat/dashboards/decode.go index cd79bfead43..10c0a694898 100644 --- a/libbeat/dashboards/decode.go +++ b/libbeat/dashboards/decode.go @@ -30,11 +30,13 @@ import ( var ( responseToDecode = []string{ - "attributes.uiStateJSON", - "attributes.visState", + "attributes.kibanaSavedObjectMeta.searchSourceJSON", + "attributes.layerListJSON", + "attributes.mapStateJSON", "attributes.optionsJSON", "attributes.panelsJSON", - "attributes.kibanaSavedObjectMeta.searchSourceJSON", + "attributes.uiStateJSON", + "attributes.visState", } ) @@ -76,15 +78,51 @@ func decodeLine(line []byte) []byte { if err != nil { return line } + o = decodeObject(o) + o = decodeEmbeddableConfig(o) + + return []byte(o.String()) +} + +func decodeObject(o common.MapStr) common.MapStr { for _, key := range responseToDecode { // All fields are optional, so errors are not caught err := decodeValue(o, key) if err != nil { logger := logp.NewLogger("dashboards") logger.Debugf("Error while decoding dashboard objects: %+v", err) + continue } } - return []byte(o.String()) + + return o +} + +func decodeEmbeddableConfig(o common.MapStr) common.MapStr { + p, err := o.GetValue("attributes.panelsJSON") + if err != nil { + return o + } + + if panels, ok := p.([]interface{}); ok { + for i, pan := range panels { + if panel, ok := pan.(map[string]interface{}); ok { + panelObj := common.MapStr(panel) + embedded, err := panelObj.GetValue("embeddableConfig") + if err != nil { + continue + } + if embeddedConfig, ok := embedded.(map[string]interface{}); ok { + embeddedConfigObj := common.MapStr(embeddedConfig) + panelObj.Put("embeddableConfig", decodeObject(embeddedConfigObj)) + panels[i] = panelObj + } + } + } + o.Put("attributes.panelsJSON", panels) + } + + return o } func decodeValue(data common.MapStr, key string) error { diff --git a/libbeat/dashboards/modify_json.go b/libbeat/dashboards/modify_json.go index 3178d6b2382..daacccdbc3f 100644 
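Review bot: The return values of `MapStr.Put` in `decodeEmbeddableConfig` are dropped on both `panelObj.Put("embeddableConfig", ...)` and `o.Put("attributes.panelsJSON", panels)`; `Put` reports an error when the value cannot be placed under the key, and ignoring it means a failure silently leaves the still-encoded string in place with no trace, whereas `decodeObject` at least logs at debug level. A check such as `if _, err := o.Put("attributes.panelsJSON", panels); err != nil { return o }` (and the same for the inner put) makes the outcome explicit. Separately, the `continue` added at the end of the loop body in `decodeObject` is the last statement of the iteration and has no effect; it can be removed.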
--- a/libbeat/dashboards/modify_json.go +++ b/libbeat/dashboards/modify_json.go @@ -21,6 +21,7 @@ import ( "bytes" "encoding/json" "fmt" + "regexp" "github.com/pkg/errors" @@ -46,11 +47,6 @@ type JSONObject struct { Attributes JSONObjectAttribute `json:"attributes"` } -// JSONFormat contains a list of JSON object -type JSONFormat struct { - Objects []JSONObject `json:"objects"` -} - // ReplaceIndexInIndexPattern replaces an index in a dashboard content body func ReplaceIndexInIndexPattern(index string, content common.MapStr) (err error) { if index == "" { 
@@ -128,43 +124,62 @@ func ReplaceIndexInSavedObject(logger *logp.Logger, index string, kibanaSavedObj } kibanaSavedObject["searchSourceJSON"] = searchSourceJSON } - if visStateJSON, ok := kibanaSavedObject["visState"].(string); ok { - visStateJSON = ReplaceIndexInVisState(logger, index, visStateJSON) - kibanaSavedObject["visState"] = visStateJSON + if visState, ok := kibanaSavedObject["visState"].(map[string]interface{}); ok { + kibanaSavedObject["visState"] = ReplaceIndexInVisState(logger, index, visState) } return kibanaSavedObject } -// ReplaceIndexInVisState replaces index appearing in visState params objects -func ReplaceIndexInVisState(logger *logp.Logger, index string, visStateJSON string) string { - - var visState map[string]interface{} - err := json.Unmarshal([]byte(visStateJSON), &visState) - if err != nil { - logger.Errorf("Fail to unmarshal visState: %v", err) - return visStateJSON - } +var timeLionIdxRegexp = regexp.MustCompile(`index=\".*beat-\*\"`) +// ReplaceIndexInVisState replaces index appearing in visState params objects +func ReplaceIndexInVisState(logger *logp.Logger, index string, visState map[string]interface{}) map[string]interface{} { params, ok := visState["params"].(map[string]interface{}) if !ok { - return visStateJSON + return visState } // Don't set it if it was not set before - if pattern, ok := params["index_pattern"].(string); !ok || len(pattern) == 0 { - return visStateJSON + if pattern, ok := params["index_pattern"].(string); ok && len(pattern) != 0 { + params["index_pattern"] = index + } + + if s, ok := params["series"].([]interface{}); ok { + for i, ser := range s { + if series, ok := ser.(map[string]interface{}); ok { + if _, ok := series["series_index_pattern"]; !ok { + continue + } + series["series_index_pattern"] = index + s[i] = series + } + } + params["series"] = s } - params["index_pattern"] = index + if annotations, ok := params["annotations"].([]interface{}); ok { + for i, ann := range annotations { + annotation, ok 
:= ann.(map[string]interface{}) + if !ok { + continue + } + if _, ok = annotation["index_pattern"]; !ok { + continue + } + annotation["index_pattern"] = index + annotations[i] = annotation + } + params["annotations"] = annotations + } - d, err := json.Marshal(visState) - if err != nil { - logger.Errorf("Fail to marshal visState: %v", err) - return visStateJSON + if expr, ok := params["expression"].(string); ok { + params["expression"] = timeLionIdxRegexp.ReplaceAllString(expr, `index="`+index+`"`) } - return string(d) + visState["params"] = replaceIndexInParamControls(logger, index, params) + + return visState } // ReplaceIndexInDashboardObject replaces references to the index pattern in dashboard objects @@ -195,10 +210,28 @@ func ReplaceIndexInDashboardObject(index string, content []byte) []byte { attributes["kibanaSavedObjectMeta"] = ReplaceIndexInSavedObject(logger, index, kibanaSavedObject) } - if visState, ok := attributes["visState"].(string); ok { + if visState, ok := attributes["visState"].(map[string]interface{}); ok { attributes["visState"] = ReplaceIndexInVisState(logger, index, visState) } + if layerListJSON, ok := attributes["layerListJSON"].([]interface{}); ok { + attributes["layerListJSON"] = replaceIndexInLayerListJSON(logger, index, layerListJSON) + } + + if mapStateJSON, ok := attributes["mapStateJSON"].(map[string]interface{}); ok { + attributes["mapStateJSON"] = replaceIndexInMapStateJSON(logger, index, mapStateJSON) + } + + if panelsJSON, ok := attributes["panelsJSON"].([]interface{}); ok { + attributes["panelsJSON"] = replaceIndexInPanelsJSON(logger, index, panelsJSON) + } + + objectMap["attributes"] = attributes + + if references, ok := objectMap["references"].([]interface{}); ok { + objectMap["references"] = replaceIndexInReferences(index, references) + } + b, err := json.Marshal(objectMap) if err != nil { logger.Error("Error marshaling modified dashboard: %+v", err) 
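Review bot: The pattern compiled into `timeLionIdxRegexp` uses a greedy, unanchored `.*`, so on a Timelion expression that references more than one index — for example (constructed) `.es(index="metricbeat-*").es(index="filebeat-*")` — the single match runs from the first `index="` to the last `beat-*"`, and `ReplaceAllString` collapses both references and everything between them into one `index="..."`. Restricting the wildcard to non-quote characters, `index="[^"]*beat-\*"`, replaces each reference independently; the `\"` escapes are also unnecessary inside a raw string and can be plain quotes. The `logger` parameter of `ReplaceIndexInVisState` is now only forwarded to `replaceIndexInParamControls`, which does not read it either.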
@@ -208,6 +241,121 @@ func ReplaceIndexInDashboardObject(index string, content []byte) []byte { return b } +func replaceIndexInLayerListJSON(logger *logp.Logger, index string, layerListJSON []interface{}) []interface{} { + for i, layerListElem := range layerListJSON { + elem, ok := layerListElem.(map[string]interface{}) + if !ok { + continue + } + + if joins, ok := elem["joins"].([]interface{}); ok { + for j, join := range joins { + if pos, ok := join.(map[string]interface{}); ok { + for key, val := range pos { + if joinElems, ok := val.(map[string]interface{}); ok { + if _, ok := joinElems["indexPatternTitle"]; ok { + joinElems["indexPatternTitle"] = index + pos[key] = joinElems + } + } + } + joins[j] = pos + } + } + elem["joins"] = joins + } + if descriptor, ok := elem["sourceDescriptor"].(map[string]interface{}); ok { + if _, ok := descriptor["indexPatternId"]; ok { + descriptor["indexPatternId"] = index + } + elem["sourceDescriptor"] = descriptor + } + + layerListJSON[i] = elem + } + return layerListJSON +} + +func replaceIndexInMapStateJSON(logger *logp.Logger, index string, mapState map[string]interface{}) map[string]interface{} { + if filters, ok := mapState["filters"].([]interface{}); ok { + for i, f := range filters { + if filter, ok := f.(map[string]interface{}); ok { + if meta, ok := filter["meta"].(map[string]interface{}); ok { + if _, ok := meta["index"]; !ok { + continue + } + meta["index"] = index + filter["meta"] = meta + } + filters[i] = filter + } + } + mapState["filters"] = filters + } + + return mapState +} + +func replaceIndexInPanelsJSON(logger *logp.Logger, index string, panelsJSON []interface{}) []interface{} { + for i, p := range panelsJSON { + if panel, ok := p.(map[string]interface{}); ok { + config, ok := panel["embeddableConfig"].(map[string]interface{}) + if !ok { + continue + } + if configAttr, ok := config["attributes"].(map[string]interface{}); ok { + if references, ok := configAttr["references"].([]interface{}); ok { + 
configAttr["references"] = replaceIndexInReferences(index, references) + } + if layerListJSON, ok := configAttr["layerListJSON"].([]interface{}); ok { + configAttr["layerListJSON"] = replaceIndexInLayerListJSON(logger, index, layerListJSON) + } + config["attributes"] = configAttr + } + + if savedVis, ok := config["savedVis"].(map[string]interface{}); ok { + if params, ok := savedVis["params"].(map[string]interface{}); ok { + savedVis["params"] = replaceIndexInParamControls(logger, index, params) + } + config["savedVis"] = savedVis + } + + panel["embeddableConfig"] = config + panelsJSON[i] = panel + } + } + return panelsJSON +} + +func replaceIndexInParamControls(logger *logp.Logger, index string, params map[string]interface{}) map[string]interface{} { + if controlsList, ok := params["controls"].([]interface{}); ok { + for i, ctrl := range controlsList { + if control, ok := ctrl.(map[string]interface{}); ok { + if _, ok := control["indexPattern"]; ok { + control["indexPattern"] = index + controlsList[i] = control + } + } + } + params["controls"] = controlsList + } + return params +} + +func replaceIndexInReferences(index string, references []interface{}) []interface{} { + for i, ref := range references { + if reference, ok := ref.(map[string]interface{}); ok { + if refType, ok := reference["type"].(string); ok { + if refType == "index-pattern" { + reference["id"] = index + } + } + references[i] = reference + } + } + return references +} + func EncodeJSONObjects(content []byte) []byte { logger := logp.NewLogger("dashboards") diff --git a/libbeat/dashboards/modify_json_test.go b/libbeat/dashboards/modify_json_test.go index 48f0fe972c9..389e8b416a7 100644 --- a/libbeat/dashboards/modify_json_test.go +++ b/libbeat/dashboards/modify_json_test.go 
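Review bot: The `logger *logp.Logger` parameter is never read in `replaceIndexInLayerListJSON`, `replaceIndexInMapStateJSON`, `replaceIndexInPanelsJSON` or `replaceIndexInParamControls`; it is only threaded from one helper to the next, while `replaceIndexInReferences` omits it. Either drop it from all four signatures for consistency with `replaceIndexInReferences`, or use it to emit a debug line on the `continue` branches where an element of unexpected type is skipped, which would help diagnose dashboards that are silently left unmodified. In `replaceIndexInMapStateJSON` the `continue` taken when `meta` has no `index` key also skips the `filters[i] = filter` write-back; that is harmless only because `filter` is a map shared with the slice element, which deserves a comment such as `// filter is a map, so earlier mutations are already visible through filters[i]`.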
@@ -77,9 +77,34 @@ func TestReplaceIndexInDashboardObject(t *testing.T) { []byte(`{"attributes":{"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"otherindex-*\"}"}}}`), }, { - []byte(`{"attributes":{"kibanaSavedObjectMeta":{"visState":"{\"params\":{\"index_pattern\":\"metricbeat-*\"}}"}}}`), + []byte(`{"attributes":{"layerListJSON":[{"joins":[{"leftField":"iso2","right":{"indexPatternTitle":"filebeat-*"}}]}]}}`), "otherindex-*", - []byte(`{"attributes":{"kibanaSavedObjectMeta":{"visState":"{\"params\":{\"index_pattern\":\"otherindex-*\"}}"}}}`), + []byte(`{"attributes":{"layerListJSON":[{"joins":[{"leftField":"iso2","right":{"indexPatternTitle":"otherindex-*"}}]}]}}`), + }, + { + []byte(`{"attributes":{"panelsJSON":[{"embeddableConfig":{"attributes":{"references":[{"id":"filebeat-*","type":"index-pattern"}]}}}]}}`), + "otherindex-*", + []byte(`{"attributes":{"panelsJSON":[{"embeddableConfig":{"attributes":{"references":[{"id":"otherindex-*","type":"index-pattern"}]}}}]}}`), + }, + { + []byte(`{"attributes":{},"references":[{"id":"auditbeat-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}]}`), + "otherindex-*", + []byte(`{"attributes":{},"references":[{"id":"otherindex-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}]}`), + }, + { + []byte(`{"attributes":{"visState":{"params":{"index_pattern":"winlogbeat-*"}}}}`), + "otherindex-*", + []byte(`{"attributes":{"visState":{"params":{"index_pattern":"otherindex-*"}}}}`), + }, + { + []byte(`{"attributes":{"visState":{"params":{"series":[{"series_index_pattern":"filebeat-*"}]}}}}`), + "otherindex-*", + []byte(`{"attributes":{"visState":{"params":{"series":[{"series_index_pattern":"otherindex-*"}]}}}}`), + }, + { + []byte(`{"attributes":{"mapStateJSON":{"filters":[{"meta":{"index":"filebeat-*"}}]}}}`), + "otherindex-*", + []byte(`{"attributes":{"mapStateJSON":{"filters":[{"meta":{"index":"otherindex-*"}}]}}}`), }, } 
diff --git a/libbeat/docs/shared-docker.asciidoc b/libbeat/docs/shared-docker.asciidoc index 6b73a6d90a7..2e7e04e6c7a 100644 --- a/libbeat/docs/shared-docker.asciidoc +++ b/libbeat/docs/shared-docker.asciidoc @@ -294,10 +294,7 @@ ifeval::["{beatname_lc}"!="auditbeat"] ["source", "dockerfile", subs="attributes"] -------------------------------------------- FROM {dockerimage} -COPY {beatname_lc}.yml /usr/share/{beatname_lc}/{beatname_lc}.yml -USER root -RUN chown root:{beatname_lc} /usr/share/{beatname_lc}/{beatname_lc}.yml -USER {beatname_lc} +COPY --chown=root:{beatname_lc} {beatname_lc}.yml /usr/share/{beatname_lc}/{beatname_lc}.yml -------------------------------------------- endif::[] diff --git a/libbeat/metric/system/cgroup/cgcommon/metrics.go b/libbeat/metric/system/cgroup/cgcommon/metrics.go index 1791ba2ffc3..32d5a31803f 100644 --- a/libbeat/metric/system/cgroup/cgcommon/metrics.go +++ b/libbeat/metric/system/cgroup/cgcommon/metrics.go @@ -58,7 +58,6 @@ func (p Pressure) IsZero() bool { // See https://github.com/torvalds/linux/blob/master/Documentation/accounting/psi.rst func GetPressure(path string) (map[string]Pressure, error) { pressureData := make(map[string]Pressure) - f, err := os.Open(path) // pass along any OS open errors directly if err != nil { diff --git a/libbeat/metric/system/cgroup/cgstats.go b/libbeat/metric/system/cgroup/cgstats.go index e218ad04fc8..0fecf06232c 100644 --- a/libbeat/metric/system/cgroup/cgstats.go +++ b/libbeat/metric/system/cgroup/cgstats.go @@ -18,13 +18,13 @@ package cgroup import ( - "runtime" "time" "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/transform/typeconv" + "github.com/elastic/beats/v7/libbeat/metric/system/numcpu" "github.com/elastic/beats/v7/libbeat/opt" ) 
@@ -69,13 +69,11 @@ func (curStat *StatsV1) FillPercentages(prev CGStats, curTime, prevTime time.Tim totalCPUDeltaNanos := int64(curStat.CPUAccounting.Total.NS - prevStat.CPUAccounting.Total.NS) pct := float64(totalCPUDeltaNanos) / float64(timeDeltaNanos) - // Avoid using NumCPU unless we need to; the values in UsagePerCPU are more likely to reflect the running conditions of the cgroup - // NumCPU can vary based on the conditions of the running metricbeat process, as it uses Affinity Masks, not hardware data. var cpuCount int if len(curStat.CPUAccounting.UsagePerCPU) > 0 { cpuCount = len(curStat.CPUAccounting.UsagePerCPU) } else { - cpuCount = runtime.NumCPU() + cpuCount = numcpu.NumCPU() } // if you look at the raw cgroup stats, the following normalized value is literally an average of per-cpu numbers. @@ -132,7 +130,7 @@ func (curStat *StatsV2) FillPercentages(prev CGStats, curTime, prevTime time.Tim pct := float64(totalCPUDeltaNanos) / float64(timeDeltaNanos) - cpuCount := runtime.NumCPU() + cpuCount := numcpu.NumCPU() // if you look at the raw cgroup stats, the following normalized value is literally an average of per-cpu numbers. normalizedPct := pct / float64(cpuCount) diff --git a/libbeat/metric/system/cpu/cpu.go b/libbeat/metric/system/cpu/cpu.go index c27687a85ce..fc14652e6ac 100644 --- a/libbeat/metric/system/cpu/cpu.go +++ b/libbeat/metric/system/cpu/cpu.go @@ -20,9 +20,8 @@ package cpu import ( - "runtime" - "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/metric/system/numcpu" sigar "github.com/elastic/gosigar" ) 
@@ -62,7 +61,7 @@ func (m *LoadMetrics) Averages() LoadAverages { // NormalizedAverages return the CPU load averages normalized by the NumCPU. // These values should range from 0 to 1. func (m *LoadMetrics) NormalizedAverages() LoadAverages { - cpus := runtime.NumCPU() + cpus := numcpu.NumCPU() return LoadAverages{ OneMinute: common.Round(m.sample.One/float64(cpus), common.DefaultDecimalPlacesCount), FiveMinute: common.Round(m.sample.Five/float64(cpus), common.DefaultDecimalPlacesCount), diff --git a/libbeat/metric/system/diskio/diskstat_linux.go b/libbeat/metric/system/diskio/diskstat_linux.go index 5ab0f7e3723..964fbf7663d 100644 --- a/libbeat/metric/system/diskio/diskstat_linux.go +++ b/libbeat/metric/system/diskio/diskstat_linux.go @@ -20,10 +20,10 @@ package diskio import ( - "runtime" - "github.com/pkg/errors" "github.com/shirou/gopsutil/disk" + + "github.com/elastic/beats/v7/libbeat/metric/system/numcpu" ) // GetCLKTCK emulates the _SC_CLK_TCK syscall @@ -63,7 +63,7 @@ func (stat *IOStat) CalcIOStatistics(counter disk.IOCountersStat) (IOMetric, err } // calculate the delta ms between the CloseSampling and OpenSampling - deltams := 1000.0 * float64(stat.curCPU.Total()-stat.lastCPU.Total()) / float64(runtime.NumCPU()) / float64(GetCLKTCK()) + deltams := 1000.0 * float64(stat.curCPU.Total()-stat.lastCPU.Total()) / float64(numcpu.NumCPU()) / float64(GetCLKTCK()) if deltams <= 0 { return IOMetric{}, errors.New("The delta cpu time between close sampling and open sampling is less or equal to 0") } diff --git a/libbeat/metric/system/numcpu/cpu_bsd.go b/libbeat/metric/system/numcpu/cpu_bsd.go new file mode 100644 index 00000000000..1b0c4142ed4 --- /dev/null +++ b/libbeat/metric/system/numcpu/cpu_bsd.go 
@@ -0,0 +1,55 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// +build openbsd freebsd
+
+package numcpu
+
+/*
+#include
+#include
+#include
+#include
+#include
+*/
+import "C"
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+// getCPU implements NumCPU on openbsd
+// This is just using the HW_NCPU sysctl value.
+func getCPU() (int, bool, error) {
+
+	// Get count of available CPUs
+	ncpuMIB := [2]int32{C.CTL_HW, C.HW_NCPU}
+	callSize := uintptr(0)
+	var ncpu int
+	// Get size of return value.
+	_, _, errno := syscall.Syscall6(syscall.SYS___SYSCTL, uintptr(unsafe.Pointer(&ncpuMIB[0])), 2, 0, uintptr(unsafe.Pointer(&callSize)), 0, 0)
+
+	if errno != 0 || callSize == 0 {
+		return -1, false, errno
+	}
+
+	// Get CPU count
+	_, _, errno = syscall.Syscall6(syscall.SYS___SYSCTL, uintptr(unsafe.Pointer(&ncpuMIB[0])), 2, uintptr(unsafe.Pointer(&ncpu)), uintptr(unsafe.Pointer(&callSize)), 0, 0)
+
+	return ncpu, true, nil
+}
diff --git a/libbeat/metric/system/numcpu/cpu_cgo.go b/libbeat/metric/system/numcpu/cpu_cgo.go
new file mode 100644
index 00000000000..fe6da963daf
--- /dev/null
+++ b/libbeat/metric/system/numcpu/cpu_cgo.go
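Review bot: The `errno` returned by the second `syscall.Syscall6` call — the one that actually writes the count into `ncpu` — is assigned but never checked, so a failing sysctl leaves `ncpu` at 0 and the function still returns `0, true, nil`; `NumCPU` then trusts that value and callers such as `NormalizedAverages` divide by it. Add `if errno != 0 { return -1, false, errno }` after that call. In the first check, `callSize == 0` with `errno == 0` hands back `Errno(0)` as the error, which is a non-nil error whose message reads "errno 0"; an explicit error for the zero-size case is clearer. The doc comment says "implements NumCPU on openbsd" while the build tag also selects freebsd.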
@@ -0,0 +1,26 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// +build freebsd,!cgo openbsd,!cgo
+
+package numcpu
+
+// getCPU is the fallback for unimplemented platforms
+func getCPU() (int, bool, error) {
+
+	return -1, false, nil
+}
diff --git a/libbeat/metric/system/numcpu/cpu_linux.go b/libbeat/metric/system/numcpu/cpu_linux.go
new file mode 100644
index 00000000000..d8f2e9f821c
--- /dev/null
+++ b/libbeat/metric/system/numcpu/cpu_linux.go
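Review bot: The doc comment `// getCPU is the fallback for unimplemented platforms` is the same text as in cpu_other.go, but this file is selected by `// +build freebsd,!cgo openbsd,!cgo`, i.e. BSD builds without cgo where the sysctl implementation in cpu_bsd.go cannot be compiled. A comment that states this, e.g. `// getCPU is the no-cgo fallback on freebsd/openbsd; without cgo the sysctl-based implementation is unavailable and NumCPU falls back to runtime.NumCPU.`, tells the reader why two otherwise identical fallback files exist.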
@@ -0,0 +1,93 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package numcpu + +import ( + "fmt" + "io/ioutil" + "os" + "path/filepath" + "strings" + + "github.com/pkg/errors" + + "github.com/elastic/beats/v7/libbeat/paths" +) + +// getCPU implements NumCPU on linux +// see https://www.kernel.org/doc/Documentation/admin-guide/cputopology.rst +func getCPU() (int, bool, error) { + + // These are the files that LSCPU looks for + // This will report online CPUs, which are are the logical CPUS + // that are currently online and scheduleable by the system. + // Some users may expect a "present" count, which reflects what + // CPUs are available to the OS, online or off. + // These two values will only differ in cases where CPU hotplugging is in affect. + // This env var swaps between them. 
+ _, isPresent := os.LookupEnv("LINUX_CPU_COUNT_PRESENT") + var cpuPath = "/sys/devices/system/cpu/online" + if isPresent { + cpuPath = "/sys/devices/system/cpu/present" + } + sysfspath := filepath.Join(paths.Paths.Hostfs, cpuPath) + + rawFile, err := ioutil.ReadFile(sysfspath) + // if the file doesn't exist, assume it's a support issue and not a bug + if errors.Is(err, os.ErrNotExist) { + return -1, false, nil + } + if err != nil { + return -1, false, errors.Wrapf(err, "error reading file %s", sysfspath) + } + + cpuCount, err := parseCPUList(string(rawFile)) + if err != nil { + return -1, false, errors.Wrapf(err, "error parsing file %s", sysfspath) + } + return cpuCount, true, nil +} + +// parse the weird list files we get from sysfs +func parseCPUList(raw string) (int, error) { + + listPart := strings.Split(raw, ",") + count := 0 + for _, v := range listPart { + if strings.Contains(v, "-") { + rangeC, err := parseCPURange(v) + if err != nil { + return 0, errors.Wrapf(err, "error parsing line %s", v) + } + count = count + rangeC + } else { + count++ + } + } + return count, nil +} + +func parseCPURange(cpuRange string) (int, error) { + var first, last int + _, err := fmt.Sscanf(cpuRange, "%d-%d", &first, &last) + if err != nil { + return 0, errors.Wrapf(err, "error reading from range %s", cpuRange) + } + + return (last - first) + 1, nil +} diff --git a/libbeat/metric/system/numcpu/cpu_linux_test.go b/libbeat/metric/system/numcpu/cpu_linux_test.go new file mode 100644 index 00000000000..af761ad70c9 --- /dev/null +++ b/libbeat/metric/system/numcpu/cpu_linux_test.go 
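Review bot: `parseCPUList` never validates its input: an empty or whitespace-only file gives `strings.Split("", ",")` → `[""]` and is counted as one CPU, and any non-numeric token — including content of a malformed sysfs file read through `Hostfs` — is likewise counted as one CPU, so the only path that can return an error is a range with a bad format. The trailing newline sysfs emits is tolerated only because `fmt.Sscanf` ignores unconsumed input after the last verb and single entries are never parsed; trimming the input and parsing single entries with `strconv.Atoi` makes the accepted format explicit. `parseCPURange` should also reject `last < first`, which currently yields a zero or negative count, e.g. `if last < first { return 0, errors.Errorf("invalid cpu range %s", cpuRange) }`. The rewrite below needs `strconv` added to the import block.
```go
// parseCPUList counts the CPUs in a sysfs list such as "0-3,5" or "2,4-31,32-63".
// Every entry must be a decimal CPU number or a first-last range.
func parseCPUList(raw string) (int, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return 0, errors.New("empty cpu list")
	}
	count := 0
	for _, v := range strings.Split(raw, ",") {
		if strings.Contains(v, "-") {
			rangeC, err := parseCPURange(v)
			if err != nil {
				return 0, errors.Wrapf(err, "error parsing line %s", v)
			}
			count += rangeC
			continue
		}
		if _, err := strconv.Atoi(v); err != nil {
			return 0, errors.Wrapf(err, "error parsing entry %s", v)
		}
		count++
	}
	return count, nil
}
```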
@@ -0,0 +1,49 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package numcpu
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCPUParse(t *testing.T) {
+
+	type cpuInput struct {
+		input    string
+		platform string
+		expected int
+	}
+
+	cpuList := []cpuInput{
+		{input: "0-23", platform: "basic X86", expected: 24},
+		{input: "0-1", platform: "ARMv7", expected: 2},
+		{input: "0-63", platform: "POWER7", expected: 64},
+		{input: "0", platform: "QEMU", expected: 1},
+		{input: "0-1,3", platform: "Kernel docs example 1", expected: 3},
+		{input: "2,4-31,32-63", platform: "Kernel docs example 2", expected: 61},
+	}
+
+	for _, cpuTest := range cpuList {
+		res, err := parseCPUList(cpuTest.input)
+		assert.NoError(t, err, cpuTest.platform)
+		assert.Equal(t, cpuTest.expected, res, cpuTest.platform)
+	}
+
+}
diff --git a/libbeat/metric/system/numcpu/cpu_other.go b/libbeat/metric/system/numcpu/cpu_other.go
new file mode 100644
index 00000000000..9e7bca21d6f
--- /dev/null
+++ b/libbeat/metric/system/numcpu/cpu_other.go
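Review bot: None of the cases in `TestCPUParse` exercises what the production caller actually passes: `getCPU` hands `parseCPUList` the raw file content, which on sysfs ends in a newline, and there is no negative case, so a later change that starts rejecting unexpected input, or that trips over the newline, would go unnoticed. Add `{input: "0-3\n", platform: "sysfs trailing newline", expected: 4}` to the table and a separate assertion that malformed input such as `"a-b"` returns an error.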
@@ -0,0 +1,26 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// +build !linux,!freebsd,!openbsd,!windows
+
+package numcpu
+
+// getCPU is the fallback for unimplemented platforms
+func getCPU() (int, bool, error) {
+
+	return -1, false, nil
+}
diff --git a/libbeat/metric/system/numcpu/cpu_windows.go b/libbeat/metric/system/numcpu/cpu_windows.go
new file mode 100644
index 00000000000..b5ddd766968
--- /dev/null
+++ b/libbeat/metric/system/numcpu/cpu_windows.go
@@ -0,0 +1,38 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package numcpu
+
+import (
+ "github.com/pkg/errors"
+
+ "github.com/elastic/gosigar/sys/windows"
+)
+
+// getCPU implements NumCPU on windows
+// For now, this is a bit of a hack that just asks for per-CPU performance data, and reports the CPU count
+func getCPU() (int, bool, error) {
+
+ // get per-cpu data
+ cpus, err := windows.NtQuerySystemProcessorPerformanceInformation()
+ if err != nil {
+ return -1, false, errors.Wrap(err, "NtQuerySystemProcessorPerformanceInformation failed")
+ }
+
+ return len(cpus), true, nil
+
+}
diff --git a/libbeat/metric/system/numcpu/numcpu.go b/libbeat/metric/system/numcpu/numcpu.go
new file mode 100644
index 00000000000..1e328d349a2
--- /dev/null
+++ b/libbeat/metric/system/numcpu/numcpu.go
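Review bot: `return len(cpus), true, nil` treats the number of entries returned by `NtQuerySystemProcessorPerformanceInformation` as the system-wide CPU count, but as far as I recall that information class only reports the processors in the caller's current processor group, so hosts with more than 64 logical processors would be under-counted; this should be confirmed against the gosigar implementation. The `true` it returns tells `NumCPU` the count is authoritative, so an under-count would not fall back to `runtime.NumCPU()`. If the limitation is real, record it next to the existing "bit of a hack" remark, e.g. `// NOTE: only the current processor group is reported; hosts with >64 logical CPUs may be under-counted.`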
@@ -0,0 +1,46 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package numcpu
+
+import (
+ "runtime"
+
+ "github.com/elastic/beats/v7/libbeat/logp"
+)
+
+// NumCPU is a drop-in replacement for runtime.NumCPU for accurate system config reporting.
+// runtime.NumCPU doesn't query any kind of hardware or OS state,
+// but merely uses affinity APIs to count what CPUs the given go process is available to run on.
+// Most of the time this works okay for reporting metrics, but under certain conditions, such as cases where
+// affinity masks are being manually set to manage the go process, or certain job controllers/VMs/etc,
+// this number will not reflect the system config.
+// Because this is drop-in, it will not return an error.
+// if it can't fetch the CPU count the "correct" way, it'll fallback to runtime.NumCPU().
+func NumCPU() int {
+ count, exists, err := getCPU()
+ if err != nil {
+ logp.L().Debugf("Error fetching CPU count: %s", err)
+ return runtime.NumCPU()
+ }
+ if !exists {
+ logp.L().Debugf("Accurate CPU counts not available on platform, falling back to runtime.NumCPU for metrics")
+ return runtime.NumCPU()
+ }
+
+ return count
+}
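Review bot: `NumCPU` does platform work on every call — `getCPU` issues `NtQuerySystemProcessorPerformanceInformation` on Windows and presumably reads kernel CPU lists on Linux — and on the error path also emits a `Debugf` each time, whereas the `runtime.NumCPU` it is documented as replacing returns a value fixed at startup. The callers this commit introduces run it per fetch: `GetProcCPUPercentage` in process.go (once per sampled process) and the load metricset in load.go, so on a platform where `getCPU` fails every process sample pays the system call and a log line. Unless CPU hot-plug must be reflected between fetches, memoise the result with a `sync.Once` (matching runtime.NumCPU's startup-time semantics) or let the callers cache it once. Whichever is chosen, the doc comment should state whether the value is recomputed on each call, e.g. `// The count is queried from the OS on every call; callers on hot paths should cache it.`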
diff --git a/libbeat/metric/system/numcpu/numcpu_test.go b/libbeat/metric/system/numcpu/numcpu_test.go new file mode 100644 index 00000000000..12ceba74512 --- /dev/null +++ b/libbeat/metric/system/numcpu/numcpu_test.go @@ -0,0 +1,40 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package numcpu + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestGetCPU(t *testing.T) { + cpuCount, exists, err := getCPU() + assert.NoError(t, err, "getCPU") + if exists { + assert.Greater(t, cpuCount, 0) + t.Logf("Got actual CPU counts.") + } + t.Logf("CPU Count: %d", cpuCount) +} + +func TestNumCPU(t *testing.T) { + cpuCount := NumCPU() + assert.NotEqual(t, -1, cpuCount) + t.Logf("CPU Count: %d", cpuCount) +} diff --git a/libbeat/metric/system/process/process.go b/libbeat/metric/system/process/process.go index 3e3c1a078fd..8ec358d3a81 100644 --- a/libbeat/metric/system/process/process.go +++ b/libbeat/metric/system/process/process.go 
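Review bot: `assert.NotEqual(t, -1, cpuCount)` in `TestNumCPU` cannot fail by construction: the only place `-1` is produced is inside `getCPU`, and `NumCPU` replaces it with `runtime.NumCPU()` on both the error and the `!exists` paths, so the assertion checks nothing about the new code. Assert the property that actually matters, as `TestGetCPU` already does for the platform path: `assert.Greater(t, cpuCount, 0)`. A second assertion that the value equals `runtime.NumCPU()` when `getCPU` reports `exists == false` would pin the fallback contract as well.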
@@ -33,6 +33,7 @@ import ( "github.com/elastic/beats/v7/libbeat/common/match" "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/metric/system/cgroup" + "github.com/elastic/beats/v7/libbeat/metric/system/numcpu" sysinfo "github.com/elastic/go-sysinfo" sigar "github.com/elastic/gosigar" ) @@ -403,7 +404,7 @@ func GetProcCPUPercentage(s0, s1 *Process) (normalizedPct, pct, totalPct float64 totalCPUDeltaMillis := int64(s1.CPU.Total - s0.CPU.Total) pct := float64(totalCPUDeltaMillis) / float64(timeDeltaMillis) - normalizedPct := pct / float64(runtime.NumCPU()) + normalizedPct := pct / float64(numcpu.NumCPU()) return common.Round(normalizedPct, common.DefaultDecimalPlacesCount), common.Round(pct, common.DefaultDecimalPlacesCount), common.Round(float64(s1.CPU.Total), common.DefaultDecimalPlacesCount) diff --git a/libbeat/processors/decode_xml/decode_xml_test.go b/libbeat/processors/decode_xml/decode_xml_test.go index 04c3c8847ed..83ef61ea226 100644 --- a/libbeat/processors/decode_xml/decode_xml_test.go +++ b/libbeat/processors/decode_xml/decode_xml_test.go @@ -176,6 +176,41 @@ func TestDecodeXML(t *testing.T) { }, }, }, + { + description: "Decoding with an array and mixed-case keys", + config: decodeXMLConfig{ + Field: "message", + ToLower: true, + }, + Input: common.MapStr{ + "message": ` + + + N/A + + + N/A + + + `, + }, + Output: common.MapStr{ + "message": common.MapStr{ + "auditbase": map[string]interface{}{ + "contextcomponents": map[string]interface{}{ + "component": []interface{}{ + map[string]interface{}{ + "relyingparty": "N/A", + }, + map[string]interface{}{ + "primaryauth": "N/A", + }, + }, + }, + }, + }, + }, + }, { description: "Decoding with multiple xml objects", config: decodeXMLConfig{ diff --git a/libbeat/reader/message.go b/libbeat/reader/message.go index 5798c3a9869..79116bfcfad 100644 --- a/libbeat/reader/message.go +++ b/libbeat/reader/message.go 
@@ -20,6 +20,7 @@ package reader import ( "time" + "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" ) @@ -75,3 +76,21 @@ func (m *Message) AddFlagsWithKey(key string, flags ...string) error { return common.AddTagsWithKey(m.Fields, key, flags) } + +// ToEvent converts a Message to an Event that can be published +// to the output. +func (m *Message) ToEvent() beat.Event { + + if len(m.Content) > 0 { + if m.Fields == nil { + m.Fields = common.MapStr{} + } + m.Fields["message"] = string(m.Content) + } + + return beat.Event{ + Timestamp: m.Ts, + Meta: m.Meta, + Fields: m.Fields, + } +} diff --git a/libbeat/reader/message_test.go b/libbeat/reader/message_test.go new file mode 100644 index 00000000000..c73576c4767 --- /dev/null +++ b/libbeat/reader/message_test.go 
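Review bot: `ToEvent` mutates its receiver — it allocates `m.Fields` when nil and writes `m.Fields["message"]` — and the returned `beat.Event` aliases the same `Fields` and `Meta` maps, so a later change on either side is visible on the other, and any pre-existing `message` field is silently overwritten by `Content` (the new "content, message field" test case in message_test.go depends on this). A method named `ToEvent` reads as a pure conversion, so extend its doc comment to say that it modifies `m`, that `message` is overwritten whenever `Content` is non-empty and left untouched otherwise, and that the Event shares `m.Fields`/`m.Meta` rather than copying them; if callers need isolation, build the event from copies of the maps instead. A one-line why-comment on the guard, `// an empty Content must not clobber a message field the reader already set`, would also make the `len(m.Content) > 0` branch intentional rather than incidental.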
@@ -0,0 +1,66 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package reader + +import ( + "testing" + + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" +) + +func TestToEvent(t *testing.T) { + testCases := map[string]struct { + msg Message + expected beat.Event + }{ + "empty message; emtpy event": { + Message{}, + beat.Event{}, + }, + "empty content, one field": { + Message{Fields: common.MapStr{"my_field": "my_value"}}, + beat.Event{Fields: common.MapStr{"my_field": "my_value"}}, + }, + "content, no field": { + Message{Content: []byte("my message")}, + beat.Event{Fields: common.MapStr{"message": "my message"}}, + }, + "content, one field": { + Message{Content: []byte("my message"), Fields: common.MapStr{"my_field": "my_value"}}, + beat.Event{Fields: common.MapStr{"message": "my message", "my_field": "my_value"}}, + }, + "content, message field": { + Message{Content: []byte("my message"), Fields: common.MapStr{"message": "my_message_value"}}, + beat.Event{Fields: common.MapStr{"message": "my message"}}, + }, + "content, meta, message field": { + Message{Content: []byte("my message"), Fields: common.MapStr{"my_field": "my_value"}, 
Meta: common.MapStr{"meta": "id"}}, + beat.Event{Fields: common.MapStr{"message": "my message", "my_field": "my_value"}, Meta: common.MapStr{"meta": "id"}}, + }, + } + + for name, test := range testCases { + t.Run(name, func(t *testing.T) { + require.Equal(t, test.expected, test.msg.ToEvent()) + }) + } + +} diff --git a/libbeat/reader/readfile/bench_test.go b/libbeat/reader/readfile/bench_test.go new file mode 100644 index 00000000000..b1f6e7667f6 --- /dev/null +++ b/libbeat/reader/readfile/bench_test.go 
@@ -0,0 +1,83 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package readfile + +import ( + "bytes" + "encoding/hex" + "fmt" + "io" + "io/ioutil" + "math/rand" + "testing" + + "golang.org/x/text/encoding" +) + +func BenchmarkEncoderReader(b *testing.B) { + const ( + bufferSize = 1024 + lineMaxLimit = 1000000 // never hit by the input data + ) + + runBench := func(name string, lineMaxLimit int, lines []byte) { + b.Run(name, func(b *testing.B) { + b.ReportAllocs() + for bN := 0; bN < b.N; bN++ { + reader, err := NewEncodeReader(ioutil.NopCloser(bytes.NewReader(lines)), Config{encoding.Nop, bufferSize, LineFeed, lineMaxLimit}) + if err != nil { + b.Fatal("failed to initialize reader:", err) + } + // Read decodec lines and test + size := 0 + for i := 0; ; i++ { + msg, err := reader.Next() + if err != nil { + if err == io.EOF { + b.ReportMetric(float64(i), "processed_lines") + break + } else { + b.Fatal("unexpected error:", err) + } + } + size += msg.Bytes + } + b.ReportMetric(float64(size), "processed_bytes") + } + }) + } + + runBench("buffer-sized lines", lineMaxLimit, createBenchmarkLines(100, 1020)) + runBench("short lines", lineMaxLimit, createBenchmarkLines(100, 10)) + runBench("long lines", lineMaxLimit, 
createBenchmarkLines(100, 10_000)) + // short lineMaxLimit to exercise skipUntilNewLine + runBench("skip lines", 1024, createBenchmarkLines(100, 10_000)) +} + +func createBenchmarkLines(numLines int, lineLength int) []byte { + buf := bytes.NewBuffer(nil) + for i := 0; i < numLines; i++ { + line := make([]byte, hex.DecodedLen(lineLength)) + if _, err := rand.Read(line); err != nil { + panic(fmt.Sprintf("failed to generate random input: %v", err)) + } + buf.WriteString(hex.EncodeToString(line)) + buf.WriteRune('\n') + } + return buf.Bytes() +} diff --git a/libbeat/reader/readfile/line.go b/libbeat/reader/readfile/line.go index c36b524dde2..78331a7d246 100644 --- a/libbeat/reader/readfile/line.go +++ b/libbeat/reader/readfile/line.go @@ -30,12 +30,11 @@ import ( const unlimited = 0 -// lineReader reads lines from underlying reader, decoding the input stream +// LineReader reads lines from underlying reader, decoding the input stream // using the configured codec. The reader keeps track of bytes consumed // from raw input stream for every decoded line. type LineReader struct { reader io.ReadCloser - bufferSize int maxBytes int // max bytes per line limit to avoid OOM with malformatted files nl []byte decodedNl []byte @@ -44,10 +43,11 @@ type LineReader struct { inOffset int // input buffer read offset byteCount int // number of bytes decoded from input buffer into output buffer decoder transform.Transformer + tempBuffer []byte logger *logp.Logger } -// New creates a new reader object +// NewLineReader creates a new reader object func NewLineReader(input io.ReadCloser, config Config) (*LineReader, error) { encoder := config.Codec.NewEncoder() 
@@ -64,13 +64,13 @@ func NewLineReader(input io.ReadCloser, config Config) (*LineReader, error) { return &LineReader{ reader: input, - bufferSize: config.BufferSize, maxBytes: config.MaxBytes, decoder: config.Codec.NewDecoder(), nl: nl, decodedNl: terminator, inBuffer: streambuf.New(nil), outBuffer: streambuf.New(nil), + tempBuffer: make([]byte, config.BufferSize), logger: logp.NewLogger("reader_line"), }, nil } @@ -133,18 +133,17 @@ func (r *LineReader) advance() error { r.inOffset = newOffset } - buf := make([]byte, r.bufferSize) - // Try to read more bytes into buffer - n, err := r.reader.Read(buf) + n, err := r.reader.Read(r.tempBuffer) if err == io.EOF && n > 0 { // Continue processing the returned bytes. The next call will yield EOF with 0 bytes. err = nil } - // Appends buffer also in case of err - r.inBuffer.Append(buf[:n]) + // Write to buffer also in case of err + r.inBuffer.Write(r.tempBuffer[:n]) + if err != nil { return err } @@ -170,7 +169,7 @@ func (r *LineReader) advance() error { // If newLine is not found and the incoming data buffer exceeded max bytes limit, then skip until the next newLine if idx == -1 && r.inBuffer.Len() > r.maxBytes { - skipped, err := r.skipUntilNewLine(buf) + skipped, err := r.skipUntilNewLine() if err != nil { r.logger.Error("Error skipping until new line, err:", err) return err @@ -204,7 +203,7 @@ func (r *LineReader) advance() error { return err } -func (r *LineReader) skipUntilNewLine(buf []byte) (int, error) { +func (r *LineReader) skipUntilNewLine() (int, error) { // The length of the line skipped skipped := r.inBuffer.Len() 
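Review bot: `tempBuffer: make([]byte, config.BufferSize)` now also serves as the `Transform` destination in the `decode` hunk that follows (`@@ -249,14 +248,13 @@`), replacing a fixed 1024-byte buffer, so the configured read-buffer size now bounds how much decoded output one `Transform` call may emit. If `BufferSize` is not validated elsewhere (the config validation is outside this diff), a very small value makes `Transform` return `transform.ErrShortDst` with `nSrc == 0`; `decode` tolerates that error and advances `start` by `nSrc`, so the loop would spin without progress, something the separate 1024-byte buffer previously made impossible. Reject or clamp a `BufferSize` smaller than the largest encoded rune at construction time, and document the dual role on the struct field: `tempBuffer []byte // scratch for raw reads and for Transform output; must hold at least one encoded rune`.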
@@ -221,14 +220,14 @@ func (r *LineReader) skipUntilNewLine(buf []byte) (int, error) { // Read until the new line is found for idx := -1; idx == -1; { - n, err := r.reader.Read(buf) + n, err := r.reader.Read(r.tempBuffer) // Check bytes read for newLine if n > 0 { - idx = bytes.Index(buf[:n], r.nl) + idx = bytes.Index(r.tempBuffer[:n], r.nl) if idx != -1 { - r.inBuffer.Append(buf[idx+len(r.nl) : n]) + r.inBuffer.Write(r.tempBuffer[idx+len(r.nl) : n]) skipped += idx } else { skipped += n @@ -249,14 +248,13 @@ func (r *LineReader) skipUntilNewLine(buf []byte) (int, error) { func (r *LineReader) decode(end int) (int, error) { var err error - buffer := make([]byte, 1024) inBytes := r.inBuffer.Bytes() start := 0 for start < end { var nDst, nSrc int - nDst, nSrc, err = r.decoder.Transform(buffer, inBytes[start:end], false) + nDst, nSrc, err = r.decoder.Transform(r.tempBuffer, inBytes[start:end], false) if err != nil { // Check if error is different from destination buffer too short if err != transform.ErrShortDst { @@ -270,7 +268,7 @@ func (r *LineReader) decode(end int) (int, error) { } start += nSrc - r.outBuffer.Write(buffer[:nDst]) + r.outBuffer.Write(r.tempBuffer[:nDst]) } r.byteCount += start diff --git a/libbeat/reader/readfile/metafields.go b/libbeat/reader/readfile/metafields.go index 8d6c34eca63..734069b5950 100644 --- a/libbeat/reader/readfile/metafields.go +++ b/libbeat/reader/readfile/metafields.go @@ -51,7 +51,9 @@ func (r *FileMetaReader) Next() (reader.Message, error) { message.Fields.DeepUpdate(common.MapStr{ "log": common.MapStr{ "offset": r.offset, - "path": r.path, + "file": common.MapStr{ + "path": r.path, + }, }, }) return message, err diff --git a/libbeat/reader/readfile/metafields_test.go b/libbeat/reader/readfile/metafields_test.go index eb198a776c0..978591c1b1b 100644 --- a/libbeat/reader/readfile/metafields_test.go +++ b/libbeat/reader/readfile/metafields_test.go 
@@ -60,7 +60,9 @@ func TestMetaFieldsOffset(t *testing.T) { if len(msg.Content) != 0 { expectedFields = common.MapStr{ "log": common.MapStr{ - "path": path, + "file": common.MapStr{ + "path": path, + }, "offset": offset, }, } diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index 2c57769dadc..6c18412767b 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -12029,19 +12029,6 @@ type: long -- -*`docker.diskio.reads`*:: -+ --- - -deprecated:[6.4] - -Number of current reads per second - - -type: scaled_float - --- - [float] === write @@ -12111,19 +12098,6 @@ type: long -- -*`docker.diskio.writes`*:: -+ --- - -deprecated:[6.4] - -Number of current writes per second - - -type: scaled_float - --- - [float] === summary @@ -12193,19 +12167,6 @@ type: long -- -*`docker.diskio.total`*:: -+ --- - -deprecated:[6.4] - -Number of reads and writes per second - - -type: scaled_float - --- - [float] === event 
@@ -12703,104 +12664,6 @@ type: keyword -- -[float] -=== in - -Incoming network stats per second. - - - -*`docker.network.in.bytes`*:: -+ --- -Total number of incoming bytes. - - -type: long - -format: bytes - --- - -*`docker.network.in.dropped`*:: -+ --- -Total number of dropped incoming packets. - - -type: scaled_float - --- - -*`docker.network.in.errors`*:: -+ --- -Total errors on incoming packets. - - -type: long - --- - -*`docker.network.in.packets`*:: -+ --- -Total number of incoming packets. - - -type: long - --- - -[float] -=== out - -Outgoing network stats per second. - - - -*`docker.network.out.bytes`*:: -+ --- -Total number of outgoing bytes. - - -type: long - -format: bytes - --- - -*`docker.network.out.dropped`*:: -+ --- -Total number of dropped outgoing packets. - - -type: scaled_float - --- - -*`docker.network.out.errors`*:: -+ --- -Total errors on outgoing packets. - - -type: long - --- - -*`docker.network.out.packets`*:: -+ --- -Total number of outgoing packets. - - -type: long - --- - [float] === inbound diff --git a/metricbeat/mb/module/wrapper.go b/metricbeat/mb/module/wrapper.go index 8d18dfbe552..c3d279d2859 100644 --- a/metricbeat/mb/module/wrapper.go +++ b/metricbeat/mb/module/wrapper.go 
@@ -251,14 +251,14 @@ func (msw *metricSetWrapper) fetch(ctx context.Context, reporter reporter) { err := fetcher.Fetch(reporter.V2()) if err != nil { reporter.V2().Error(err) - logp.Info("Error fetching data for metricset %s.%s: %s", msw.module.Name(), msw.Name(), err) + logp.Err("Error fetching data for metricset %s.%s: %s", msw.module.Name(), msw.Name(), err) } case mb.ReportingMetricSetV2WithContext: reporter.StartFetchTimer() err := fetcher.Fetch(ctx, reporter.V2()) if err != nil { reporter.V2().Error(err) - logp.Info("Error fetching data for metricset %s.%s: %s", msw.module.Name(), msw.Name(), err) + logp.Err("Error fetching data for metricset %s.%s: %s", msw.module.Name(), msw.Name(), err) } default: panic(fmt.Sprintf("unexpected fetcher type for %v", msw)) diff --git a/metricbeat/module/docker/diskio/_meta/fields.yml b/metricbeat/module/docker/diskio/_meta/fields.yml index 71f9e22859a..74532058ec3 100644 --- a/metricbeat/module/docker/diskio/_meta/fields.yml +++ b/metricbeat/module/docker/diskio/_meta/fields.yml @@ -28,17 +28,12 @@ Total time to service IO requests, in nanoseconds - name: wait_time type: long - description: > + description: > Total time requests spent waiting in queues for service, in nanoseconds - name: queued type: long description: > Total number of queued requests - - name: reads - type: scaled_float - deprecated: 6.4 - description: > - Number of current reads per second - name: write type: group description: > @@ -63,17 +58,12 @@ Total time to service IO requests, in nanoseconds - name: wait_time type: long - description: > + description: > Total time requests spent waiting in queues for service, in nanoseconds - name: queued type: long description: > Total number of queued requests - - name: writes - type: scaled_float - deprecated: 6.4 - description: > - Number of current writes per second - name: summary type: group description: 
> @@ -98,14 +88,9 @@ Total time to service IO requests, in nanoseconds - name: wait_time type: long - description: > + description: > Total time requests spent waiting in queues for service, in nanoseconds - name: queued type: long description: > Total number of queued requests - - name: total - type: scaled_float - deprecated: 6.4 - description: > - Number of reads and writes per second diff --git a/metricbeat/module/docker/diskio/data.go b/metricbeat/module/docker/diskio/data.go index 04665ca85cc..4d5ae9b0e5c 100644 --- a/metricbeat/module/docker/diskio/data.go +++ b/metricbeat/module/docker/diskio/data.go @@ -30,9 +30,6 @@ func eventsMapping(r mb.ReporterV2, blkioStatsList []BlkioStats) { func eventMapping(r mb.ReporterV2, stats *BlkioStats) { fields := common.MapStr{ - "reads": stats.reads, - "writes": stats.writes, - "total": stats.totals, "read": common.MapStr{ "ops": stats.serviced.reads, "bytes": stats.servicedBytes.reads, diff --git a/metricbeat/module/docker/fields.go b/metricbeat/module/docker/fields.go index 500a172a399..9c88da1e5b9 100644 --- a/metricbeat/module/docker/fields.go +++ b/metricbeat/module/docker/fields.go @@ -32,5 +32,5 @@ func init() { // AssetDocker returns asset data. // This is the base64 encoded zlib format compressed contents of module/docker. func AssetDocker() string { - return "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" + return "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" } diff --git a/metricbeat/module/docker/network/_meta/fields.yml b/metricbeat/module/docker/network/_meta/fields.yml index 035047eb091..68af440a9bf 100644 --- a/metricbeat/module/docker/network/_meta/fields.yml +++ b/metricbeat/module/docker/network/_meta/fields.yml 
@@ -9,52 +9,6 @@ type: keyword description: > Network interface name. - - name: in - type: group - deprecated: 6.4 - description: > - Incoming network stats per second. - fields: - - name: bytes - type: long - format: bytes - description: > - Total number of incoming bytes. - - name: dropped - type: scaled_float - description: > - Total number of dropped incoming packets. - - name: errors - type: long - description: > - Total errors on incoming packets. - - name: packets - type: long - description: > - Total number of incoming packets. - - name: out - type: group - deprecated: 6.4 - description: > - Outgoing network stats per second. - fields: - - name: bytes - type: long - format: bytes - description: > - Total number of outgoing bytes. - - name: dropped - type: scaled_float - description: > - Total number of dropped outgoing packets. - - name: errors - type: long - description: > - Total errors on outgoing packets. - - name: packets - type: long - description: > - Total number of outgoing packets. - name: inbound type: group description: > diff --git a/metricbeat/module/docker/network/data.go b/metricbeat/module/docker/network/data.go index b4a2b90c405..c537032abb1 100644 --- a/metricbeat/module/docker/network/data.go +++ b/metricbeat/module/docker/network/data.go @@ -33,20 +33,6 @@ func eventMapping(r mb.ReporterV2, stats *NetStats) { RootFields: stats.Container.ToMapStr(), MetricSetFields: common.MapStr{ "interface": stats.NameInterface, - // Deprecated - "in": common.MapStr{ - "bytes": stats.RxBytes, - "dropped": stats.RxDropped, - "errors": stats.RxErrors, - "packets": stats.RxPackets, - }, - // Deprecated - "out": common.MapStr{ - "bytes": stats.TxBytes, - "dropped": stats.TxDropped, - "errors": stats.TxErrors, - "packets": stats.TxPackets, - }, "inbound": common.MapStr{ "bytes": stats.Total.RxBytes, "dropped": stats.Total.RxDropped, 
diff --git a/metricbeat/module/system/load/load.go b/metricbeat/module/system/load/load.go index dd10d24cef1..0a991542a7d 100644 --- a/metricbeat/module/system/load/load.go +++ b/metricbeat/module/system/load/load.go @@ -20,12 +20,11 @@ package load import ( - "runtime" - "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/metric/system/cpu" + "github.com/elastic/beats/v7/libbeat/metric/system/numcpu" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" ) @@ -60,7 +59,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { normAvgs := load.NormalizedAverages() event := common.MapStr{ - "cores": runtime.NumCPU(), + "cores": numcpu.NumCPU(), "1": avgs.OneMinute, "5": avgs.FiveMinute, "15": avgs.FifteenMinute, diff --git a/monitors.d/plaintodos.yml b/monitors.d/plaintodos.yml new file mode 100644 index 00000000000..5927ab74a0e --- /dev/null +++ b/monitors.d/plaintodos.yml @@ -0,0 +1,12 @@ +- name: Todos + id: todos + type: browser + enabled: true + schedule: "@every 3m" + tags: todos-app + params: + url: "https://elastic.github.io/synthetics-demo/" + source: + zip_url: + url: "https://github.com/elastic/synthetics-demo/archive/refs/heads/main.zip" + folder: "todos/synthetics-tests" diff --git a/testing/environments/docker/kafka/Dockerfile b/testing/environments/docker/kafka/Dockerfile index 484b294c39a..ff38db49e39 100644 --- a/testing/environments/docker/kafka/Dockerfile +++ b/testing/environments/docker/kafka/Dockerfile 
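Review bot: The new monitor's test suite is fetched from `https://github.com/elastic/synthetics-demo/archive/refs/heads/main.zip`, a mutable branch archive, so whatever `main` contains at run time is downloaded and executed by the browser monitor with no integrity check — a change to that repository changes what this configuration runs. Even for a demo, pin `zip_url.url` to a tag or commit archive (for example `.../archive/refs/tags/<TAG>.zip`, with the ref chosen by the maintainers) and, if the synthetics `source` block supports an integrity or checksum field, record one. A one-line comment above `source:` explaining that the ref is pinned on purpose would keep a future edit from moving it back to `main`.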
@@ -22,7 +22,11 @@ ADD healthcheck.sh /healthcheck.sh EXPOSE 9092 EXPOSE 2181 -# Healthcheck creates an empty topic foo. As soon as a topic is created, it assumes broke is available -HEALTHCHECK --interval=1s --retries=600 CMD /healthcheck.sh +# healthcheck.sh tries to create and delete an empty kafka topic (the topic +# string is based on the timestamp), and reports healthy if topic creation +# was successful. +# With these parameters, Docker will consider the container unhealthy if the +# Kafka server is unresponsive for 3 minutes. +HEALTHCHECK --start-period=10s --interval=5s --timeout=5s --retries=36 CMD /healthcheck.sh ENTRYPOINT ["/run.sh"] diff --git a/testing/environments/docker/kafka/healthcheck.sh b/testing/environments/docker/kafka/healthcheck.sh index feebbb8786d..99e533c4634 100755 --- a/testing/environments/docker/kafka/healthcheck.sh +++ b/testing/environments/docker/kafka/healthcheck.sh @@ -8,5 +8,5 @@ if [[ $rc != 0 ]]; then exit $rc fi -${KAFKA_HOME}/bin/kafka-topic.sh --zookeeper=127.0.0.1:2181 --delete --topic "${TOPIC}" +${KAFKA_HOME}/bin/kafka-topics.sh --zookeeper=127.0.0.1:2181 --delete --topic "${TOPIC}" exit 0 diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc index 367c8059a37..9bcda5fe195 100644 --- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc 
@@ -83,6 +83,10 @@ - Disable monitoring during fleet-server bootstrapping. {pull}27222[27222] - Change output.elasticsearch.proxy_disabled flag to output.elasticsearch.proxy_disable so fleet uses it. {issue}27670[27670] {pull}27671[27671] - Add validation for certificate flags to ensure they are absolute paths. {pull}27779[27779] +- Migrate state on upgrade {pull}27825[27825] +- Add "_monitoring" suffix to monitoring instance names to remove ambiguity with the status command. {issue}25449[25449] +- Ignore ErrNotExists when fixing permissions. {issue}27836[27836] {pull}27846[27846] +- Snapshot artifact lookup will use agent.download proxy settings. {issue}27903[27903] {pull}27904[27904] ==== New features diff --git a/x-pack/elastic-agent/pkg/agent/application/application.go b/x-pack/elastic-agent/pkg/agent/application/application.go index 7806eb78688..e2f7a55ce3e 100644 --- a/x-pack/elastic-agent/pkg/agent/application/application.go +++ b/x-pack/elastic-agent/pkg/agent/application/application.go @@ -15,6 +15,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/upgrade" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" @@ -30,7 +31,7 @@ type Application interface { } type reexecManager interface { - ReExec(argOverrides ...string) + ReExec(callback reexec.ShutdownCallbackFn, argOverrides ...string) } type upgraderControl interface { diff --git a/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_settings.go b/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_settings.go index e45ef26724f..efed0be97f7 100644 
--- a/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_settings.go +++ b/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_settings.go @@ -9,6 +9,7 @@ import ( "fmt" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/storage/store" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" @@ -16,7 +17,7 @@ import ( ) type reexecManager interface { - ReExec(argOverrides ...string) + ReExec(cb reexec.ShutdownCallbackFn, argOverrides ...string) } // Settings handles settings change coming from fleet and updates log level. @@ -61,7 +62,7 @@ func (h *Settings) Handle(ctx context.Context, a fleetapi.Action, acker store.Fl h.log.Errorf("failed to commit acker after acknowledging action with id '%s'", action.ActionID) } - h.reexec.ReExec() + h.reexec.ReExec(nil) return nil } diff --git a/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_upgrade.go b/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_upgrade.go index b0e2b65ff3a..2c39907d16d 100644 --- a/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_upgrade.go +++ b/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_upgrade.go @@ -38,7 +38,8 @@ func (h *Upgrade) Handle(ctx context.Context, a fleetapi.Action, acker store.Fle return fmt.Errorf("invalid type, expected ActionUpgrade and received %T", a) } - return h.upgrader.Upgrade(ctx, &upgradeAction{action}, true) + _, err := h.upgrader.Upgrade(ctx, &upgradeAction{action}, true) + return err } type upgradeAction struct { 
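Review bot: The discarded first result of `h.upgrader.Upgrade(ctx, &upgradeAction{action}, true)` deserves a comment, because a reader will otherwise wonder whether a shutdown callback is being lost; per the upgrade.go hunks, with `reexecNow` true the upgrader hands the callback to `ReExec` itself and returns nil. Suggest `// reexecNow is true, so the upgrader consumes the shutdown callback itself and returns nil here.` above the call. Handle's body starts outside the hunk.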
diff --git a/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go b/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go index b21bb9b8c46..5ccc870d948 100644 --- a/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go +++ b/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go @@ -5,6 +5,7 @@ package reexec import ( + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" ) @@ -12,7 +13,7 @@ import ( type ExecManager interface { // ReExec asynchronously re-executes command in the same PID and memory address // as the currently running application. - ReExec(argOverrides ...string) + ReExec(callback ShutdownCallbackFn, argOverrides ...string) // ShutdownChan returns the shutdown channel the main function should use to // handle shutdown of the current running application. @@ -31,6 +32,9 @@ type manager struct { complete chan bool } +// ShutdownCallbackFn is called once everything is shutdown and allows cleanup during reexec process. +type ShutdownCallbackFn func() error + // NewManager returns the reexec manager. func NewManager(log *logger.Logger, exec string) ExecManager { return &manager{ @@ -42,11 +46,18 @@ func NewManager(log *logger.Logger, exec string) ExecManager { } } -func (m *manager) ReExec(argOverrides ...string) { +func (m *manager) ReExec(shutdownCallback ShutdownCallbackFn, argOverrides ...string) { go func() { close(m.trigger) <-m.shutdown + if shutdownCallback != nil { + if err := shutdownCallback(); err != nil { + // panic; because there is no going back, everything is shutdown + panic(errors.New(errors.TypeUnexpected, err, "failure occured during shutdown cleanup")) + } + } + if err := reexec(m.logger, m.exec, argOverrides...); err != nil { // panic; because there is no going back, everything is shutdown panic(err) 
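Review bot: The doc comment on `ShutdownCallbackFn` should state the contract the ReExec hunk below actually enforces: the callback runs after `<-m.shutdown` and before the re-exec, and a non-nil error aborts the process via panic, so implementers must treat it as fatal rather than best-effort; e.g. `// ShutdownCallbackFn runs after the application has shut down and before re-exec; a returned error is fatal and aborts the re-exec.` The panic message in that hunk also misspells "occurred" (`"failure occured during shutdown cleanup"`), which matters because the string is what operators will search for. The ReExec hunk appears truncated in this rendering, so its closing lines were not reviewed.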
diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go index 424cac6c9ff..915106ad0e3 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go @@ -12,8 +12,11 @@ import ( "path/filepath" "strings" + "github.com/otiai10/copy" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" @@ -62,7 +65,7 @@ type Action interface { } type reexecManager interface { - ReExec(argOverrides ...string) + ReExec(callback reexec.ShutdownCallbackFn, argOverrides ...string) } type acker interface { @@ -101,8 +104,9 @@ func (u *Upgrader) Upgradeable() bool { return u.upgradeable } -// Upgrade upgrades running agent -func (u *Upgrader) Upgrade(ctx context.Context, a Action, reexecNow bool) (err error) { +// Upgrade upgrades running agent, function returns shutdown callback if some needs to be executed for cases when +// reexec is called by caller. +func (u *Upgrader) Upgrade(ctx context.Context, a Action, reexecNow bool) (_ reexec.ShutdownCallbackFn, err error) { // report failed defer func() { if err != nil { @@ -113,14 +117,14 @@ func (u *Upgrader) Upgrade(ctx context.Context, a Action, reexecNow bool) (err e }() if !u.upgradeable { - return fmt.Errorf( + return nil, fmt.Errorf( "cannot be upgraded; must be installed with install sub-command and " + "running under control of the systems supervisor") } if u.caps != nil { if _, err := u.caps.Apply(a); err == capabilities.ErrBlocked { - return nil + return nil, nil } } 
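Review bot: The new doc comment on `Upgrade` is hard to parse; suggest `// Upgrade upgrades the running agent. When reexecNow is false it returns a shutdown callback that the caller must pass to ReExec; when reexecNow is true the upgrader re-execs itself and returns a nil callback.` The import hunk also introduces `github.com/otiai10/copy` as a new third-party dependency for what is, in copyDir, a recursive directory copy; assuming go.mod and NOTICE are updated earlier in the patch, it is still worth recording in a comment why a stdlib `filepath.WalkDir` copy was not used, since every added module widens the supply-chain surface of the agent binary. The Upgrade body continues in the following hunks.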
@@ -129,16 +133,16 @@ func (u *Upgrader) Upgrade(ctx context.Context, a Action, reexecNow bool) (err e sourceURI, err := u.sourceURI(a.Version(), a.SourceURI()) archivePath, err := u.downloadArtifact(ctx, a.Version(), sourceURI) if err != nil { - return err + return nil, err } newHash, err := u.unpack(ctx, a.Version(), archivePath) if err != nil { - return err + return nil, err } if newHash == "" { - return errors.New("unknown hash") + return nil, errors.New("unknown hash") } if strings.HasPrefix(release.Commit(), newHash) { @@ -147,32 +151,35 @@ func (u *Upgrader) Upgrade(ctx context.Context, a Action, reexecNow bool) (err e u.ackAction(ctx, action) } u.log.Warn("upgrading to same version") - return nil + return nil, nil } if err := copyActionStore(newHash); err != nil { - return errors.New(err, "failed to copy action store") + return nil, errors.New(err, "failed to copy action store") } if err := ChangeSymlink(ctx, newHash); err != nil { rollbackInstall(ctx, newHash) - return err + return nil, err } if err := u.markUpgrade(ctx, newHash, a); err != nil { rollbackInstall(ctx, newHash) - return err + return nil, err } if err := InvokeWatcher(u.log); err != nil { rollbackInstall(ctx, newHash) - return errors.New("failed to invoke rollback watcher", err) + return nil, errors.New("failed to invoke rollback watcher", err) } + cb := shutdownCallback(u.log, paths.Home(), release.Version(), a.Version(), release.TrimCommit(newHash)) if reexecNow { - u.reexec.ReExec() + u.reexec.ReExec(cb) + return nil, nil } - return nil + + return cb, nil } // Ack acks last upgrade action 
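Review bot: `cb` is only returned on the `reexecNow == false` path; on the `reexecNow` branch it is consumed by `u.reexec.ReExec(cb)` and the function returns `nil, nil`, which is indistinguishable from the capability-blocked and same-version early returns above, so a caller cannot tell "upgraded and re-exec scheduled" from "nothing to do" — a comment on the `return nil, nil` after ReExec, or a distinct signal, would help. Not introduced here but visible in the first hunk: `sourceURI, err := u.sourceURI(...)` is immediately overwritten by `archivePath, err := u.downloadArtifact(...)`, so a sourceURI error is never checked; `if err != nil { return nil, err }` belongs between the two calls.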
@@ -277,3 +284,79 @@ func copyActionStore(newHash string) error { return nil } + +// shutdownCallback returns a callback function to be executing during shutdown once all processes are closed. +// this goes through runtime directory of agent and copies all the state files created by processes to new versioned +// home directory with updated process name to match new version. +func shutdownCallback(log *logger.Logger, homePath, prevVersion, newVersion, newHash string) reexec.ShutdownCallbackFn { + if release.Snapshot() { + // SNAPSHOT is part of newVersion + prevVersion += "-SNAPSHOT" + } + + return func() error { + runtimeDir := filepath.Join(homePath, "run") + processDirs, err := readProcessDirs(log, runtimeDir) + if err != nil { + return err + } + + oldHome := homePath + newHome := filepath.Join(filepath.Dir(homePath), fmt.Sprintf("%s-%s", agentName, newHash)) + for _, processDir := range processDirs { + newDir := strings.ReplaceAll(processDir, prevVersion, newVersion) + newDir = strings.ReplaceAll(newDir, oldHome, newHome) + if err := copyDir(processDir, newDir); err != nil { + return err + } + } + return nil + } +} + +func readProcessDirs(log *logger.Logger, runtimeDir string) ([]string, error) { + pipelines, err := readDirs(log, runtimeDir) + if err != nil { + return nil, err + } + + processDirs := make([]string, 0) + for _, p := range pipelines { + dirs, err := readDirs(log, p) + if err != nil { + return nil, err + } + + processDirs = append(processDirs, dirs...) + } + + return processDirs, nil +} + +// readDirs returns list of absolute paths to directories inside specified path. 
+func readDirs(log *logger.Logger, dir string) ([]string, error) { + dirEntries, err := os.ReadDir(dir) + if err != nil && !os.IsNotExist(err) { + return nil, err + } + + dirs := make([]string, 0, len(dirEntries)) + for _, de := range dirEntries { + if !de.IsDir() { + continue + } + + dirs = append(dirs, filepath.Join(dir, de.Name())) + } + + return dirs, nil +} + +func copyDir(from, to string) error { + return copy.Copy(from, to, copy.Options{ + OnSymlink: func(_ string) copy.SymlinkAction { + return copy.Shallow + }, + Sync: true, + }) +} diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade_test.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade_test.go new file mode 100644 index 00000000000..81f57c85734 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade_test.go 
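Review bot: In shutdownCallback the two `strings.ReplaceAll` calls are order-sensitive: the version substitution runs over the whole absolute path first, so if `oldHome` itself contains `prevVersion` the subsequent `oldHome`→`newHome` replacement no longer matches and the state is copied back under the old home instead of the new one. Computing the path relative to `oldHome` first and substituting the version only in that relative part avoids this (sketch below). readProcessDirs and copyDir also lack the doc comments that readDirs has, and readDirs uses `os.IsNotExist` where the perms_unix.go change in this same commit uses `errors.Is(err, fs.ErrNotExist)`; worth aligning.
```go
	return func() error {
		// … unchanged: readProcessDirs call and oldHome/newHome computation …
		for _, processDir := range processDirs {
			// Substitute the version only below oldHome, so a home path that
			// itself contains prevVersion cannot break the oldHome -> newHome mapping.
			rel, err := filepath.Rel(oldHome, processDir)
			if err != nil {
				return err
			}
			newDir := filepath.Join(newHome, strings.ReplaceAll(rel, prevVersion, newVersion))
			if err := copyDir(processDir, newDir); err != nil {
				return err
			}
		}
		return nil
	}
```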
@@ -0,0 +1,56 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package upgrade + +import ( + "fmt" + "io/ioutil" + "os" + "path/filepath" + "strings" + "testing" + + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +func TestShutdownCallback(t *testing.T) { + l, _ := logger.New("test", false) + tmpDir, err := ioutil.TempDir("", "shutdown-test-") + require.NoError(t, err) + defer os.RemoveAll(tmpDir) + + // make homepath agent consistent (in a form of elastic-agent-hash) + homePath := filepath.Join(tmpDir, fmt.Sprintf("%s-%s", agentName, release.ShortCommit())) + + filename := "file.test" + newCommit := "abc123" + sourceVersion := "7.14.0" + targetVersion := "7.15.0" + + content := []byte("content") + newHome := strings.ReplaceAll(homePath, release.ShortCommit(), newCommit) + sourceDir := filepath.Join(homePath, "run", "default", "process-"+sourceVersion) + targetDir := filepath.Join(newHome, "run", "default", "process-"+targetVersion) + + require.NoError(t, os.MkdirAll(sourceDir, 0755)) + require.NoError(t, os.MkdirAll(targetDir, 0755)) + + cb := shutdownCallback(l, homePath, sourceVersion, targetVersion, newCommit) + + oldFilename := filepath.Join(sourceDir, filename) + err = ioutil.WriteFile(oldFilename, content, 0640) + require.NoError(t, err, "preparing file failed") + + err = cb() + require.NoError(t, err, "callback failed") + + newFilename := filepath.Join(targetDir, filename) + newContent, err := ioutil.ReadFile(newFilename) + require.NoError(t, err, "reading file failed") + require.Equal(t, content, newContent, "contents are not equal") +} 
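Review bot: `TestShutdownCallback` will fail if the test binary reports `release.Snapshot()` as true, because `shutdownCallback` (previous hunk) then appends `-SNAPSHOT` to `prevVersion` while the fixture directory is `process-7.14.0` with no suffix; either derive `sourceVersion` from the same rule or skip with `if release.Snapshot() { t.Skip("fixture assumes non-snapshot build") }`. The file also uses the deprecated `io/ioutil` functions although the module is on Go 1.16 (`os.MkdirTemp`, `os.WriteFile`, `os.ReadFile` are available), and the error from `logger.New` is dropped with `l, _ :=` where `require.NoError` would match the rest of the test.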
diff --git a/x-pack/elastic-agent/pkg/agent/cmd/run.go b/x-pack/elastic-agent/pkg/agent/cmd/run.go index cf24a932a91..d598460b22b 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/run.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/run.go @@ -172,7 +172,7 @@ func run(streams *cli.IOStreams, override cfgOverrider) error { case sig := <-signals: if sig == syscall.SIGHUP { rexLogger.Infof("SIGHUP triggered re-exec") - rex.ReExec() + rex.ReExec(nil) } else { breakout = true } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/status.go b/x-pack/elastic-agent/pkg/agent/cmd/status.go index e14311f3e8a..d78e64d1e45 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/status.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/status.go @@ -10,6 +10,7 @@ import ( "fmt" "io" "os" + "text/tabwriter" "time" "gopkg.in/yaml.v2" @@ -96,14 +97,16 @@ func humanOutput(w io.Writer, status *client.AgentStatus) error { fmt.Fprint(w, "Applications: (none)\n") } else { fmt.Fprint(w, "Applications:\n") + tw := tabwriter.NewWriter(w, 4, 1, 2, ' ', 0) for _, app := range status.Applications { - fmt.Fprintf(w, " * %s\t(%s)\n", app.Name, app.Status) + fmt.Fprintf(tw, " * %s\t(%s)\n", app.Name, app.Status) if app.Message == "" { - fmt.Fprint(w, " (no message)\n") + fmt.Fprint(tw, "\t(no message)\n") } else { - fmt.Fprintf(w, " %s\n", app.Message) + fmt.Fprintf(tw, "\t%s\n", app.Message) } } + tw.Flush() } return nil } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/status_test.go b/x-pack/elastic-agent/pkg/agent/cmd/status_test.go new file mode 100644 index 00000000000..6c4aebed58b --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/status_test.go 
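Review bot: The error from `tw.Flush()` is dropped, so a failed write of the buffered application table is never reported even though `humanOutput` returns an error; replace it with `if err := tw.Flush(); err != nil { return err }`. The `fmt.Fprint*` calls discard errors too, which predates this change, but the tabwriter now buffers every application line, so Flush is the one place a write failure would surface.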
@@ -0,0 +1,125 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package cmd + +import ( + "os" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client" +) + +var testStatus = &client.AgentStatus{ + Status: client.Healthy, + Message: "", + Applications: []*client.ApplicationStatus{{ + ID: "id_1", + Name: "filebeat", + Status: client.Healthy, + Message: "Running", + Payload: nil, + }, { + ID: "id_2", + Name: "metricbeat", + Status: client.Healthy, + Message: "Running", + Payload: nil, + }, { + ID: "id_3", + Name: "filebeat_monitoring", + Status: client.Healthy, + Message: "Running", + Payload: nil, + }, { + ID: "id_4", + Name: "metricbeat_monitoring", + Status: client.Healthy, + Message: "Running", + Payload: nil, + }, + }, +} + +func ExamplehumanOutput() { + humanOutput(os.Stdout, testStatus) + // Output: + // Status: HEALTHY + // Message: (no message) + // Applications: + // * filebeat (HEALTHY) + // Running + // * metricbeat (HEALTHY) + // Running + // * filebeat_monitoring (HEALTHY) + // Running + // * metricbeat_monitoring (HEALTHY) + // Running +} + +func ExamplejsonOutput() { + jsonOutput(os.Stdout, testStatus) + // Output: + // { + // "Status": 2, + // "Message": "", + // "Applications": [ + // { + // "ID": "id_1", + // "Name": "filebeat", + // "Status": 2, + // "Message": "Running", + // "Payload": null + // }, + // { + // "ID": "id_2", + // "Name": "metricbeat", + // "Status": 2, + // "Message": "Running", + // "Payload": null + // }, + // { + // "ID": "id_3", + // "Name": "filebeat_monitoring", + // "Status": 2, + // "Message": "Running", + // "Payload": null + // }, + // { + // "ID": "id_4", + // "Name": "metricbeat_monitoring", + // "Status": 2, + // "Message": "Running", + // "Payload": null + // } + // ] + // } +} + +func 
ExampleyamlOutput() { + yamlOutput(os.Stdout, testStatus) + // Output: + // status: 2 + // message: "" + // applications: + // - id: id_1 + // name: filebeat + // status: 2 + // message: Running + // payload: {} + // - id: id_2 + // name: metricbeat + // status: 2 + // message: Running + // payload: {} + // - id: id_3 + // name: filebeat_monitoring + // status: 2 + // message: Running + // payload: {} + // - id: id_4 + // name: metricbeat_monitoring + // status: 2 + // message: Running + // payload: {} +} diff --git a/x-pack/elastic-agent/pkg/agent/control/server/server.go b/x-pack/elastic-agent/pkg/agent/control/server/server.go index de7d5ca0f65..56f43a245fd 100644 --- a/x-pack/elastic-agent/pkg/agent/control/server/server.go +++ b/x-pack/elastic-agent/pkg/agent/control/server/server.go @@ -110,7 +110,7 @@ func (s *Server) Status(_ context.Context, _ *proto.Empty) (*proto.StatusRespons // Restart performs re-exec. func (s *Server) Restart(_ context.Context, _ *proto.Empty) (*proto.RestartResponse, error) { - s.rex.ReExec() + s.rex.ReExec(nil) return &proto.RestartResponse{ Status: proto.ActionStatus_SUCCESS, }, nil @@ -128,7 +128,7 @@ func (s *Server) Upgrade(ctx context.Context, request *proto.UpgradeRequest) (*p Error: "cannot be upgraded; perform upgrading using Fleet", }, nil } - err := u.Upgrade(ctx, &upgradeRequest{request}, false) + cb, err := u.Upgrade(ctx, &upgradeRequest{request}, false) if err != nil { return &proto.UpgradeResponse{ Status: proto.ActionStatus_FAILURE, @@ -139,7 +139,7 @@ func (s *Server) Upgrade(ctx context.Context, request *proto.UpgradeRequest) (*p // this ensures that the upgrade response over GRPC is returned go func() { <-time.After(time.Second) - s.rex.ReExec() + s.rex.ReExec(cb) }() return &proto.UpgradeResponse{ Status: proto.ActionStatus_SUCCESS, diff --git a/x-pack/elastic-agent/pkg/agent/install/perms_unix.go b/x-pack/elastic-agent/pkg/agent/install/perms_unix.go index ff5cbe52763..9a9a2638dfc 100644 
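Review bot: The Example functions discard the `error` returned by `humanOutput` (its signature is visible in the status.go hunk; presumably the same for `jsonOutput` and `yamlOutput`), so a write failure would surface only as a confusing output mismatch; wrap each call, e.g. `if err := humanOutput(os.Stdout, testStatus); err != nil { panic(err) }`. The expected-output blocks are otherwise a useful pin on the tabwriter alignment introduced in status.go.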
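Review bot: `Upgrade` returns `nil, nil` for the capability-blocked and same-version cases (see the upgrade.go hunks), and that path still reaches the deferred `s.rex.ReExec(cb)` here with a nil callback and an `ActionStatus_SUCCESS` response, so the agent restarts without having upgraded. The behaviour predates this change, but now that the callback is inspected it would be cheap to skip the re-exec when `cb == nil`, or to document why a restart is still wanted in that case. The goroutine also still has no link to `ctx`, so a cancelled request cannot stop the pending restart.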
--- a/x-pack/elastic-agent/pkg/agent/install/perms_unix.go +++ b/x-pack/elastic-agent/pkg/agent/install/perms_unix.go @@ -7,6 +7,7 @@ package install import ( + "errors" "io/fs" "os" "path/filepath" @@ -29,6 +30,8 @@ func recursiveRootPermissions(path string) error { } // remove any world permissions from the file err = os.Chmod(name, info.Mode().Perm()&0770) + } else if errors.Is(err, fs.ErrNotExist) { + return nil } return err }) diff --git a/x-pack/elastic-agent/pkg/agent/install/perms_windows.go b/x-pack/elastic-agent/pkg/agent/install/perms_windows.go index d755dc03265..8ca5fd3057e 100644 --- a/x-pack/elastic-agent/pkg/agent/install/perms_windows.go +++ b/x-pack/elastic-agent/pkg/agent/install/perms_windows.go @@ -7,6 +7,7 @@ package install import ( + "errors" "io/fs" "path/filepath" @@ -30,6 +31,8 @@ func recursiveSystemAdminPermissions(path string) error { inherit = false } err = systemAdministratorsOnly(name, inherit) + } else if errors.Is(err, fs.ErrNotExist) { + return nil } return err }) diff --git a/x-pack/elastic-agent/pkg/agent/operation/operator.go b/x-pack/elastic-agent/pkg/agent/operation/operator.go index 922246050dd..2cd68512606 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operator.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operator.go @@ -305,9 +305,11 @@ func (o *Operator) getApp(p Descriptor) (Application, error) { var err error monitor := o.monitor + appName := p.BinaryName() if app.IsSidecar(p) { // make watchers unmonitorable monitor = noop.NewMonitor() + appName += "_monitoring" } if p.ServicePort() == 0 { @@ -315,7 +317,7 @@ func (o *Operator) getApp(p Descriptor) (Application, error) { a, err = process.NewApplication( o.bgContext, p.ID(), - p.BinaryName(), + appName, o.pipelineID, o.config.LoggingConfig.Level.String(), desc, 
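Review bot: The new `errors.Is(err, fs.ErrNotExist)` branch only covers the error handed to the walk callback; the `os.Chmod(name, ...)` on the line above runs on a path that was stat'ed a moment earlier, so a file removed between the two calls still fails the walk with exactly the ErrNotExist this change meant to ignore. Clearing it after the chmod, `if errors.Is(err, fs.ErrNotExist) { err = nil }`, closes the gap; the same applies to `systemAdministratorsOnly(name, inherit)` in perms_windows.go if it reports missing paths the same way. Both enclosing functions start outside the hunk.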
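Review bot: The `"_monitoring"` suffix appended for sidecars is now a contract other code depends on (the status_test.go expectations use `filebeat_monitoring`), so it should be a named constant with a comment rather than a literal inside getApp, e.g. `// monitoringSuffix distinguishes monitoring sidecars from the applications they monitor in status output.` followed by `const monitoringSuffix = "_monitoring"`. getApp's body starts and ends outside the hunk.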
@@ -331,7 +333,7 @@ func (o *Operator) getApp(p Descriptor) (Application, error) { a, err = service.NewApplication( o.bgContext, p.ID(), - p.BinaryName(), + appName, o.pipelineID, o.config.LoggingConfig.Level.String(), p.ServicePort(), diff --git a/x-pack/elastic-agent/pkg/agent/program/supported.go b/x-pack/elastic-agent/pkg/agent/program/supported.go index 2e4289149f3..9da40a4ae16 100644 --- a/x-pack/elastic-agent/pkg/agent/program/supported.go +++ b/x-pack/elastic-agent/pkg/agent/program/supported.go @@ -25,7 +25,7 @@ func init() { // spec/metricbeat.yml // spec/osquerybeat.yml // spec/packetbeat.yml - unpacked := packer.MustUnpack("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") + unpacked := packer.MustUnpack("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") SupportedMap = make(map[string]Spec) for f, v := range unpacked { diff --git a/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go b/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go index acf6b32328f..a08295ba49b 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go +++ b/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go @@ -7,9 +7,9 @@ package snapshot import ( "encoding/json" "fmt" - gohttp "net/http" "strings" + "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download/http" @@ -27,7 +27,7 @@ func NewDownloader(config *artifact.Config, versionOverride string) (download.Do } func snapshotConfig(config *artifact.Config, versionOverride string) (*artifact.Config, error) { - snapshotURI, err := snapshotURI(versionOverride) + snapshotURI, err := snapshotURI(versionOverride, config) if err != nil { return nil, fmt.Errorf("failed to detect remote snapshot repo, proceeding with configured: %v", err) } 
@@ -43,7 +43,7 @@ func snapshotConfig(config *artifact.Config, versionOverride string) (*artifact. }, nil } -func snapshotURI(versionOverride string) (string, error) { +func snapshotURI(versionOverride string, config *artifact.Config) (string, error) { version := release.Version() if versionOverride != "" { if strings.HasSuffix(versionOverride, "-SNAPSHOT") { @@ -52,8 +52,13 @@ func snapshotURI(versionOverride string) (string, error) { version = versionOverride } + client, err := config.HTTPTransportSettings.Client(httpcommon.WithAPMHTTPInstrumentation()) + if err != nil { + return "", err + } + artifactsURI := fmt.Sprintf("https://artifacts-api.elastic.co/v1/search/%s-SNAPSHOT/elastic-agent", version) - resp, err := gohttp.Get(artifactsURI) + resp, err := client.Get(artifactsURI) if err != nil { return "", err } diff --git a/x-pack/elastic-agent/pkg/release/version.go b/x-pack/elastic-agent/pkg/release/version.go index 05f0063afdf..4cc161a9899 100644 --- a/x-pack/elastic-agent/pkg/release/version.go +++ b/x-pack/elastic-agent/pkg/release/version.go @@ -27,6 +27,15 @@ var allowEmptyPgp string // with upgrade without requiring Agent to be installed correctly var allowUpgrade string +// TrimCommit trims commit up to 6 characters. +func TrimCommit(commit string) string { + hash := commit + if len(hash) > hashLen { + hash = hash[:hashLen] + } + return hash +} + // Commit returns the current build hash or unknown if it was not injected in the build process. func Commit() string { return libbeatVersion.Commit() @@ -34,11 +43,7 @@ func Commit() string { // ShortCommit returns commit up to 6 characters. func ShortCommit() string { - hash := Commit() - if len(hash) > hashLen { - hash = hash[:hashLen] - } - return hash + return TrimCommit(Commit()) } // BuildTime returns the build time of the binaries. diff --git a/x-pack/elastic-agent/spec/filebeat.yml b/x-pack/elastic-agent/spec/filebeat.yml index 6f47c1ebdee..af9fdf89e75 100644 --- a/x-pack/elastic-agent/spec/filebeat.yml 
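Review bot: `snapshotURI` dereferences `config.HTTPTransportSettings` without a nil check on the new `config` parameter, whereas `snapshotConfig` treats a failure here as non-fatal ("proceeding with configured"); a nil config would now panic instead of falling back, so guard it with `if config == nil { return "", fmt.Errorf("nil artifact config") }` if callers can pass nil. `client.Get(artifactsURI)` also still carries no context or deadline of its own, so the request duration is entirely determined by the configured transport settings — worth a comment if those are expected to supply a timeout. Ordering the parameters as `(config *artifact.Config, versionOverride string)` would match `snapshotConfig`.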
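Review bot: `TrimCommit`'s doc comment hard-codes "6 characters" while the body uses `hashLen`; say `// TrimCommit returns at most the first hashLen characters of commit.` so the comment cannot drift from the constant. ShortCommit's comment has the same issue.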
+++ b/x-pack/elastic-agent/spec/filebeat.yml @@ -75,6 +75,7 @@ rules: - gcp-pubsub - http_endpoint - httpjson + - journald - kafka - log - mqtt diff --git a/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc b/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc index 6b5444be055..0585f10d46e 100644 --- a/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc @@ -466,7 +466,7 @@ Available transforms for request: [`append`, `delete`, `set`]. Can read state from: [`.last_response.*`, `.last_event.*`, `.cursor.*`, `.header.*`, `.url.*`, `.body.*`]. -Can write state to: [`header.*`, `url.params.*`, `body.*`]. +Can write state to: [`body.*`, `header.*`, `url.*`]. ["source","yaml",subs="attributes"] ---- @@ -566,6 +566,11 @@ Required if using split type of `string`. This is the sub string used to split Valid when used with `type: map`. When not empty, defines a new field where the original key value will be stored. +[float] +==== `response.split[].ignore_empty_value` + +If set to true, empty or missing value will be ignored and processing will pass on to the next nested split operation instead of failing with an error. Default: `false`. + [float] ==== `response.split[].split` diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index b30193416cc..2fc7721ea27 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -41,7 +41,7 @@ filebeat.modules: - module: activemq # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -49,7 +49,7 @@ filebeat.modules: # Application logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -462,7 +462,7 @@ filebeat.modules: - module: azure # All logs activitylogs: - enabled: true + enabled: false var: # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub eventhub: "insights-operational-logs" @@ -505,7 +505,7 @@ filebeat.modules: #------------------ Barracuda Web Application Firewall Module ------------------ - module: barracuda waf: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -524,7 +524,7 @@ filebeat.modules: # var.tz_offset: local spamfirewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -545,7 +545,7 @@ filebeat.modules: #-------------------------- Blue Coat Director Module -------------------------- - module: bluecoat director: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -566,7 +566,7 @@ filebeat.modules: #--------------------------------- CEF Module --------------------------------- - module: cef log: - enabled: true + enabled: false var: syslog_host: localhost syslog_port: 9003 @@ -582,7 +582,7 @@ filebeat.modules: #------------------------------ Checkpoint Module ------------------------------ - module: checkpoint firewall: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -605,7 +605,7 @@ filebeat.modules: #-------------------------------- Cisco Module -------------------------------- - module: cisco asa: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -631,7 +631,7 @@ filebeat.modules: #var.external_zones: [ "External" ] ftd: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog 
@@ -657,7 +657,7 @@ filebeat.modules: #var.external_zones: [ "External" ] ios: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -674,7 +674,7 @@ filebeat.modules: #var.paths: nexus: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -693,7 +693,7 @@ filebeat.modules: # var.tz_offset: local meraki: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -712,7 +712,7 @@ filebeat.modules: # var.tz_offset: local umbrella: - enabled: true + enabled: false #var.input: aws-s3 # AWS SQS queue url @@ -727,7 +727,7 @@ filebeat.modules: #var.api_timeout: 120s amp: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson @@ -747,7 +747,7 @@ filebeat.modules: - module: coredns # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -757,39 +757,16 @@ filebeat.modules: - module: crowdstrike falcon: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: -#------------------------------ Cyber-Ark Module ------------------------------ -# The cyberark module is deprecated and will be removed in future releases. -# Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. -- module: cyberark - corepas: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9527 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #----------------------------- CyberArk PAS Module ----------------------------- - module: cyberarkpas audit: - enabled: true + enabled: false # Set which input to use between tcp (default), udp, or file. # @@ -815,7 +792,7 @@ filebeat.modules: #---------------------------- CylanceProtect Module ---------------------------- - module: cylance protect: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp 
@@ -837,32 +814,32 @@ filebeat.modules: - module: elasticsearch # Server log server: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: @@ -871,7 +848,7 @@ filebeat.modules: - module: envoyproxy # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -880,7 +857,7 @@ filebeat.modules: #--------------------- Big-IP Access Policy Manager Module --------------------- - module: f5 bigipapm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -899,7 +876,7 @@ filebeat.modules: # var.tz_offset: local bigipafm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -920,7 +897,7 @@ filebeat.modules: #------------------------------- Fortinet Module ------------------------------- - module: fortinet firewall: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp 
@@ -943,7 +920,7 @@ filebeat.modules: #var.external_interfaces: [ "WAN" ] clientendpoint: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -962,7 +939,7 @@ filebeat.modules: # var.tz_offset: local fortimail: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -981,7 +958,7 @@ filebeat.modules: # var.tz_offset: local fortimanager: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1002,7 +979,7 @@ filebeat.modules: #--------------------- Google Cloud Platform (GCP) Module --------------------- - module: gcp vpcflow: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1030,7 +1007,7 @@ filebeat.modules: #var.internal_networks: [ "private" ] firewall: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1057,7 +1034,7 @@ filebeat.modules: #var.internal_networks: [ "private" ] audit: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1077,7 +1054,7 @@ filebeat.modules: #--------------------------- Google_workspace Module --------------------------- - module: google_workspace saml: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1085,7 +1062,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h user_accounts: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1093,7 +1070,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h login: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h 
@@ -1101,7 +1078,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h admin: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1109,7 +1086,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h drive: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1117,7 +1094,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h groups: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h 
@@ -1126,120 +1103,11 @@ filebeat.modules: # var.interval: 2h -#----------------------------- Googlecloud Module ----------------------------- -# googlecloud module is deprecated, please use gcp instead -- module: gcp - vpcflow: - enabled: true - - # Google Cloud project ID. - var.project_id: my-gcp-project-id - - # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be - # configured to use this topic as a sink for VPC flow logs. - var.topic: gcp-vpc-flowlogs - - # Google Pub/Sub subscription for the topic. Filebeat will create this - # subscription if it does not exist. - var.subscription_name: filebeat-gcp-vpc-flowlogs-sub - - # Credentials file for the service account with authorization to read from - # the subscription. - var.credentials_file: ${path.config}/gcp-service-account-xyz.json - - firewall: - enabled: true - - # Google Cloud project ID. - var.project_id: my-gcp-project-id - - # Google Pub/Sub topic containing firewall logs. Stackdriver must be - # configured to use this topic as a sink for firewall logs. - var.topic: gcp-vpc-firewall - - # Google Pub/Sub subscription for the topic. Filebeat will create this - # subscription if it does not exist. - var.subscription_name: filebeat-gcp-firewall-sub - - # Credentials file for the service account with authorization to read from - # the subscription. - var.credentials_file: ${path.config}/gcp-service-account-xyz.json - - audit: - enabled: true - - # Google Cloud project ID. - var.project_id: my-gcp-project-id - - # Google Pub/Sub topic containing firewall logs. Stackdriver must be - # configured to use this topic as a sink for firewall logs. - var.topic: gcp-vpc-audit - - # Google Pub/Sub subscription for the topic. Filebeat will create this - # subscription if it does not exist. - var.subscription_name: filebeat-gcp-audit - - # Credentials file for the service account with authorization to read from - # the subscription. 
- var.credentials_file: ${path.config}/gcp-service-account-xyz.json - -#-------------------------------- Gsuite Module -------------------------------- -# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. -- module: gsuite - saml: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - user_accounts: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - login: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - admin: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - drive: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - groups: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - #------------------------------- HAProxy Module ------------------------------- - module: haproxy # All logs log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: @@ -1252,7 +1120,7 @@ filebeat.modules: - module: ibmmq # All logs errorlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -1325,7 +1193,7 @@ filebeat.modules: #------------------------- Imperva SecureSphere Module ------------------------- - module: imperva securesphere: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1346,7 +1214,7 @@ filebeat.modules: #---------------------------- Infoblox NIOS Module ---------------------------- - module: infoblox nios: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1367,7 +1235,7 @@ filebeat.modules: #------------------------------- Iptables Module ------------------------------- - module: iptables log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: @@ -1379,7 +1247,7 @@ filebeat.modules: #---------------------------- Juniper JUNOS Module ---------------------------- - module: juniper junos: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1398,7 +1266,7 @@ filebeat.modules: # var.tz_offset: local netscreen: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1417,7 +1285,7 @@ filebeat.modules: # var.tz_offset: local srx: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -1433,7 +1301,7 @@ filebeat.modules: - module: kafka # All logs log: - enabled: true + enabled: false # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. @@ -1447,7 +1315,7 @@ filebeat.modules: - module: kibana # Server logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1455,7 +1323,7 @@ filebeat.modules: # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -1483,7 +1351,7 @@ filebeat.modules: - module: microsoft # ATP configuration defender_atp: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -1496,7 +1364,7 @@ filebeat.modules: # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" m365_defender: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -1513,7 +1381,7 @@ filebeat.modules: #var.oauth2.scopes: # - "https://api.security.microsoft.com/.default" dhcp: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1536,7 +1404,7 @@ filebeat.modules: - module: misp threat: - enabled: true + enabled: false # API key to access MISP #var.api_key @@ -1567,7 +1435,7 @@ filebeat.modules: - module: mssql # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1602,7 +1470,7 @@ filebeat.modules: #--------------------------- MySQL Enterprise Module --------------------------- - module: mysqlenterprise audit: - enabled: true + enabled: false # Sets the input type. Currently only supports file #var.input: file @@ -1616,7 +1484,7 @@ filebeat.modules: - module: nats # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1625,7 +1493,7 @@ filebeat.modules: #------------------------------- NetFlow Module ------------------------------- - module: netflow log: - enabled: true + enabled: false var: netflow_host: localhost netflow_port: 2055 
@@ -1638,7 +1506,7 @@ filebeat.modules: #-------------------------- Arbor Peakflow SP Module -------------------------- - module: netscout sightline: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1693,7 +1561,7 @@ filebeat.modules: #------------------------------ Office 365 Module ------------------------------ - module: o365 audit: - enabled: true + enabled: false # Set the application_id (also known as client ID): var.application_id: "" @@ -1740,7 +1608,7 @@ filebeat.modules: #--------------------------------- Okta Module --------------------------------- - module: okta system: - enabled: true + enabled: false # You must configure the URL with your Okta domain and provide an # API token to access the logs API. #var.url: https://yourOktaDomain/api/v1/logs @@ -1749,7 +1617,7 @@ filebeat.modules: #-------------------------------- Oracle Module -------------------------------- - module: oracle database_audit: - enabled: true + enabled: false # Set which input to use between syslog or file (default). #var.input: file @@ -1759,9 +1627,9 @@ filebeat.modules: #var.paths: ["/home/user/oracleauditlogs/*.aud"] #------------------------------- Osquery Module ------------------------------- -- module: osquery - result: - enabled: true +#- module: osquery + #result: + #enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1775,7 +1643,7 @@ filebeat.modules: #--------------------------------- Panw Module --------------------------------- - module: panw panos: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: @@ -1797,7 +1665,7 @@ filebeat.modules: - module: pensando # Firewall logs dfw: - enabled: true + enabled: false var.syslog_host: 0.0.0.0 var.syslog_port: 9001 
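Review bot: The osquery block in the `@@ -1759,9 +1627,9 @@` hunk is handled differently from every other module on this page: instead of flipping `enabled: true` to `enabled: false`, the `- module: osquery`, `result:` and `enabled: true` lines are commented out, so `#enabled: true` is the only hint of the default a user sees. A user who uncomments those three lines gets a fileset enabled by default, the opposite of what the rest of the change establishes for all other modules. If this file is generated from the module's `_meta/config.reference.yml` (not visible here) the inconsistency should be fixed at the source; otherwise the three lines should read `- module: osquery`, `result:`, `enabled: false` like their neighbours.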
@@ -1822,7 +1690,7 @@ filebeat.modules: #---------------------- Proofpoint Email Security Module ---------------------- - module: proofpoint emailsecurity: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1844,7 +1712,7 @@ filebeat.modules: - module: rabbitmq # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1853,7 +1721,7 @@ filebeat.modules: #-------------------------- Radware DefensePro Module -------------------------- - module: radware defensepro: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1894,7 +1762,7 @@ filebeat.modules: #----------------------------- Google Santa Module ----------------------------- - module: santa log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: @@ -1902,7 +1770,7 @@ filebeat.modules: #--------------------------- Snort/Sourcefire Module --------------------------- - module: snort log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1923,7 +1791,7 @@ filebeat.modules: #--------------------------------- Snyk Module --------------------------------- - module: snyk audit: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # @@ -1952,7 +1820,7 @@ filebeat.modules: #var.email_address: "" vulnerabilities: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # How often the API should be polled. Data from the Snyk API is automatically updated 
@@ -2027,7 +1895,7 @@ filebeat.modules: #----------------------------- Sonicwall-FW Module ----------------------------- - module: sonicwall firewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -2048,7 +1916,7 @@ filebeat.modules: #-------------------------------- Sophos Module -------------------------------- - module: sophos xg: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -2072,7 +1940,7 @@ filebeat.modules: utm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -2093,7 +1961,7 @@ filebeat.modules: #-------------------------------- Squid Module -------------------------------- - module: squid log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -2115,7 +1983,7 @@ filebeat.modules: - module: suricata # All logs eve: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -2124,7 +1992,7 @@ filebeat.modules: #----------------------------- Threatintel Module ----------------------------- - module: threatintel abuseurl: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -2136,7 +2004,7 @@ filebeat.modules: var.interval: 10m abusemalware: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -2148,7 +2016,7 @@ filebeat.modules: var.interval: 10m malwarebazaar: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -2160,7 +2028,7 @@ filebeat.modules: var.interval: 10m misp: - enabled: true + enabled: false # Input used for ingesting threat intel data, defaults to JSON. var.input: httpjson 
@@ -2189,7 +2057,7 @@ filebeat.modules: var.interval: 5m otx: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -2216,7 +2084,7 @@ filebeat.modules: var.interval: 5m anomali: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -2238,7 +2106,7 @@ filebeat.modules: var.interval: 5m anomalithreatstream: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: http_endpoint @@ -2263,7 +2131,7 @@ filebeat.modules: # var.ssl_key: path/to/ssl_key.pem recordedfuture: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -2297,7 +2165,7 @@ filebeat.modules: #---------------------------- Apache Tomcat Module ---------------------------- - module: tomcat log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp 
@@ -2333,83 +2201,83 @@ filebeat.modules: #--------------------------------- Zeek Module --------------------------------- - module: zeek capture_loss: - enabled: true + enabled: false connection: - enabled: true + enabled: false dce_rpc: - enabled: true + enabled: false dhcp: - enabled: true + enabled: false dnp3: - enabled: true + enabled: false dns: - enabled: true + enabled: false dpd: - enabled: true + enabled: false files: - enabled: true + enabled: false ftp: - enabled: true + enabled: false http: - enabled: true + enabled: false intel: - enabled: true + enabled: false irc: - enabled: true + enabled: false kerberos: - enabled: true + enabled: false modbus: - enabled: true + enabled: false mysql: - enabled: true + enabled: false notice: - enabled: true + enabled: false ntp: - enabled: true + enabled: false ntlm: - enabled: true + enabled: false ocsp: - enabled: true + enabled: false pe: - enabled: true + enabled: false radius: - enabled: true + enabled: false rdp: - enabled: true + enabled: false rfb: - enabled: true + enabled: false signature: - enabled: true + enabled: false sip: - enabled: true + enabled: false smb_cmd: - enabled: true + enabled: false smb_files: - enabled: true + enabled: false smb_mapping: - enabled: true + enabled: false smtp: - enabled: true + enabled: false snmp: - enabled: true + enabled: false socks: - enabled: true + enabled: false ssh: - enabled: true + enabled: false ssl: - enabled: true + enabled: false stats: - enabled: true + enabled: false syslog: - enabled: true + enabled: false traceroute: - enabled: true + enabled: false tunnel: - enabled: true + enabled: false weird: - enabled: true + enabled: false x509: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -2419,14 +2287,14 @@ filebeat.modules: - module: zookeeper # All logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -2435,7 +2303,7 @@ filebeat.modules: #--------------------------------- Zoom Module --------------------------------- - module: zoom webhook: - enabled: true + enabled: false # The type of input to use #var.input: http_endpoint @@ -2456,7 +2324,7 @@ filebeat.modules: #----------------------------- Zscaler NSS Module ----------------------------- - module: zscaler zia: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 995cc2a7a0e..adfb028469c 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -24,7 +24,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cisco" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/coredns" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/crowdstrike" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberark" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberarkpas" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cylance" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/envoyproxy" 
@@ -32,7 +31,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/fortinet" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/gcp" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/google_workspace" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/gsuite" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/ibmmq" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/imperva" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/infoblox" diff --git a/x-pack/filebeat/input/awss3/config.go b/x-pack/filebeat/input/awss3/config.go index 4e887003477..404997ddc60 100644 --- a/x-pack/filebeat/input/awss3/config.go +++ b/x-pack/filebeat/input/awss3/config.go @@ -12,6 +12,7 @@ import ( "github.com/elastic/beats/v7/libbeat/common/cfgtype" "github.com/elastic/beats/v7/libbeat/common/match" + "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/reader/parser" "github.com/elastic/beats/v7/libbeat/reader/readfile" "github.com/elastic/beats/v7/libbeat/reader/readfile/encoding" @@ -50,7 +51,8 @@ func defaultConfig() config { func (c *config) Validate() error { if c.QueueURL == "" && c.BucketARN == "" { - return fmt.Errorf("queue_url or bucket_arn must provided") + logp.NewLogger(inputName).Warnf("neither queue_url nor bucket_arn were provided, input %s will stop", inputName) + return nil } if c.QueueURL != "" && c.BucketARN != "" { diff --git a/x-pack/filebeat/input/awss3/config_test.go b/x-pack/filebeat/input/awss3/config_test.go index 9fdf4c1dffb..cd75d4df19c 100644 --- a/x-pack/filebeat/input/awss3/config_test.go +++ b/x-pack/filebeat/input/awss3/config_test.go @@ -92,7 +92,7 @@ func TestConfig(t *testing.T) { }, }, "", - func(queueURL, s3Bucketr string) config { + func(queueURL, s3Bucket string) config { c := makeConfig(queueURL, "") regex := match.MustCompile("/CloudTrail/") c.FileSelectors = []fileSelectorConfig{ 
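Review bot: `Validate()` now returns nil for a config that has neither `queue_url` nor `bucket_arn`, so a misspelled key (say `queue-url`) is no longer rejected and only shows up as a warning in the log, and the updated test in config_test.go on the next line pins that as the expected result. The warning promises the input "will stop", but nothing in this hunk does the stopping; if the run path does not itself check for an empty `QueueURL`/`BucketARN`, the input will start with no source to poll. A comment stating why an unconfigured input is tolerated would help the next reader, e.g. `// An empty queue_url and bucket_arn is deliberately not a validation error: the input warns and exits at run time instead, so a not-yet-populated config does not fail to load.` — adjusted to name wherever the stop actually happens. Constructing a logger with `logp.NewLogger(inputName)` inside Validate is also unusual; if the input already carries a logger at this point, reuse it. Validate's body continues outside the hunk.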
@@ -112,8 +112,10 @@ func TestConfig(t *testing.T) { "queue_url": "", "bucket_arn": "", }, - "queue_url or bucket_arn must provided", - nil, + "", + func(queueURL, s3Bucket string) config { + return makeConfig("", "") + }, }, { "error on both queueURL and s3Bucket", diff --git a/x-pack/filebeat/input/httpjson/internal/v2/config_response.go b/x-pack/filebeat/input/httpjson/internal/v2/config_response.go index 0bb51910387..1bc3056ab17 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/config_response.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/config_response.go @@ -24,13 +24,14 @@ type responseConfig struct { } type splitConfig struct { - Target string `config:"target" validation:"required"` - Type string `config:"type"` - Transforms transformsConfig `config:"transforms"` - Split *splitConfig `config:"split"` - KeepParent bool `config:"keep_parent"` - KeyField string `config:"key_field"` - DelimiterString string `config:"delimiter"` + Target string `config:"target" validation:"required"` + Type string `config:"type"` + Transforms transformsConfig `config:"transforms"` + Split *splitConfig `config:"split"` + KeepParent bool `config:"keep_parent"` + KeyField string `config:"key_field"` + DelimiterString string `config:"delimiter"` + IgnoreEmptyValue bool `config:"ignore_empty_value"` } func (c *responseConfig) Validate() error { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/pagination.go b/x-pack/filebeat/input/httpjson/internal/v2/pagination.go index de6261b3fd0..6ea063a10af 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/pagination.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/pagination.go 
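Review bot: The new `IgnoreEmptyValue` field in the `splitConfig` hunk changes error-versus-drop semantics for a split but carries no comment saying what counts as empty or what happens to the parent event when the target is skipped; the neighbouring fields are undocumented too, but this one is the only behavioural addition and deserves a line. Suggested: `// IgnoreEmptyValue makes a missing or empty target (nil, empty array/map, empty string) skip this split instead of being treated as an error on the root split; the child split, if any, still runs on the unmodified parent.` The user-facing docs for `response.split` are not part of this chunk, so I cannot tell whether `ignore_empty_value` has been added there; it should be if it has not. `responseConfig.Validate`, whose signature closes the hunk, continues outside it.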
@@ -19,7 +19,7 @@ const paginationNamespace = "pagination" func registerPaginationTransforms() { registerTransform(paginationNamespace, appendName, newAppendPagination) registerTransform(paginationNamespace, deleteName, newDeletePagination) - registerTransform(paginationNamespace, setName, newSetPagination) + registerTransform(paginationNamespace, setName, newSetRequestPagination) } type pagination struct { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/request.go b/x-pack/filebeat/input/httpjson/internal/v2/request.go index 6c223d746a9..921b13b9ab7 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/request.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/request.go @@ -22,7 +22,7 @@ const requestNamespace = "request" func registerRequestTransforms() { registerTransform(requestNamespace, appendName, newAppendRequest) registerTransform(requestNamespace, deleteName, newDeleteRequest) - registerTransform(requestNamespace, setName, newSetRequest) + registerTransform(requestNamespace, setName, newSetRequestPagination) } type httpClient struct { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/split.go b/x-pack/filebeat/input/httpjson/internal/v2/split.go index 9cb686e63ad..56c89f7f9ef 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/split.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/split.go 
@@ -21,18 +21,24 @@ var ( errExpectedSplitString = errors.New("split was expecting field to be a string") ) +// split is a split processor chain element. Split processing is executed +// by applying elements of the chain's linked list to an input until completed +// or an error state is encountered. type split struct { - log *logp.Logger - targetInfo targetInfo - kind string - transforms []basicTransform - child *split - keepParent bool - keyField string - isRoot bool - delimiter string + log *logp.Logger + targetInfo targetInfo + kind string + transforms []basicTransform + child *split + keepParent bool + ignoreEmptyValue bool + keyField string + isRoot bool + delimiter string } +// newSplitResponse returns a new split based on the provided config and +// logging to the provided logger, tagging the split as the root of the chain. func newSplitResponse(cfg *splitConfig, log *logp.Logger) (*split, error) { if cfg == nil { return nil, nil @@ -42,11 +48,13 @@ func newSplitResponse(cfg *splitConfig, log *logp.Logger) (*split, error) { if err != nil { return nil, err } - // we want to be able to identify which split is the root of the chain + // We want to be able to identify which split is the root of the chain. split.isRoot = true return split, nil } +// newSplit returns a new split based on the provided config and +// logging to the provided logger. func newSplit(c *splitConfig, log *logp.Logger) (*split, error) { ti, err := getTargetInfo(c.Target) if err != nil { 
@@ -71,22 +79,27 @@ func newSplit(c *splitConfig, log *logp.Logger) (*split, error) { } return &split{ - log: log, - targetInfo: ti, - kind: c.Type, - keepParent: c.KeepParent, - keyField: c.KeyField, - delimiter: c.DelimiterString, - transforms: ts, - child: s, + log: log, + targetInfo: ti, + kind: c.Type, + keepParent: c.KeepParent, + ignoreEmptyValue: c.IgnoreEmptyValue, + keyField: c.KeyField, + delimiter: c.DelimiterString, + transforms: ts, + child: s, }, nil } +// run runs the split operation on the contents of resp, sending successive +// split results on ch. ctx is passed to transforms that are called during +// the split. func (s *split) run(ctx *transformContext, resp transformable, ch chan<- maybeMsg) error { root := resp.body() return s.split(ctx, root, ch) } +// split recursively executes the split processor chain. func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybeMsg) error { v, err := root.GetValue(s.targetInfo.Name) if err != nil && err != common.ErrKeyNotFound { @@ -94,6 +107,12 @@ func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybe } if v == nil { + if s.ignoreEmptyValue { + if s.child != nil { + return s.child.split(ctx, root, ch) + } + return nil + } if s.isRoot { return errEmptyRootField } @@ -109,6 +128,12 @@ func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybe } if len(varr) == 0 { + if s.ignoreEmptyValue { + if s.child != nil { + return s.child.split(ctx, root, ch) + } + return nil + } if s.isRoot { return errEmptyRootField } @@ -130,6 +155,12 @@ func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybe } if len(vmap) == 0 { + if s.ignoreEmptyValue { + if s.child != nil { + return s.child.split(ctx, root, ch) + } + return nil + } if s.isRoot { return errEmptyRootField } 
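Review bot: The same six-line block `if s.ignoreEmptyValue { if s.child != nil { return s.child.split(ctx, root, ch) }; return nil }` is pasted into the nil, array and map branches of `split` on this line and again into the string branch in the next hunk; a small helper would keep the four sites from drifting and make the ordering relative to the `isRoot` check visible in one place. Because the `ignoreEmptyValue` check comes before `if s.isRoot`, a root split with `ignore_empty_value: true` and no child emits nothing at all on an empty target instead of returning `errEmptyRootField`; if that silent zero-event outcome is intended, the helper's comment is the place to say so. `split` begins in the `@@ -71,22 +79,27 @@` hunk on this line and continues past the last hunk here.
```go
// skipEmpty implements ignoreEmptyValue for a missing or empty target: it
// hands the unmodified root to the child split, if any, and otherwise emits
// nothing. done reports whether the caller should return err immediately.
func (s *split) skipEmpty(ctx *transformContext, root common.MapStr, ch chan<- maybeMsg) (done bool, err error) {
	if !s.ignoreEmptyValue {
		return false, nil
	}
	if s.child != nil {
		return true, s.child.split(ctx, root, ch)
	}
	return true, nil
}

// … in split(), at each of the four empty checks (v == nil, len(varr) == 0,
// len(vmap) == 0, len(vstr) == 0), replacing the pasted block …
	if done, err := s.skipEmpty(ctx, root, ch); done {
		return err
	}
	if s.isRoot {
		return errEmptyRootField
	}
```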
@@ -151,6 +182,12 @@ func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybe } if len(vstr) == 0 { + if s.ignoreEmptyValue { + if s.child != nil { + return s.child.split(ctx, root, ch) + } + return nil + } if s.isRoot { return errEmptyRootField } @@ -169,6 +206,8 @@ func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybe return errors.New("unknown split type") } +// sendMessage sends an array or map split result value, v, on ch after performing +// any necessary transformations. If key is "", the value is an element of an array. func (s *split) sendMessage(ctx *transformContext, root common.MapStr, key string, v interface{}, ch chan<- maybeMsg) error { obj, ok := toMapStr(v) if !ok { @@ -220,6 +259,8 @@ func toMapStr(v interface{}) (common.MapStr, bool) { return common.MapStr{}, false } +// sendMessage sends a string split result value, v, on ch after performing any +// necessary transformations. If key is "", the value is an element of an array. func (s *split) sendMessageSplitString(ctx *transformContext, root common.MapStr, v string, ch chan<- maybeMsg) error { clone := root.Clone() _, _ = clone.Put(s.targetInfo.Name, v) diff --git a/x-pack/filebeat/input/httpjson/internal/v2/split_test.go b/x-pack/filebeat/input/httpjson/internal/v2/split_test.go index 2c53d0fcbe1..c385771667b 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/split_test.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/split_test.go 
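Review bot: The doc comment added to `sendMessageSplitString` in the `@@ -220,6 +259,8 @@` hunk is wrong on two counts: it names the function `sendMessage`, and it says "If key is "", the value is an element of an array" although this function has no `key` parameter — it was copied from the comment added to `sendMessage` earlier on this line. Replace it with `// sendMessageSplitString sends a string split result value, v, on ch after performing any necessary transformations; v is stored under the split's target name in a clone of root.` The only body line visible here is `_, _ = clone.Put(s.targetInfo.Name, v)`, so the last clause is what that line shows and nothing more; the function continues outside the hunk.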
@@ -354,6 +354,270 @@ func TestSplit(t *testing.T) { {"@timestamp": "1234567890", "items": "Line 3"}, }, }, + { + name: "An empty array in an object", + config: &splitConfig{ + Target: "body.response", + Type: "array", + Split: &splitConfig{ + Target: "body.Event.Attributes", + IgnoreEmptyValue: true, + KeepParent: true, + Split: &splitConfig{ + Target: "body.Event.OtherAttributes", + KeepParent: true, + }, + }, + }, + ctx: emptyTransformContext(), + resp: transformable{ + "body": common.MapStr{ + "response": []interface{}{ + map[string]interface{}{ + "Event": map[string]interface{}{ + "timestamp": "1606324417", + "Attributes": []interface{}{}, + "OtherAttributes": []interface{}{ + map[string]interface{}{ + "key": "value", + }, + map[string]interface{}{ + "key2": "value2", + }, + }, + }, + }, + }, + }, + }, + expectedMessages: []common.MapStr{ + { + "Event": common.MapStr{ + "timestamp": "1606324417", + "Attributes": []interface{}{}, + "OtherAttributes": common.MapStr{ + "key": "value", + }, + }, + }, + { + "Event": common.MapStr{ + "timestamp": "1606324417", + "Attributes": []interface{}{}, + "OtherAttributes": common.MapStr{ + "key2": "value2", + }, + }, + }, + }, + expectedErr: nil, + }, + { + name: "A missing array in an object", + config: &splitConfig{ + Target: "body.response", + Type: "array", + Split: &splitConfig{ + Target: "body.Event.Attributes", + IgnoreEmptyValue: true, + KeepParent: true, + Split: &splitConfig{ + Target: "body.Event.OtherAttributes", + KeepParent: true, + }, + }, + }, + ctx: emptyTransformContext(), + resp: transformable{ + "body": common.MapStr{ + "response": []interface{}{ + map[string]interface{}{ + "Event": map[string]interface{}{ + "timestamp": "1606324417", + "OtherAttributes": []interface{}{ + map[string]interface{}{ + "key": "value", + }, + map[string]interface{}{ + "key2": "value2", + }, + }, + }, + }, + }, + }, + }, + expectedMessages: []common.MapStr{ + { + "Event": common.MapStr{ + "timestamp": "1606324417", + 
"OtherAttributes": common.MapStr{ + "key": "value", + }, + }, + }, + { + "Event": common.MapStr{ + "timestamp": "1606324417", + "OtherAttributes": common.MapStr{ + "key2": "value2", + }, + }, + }, + }, + expectedErr: nil, + }, + { + name: "An empty map in an object", + config: &splitConfig{ + Target: "body.response", + Type: "array", + Split: &splitConfig{ + Target: "body.Event.Attributes", + Type: "map", + IgnoreEmptyValue: true, + KeepParent: true, + Split: &splitConfig{ + Type: "map", + Target: "body.Event.OtherAttributes", + KeepParent: true, + }, + }, + }, + ctx: emptyTransformContext(), + resp: transformable{ + "body": common.MapStr{ + "response": []interface{}{ + map[string]interface{}{ + "Event": map[string]interface{}{ + "timestamp": "1606324417", + "Attributes": map[string]interface{}{}, + "OtherAttributes": map[string]interface{}{ + // Only include a single item here to avoid + // map iteration order flakes. + "1": map[string]interface{}{ + "key": "value", + }, + }, + }, + }, + }, + }, + }, + expectedMessages: []common.MapStr{ + { + "Event": common.MapStr{ + "timestamp": "1606324417", + "Attributes": common.MapStr{}, + "OtherAttributes": common.MapStr{ + "key": "value", + }, + }, + }, + }, + expectedErr: nil, + }, + { + name: "A missing map in an object", + config: &splitConfig{ + Target: "body.response", + Type: "array", + Split: &splitConfig{ + Target: "body.Event.Attributes", + Type: "map", + IgnoreEmptyValue: true, + KeepParent: true, + Split: &splitConfig{ + Type: "map", + Target: "body.Event.OtherAttributes", + KeepParent: true, + }, + }, + }, + ctx: emptyTransformContext(), + resp: transformable{ + "body": common.MapStr{ + "response": []interface{}{ + map[string]interface{}{ + "Event": map[string]interface{}{ + "timestamp": "1606324417", + "OtherAttributes": map[string]interface{}{ + // Only include a single item here to avoid + // map iteration order flakes. 
+ "1": map[string]interface{}{ + "key": "value", + }, + }, + }, + }, + }, + }, + }, + expectedMessages: []common.MapStr{ + { + "Event": common.MapStr{ + "timestamp": "1606324417", + "OtherAttributes": common.MapStr{ + "key": "value", + }, + }, + }, + }, + expectedErr: nil, + }, + { + name: "An empty string", + config: &splitConfig{ + Target: "body.items", + Type: "string", + DelimiterString: "\n", + IgnoreEmptyValue: true, + Split: &splitConfig{ + Target: "body.other_items", + Type: "string", + DelimiterString: "\n", + }, + }, + ctx: emptyTransformContext(), + resp: transformable{ + "body": common.MapStr{ + "@timestamp": "1234567890", + "items": "", + "other_items": "Line 1\nLine 2\nLine 3", + }, + }, + expectedMessages: []common.MapStr{ + {"@timestamp": "1234567890", "items": "", "other_items": "Line 1"}, + {"@timestamp": "1234567890", "items": "", "other_items": "Line 2"}, + {"@timestamp": "1234567890", "items": "", "other_items": "Line 3"}, + }, + }, + { + name: "A missing string", + config: &splitConfig{ + Target: "body.items", + Type: "string", + DelimiterString: "\n", + IgnoreEmptyValue: true, + Split: &splitConfig{ + Target: "body.other_items", + Type: "string", + DelimiterString: "\n", + }, + }, + ctx: emptyTransformContext(), + resp: transformable{ + "body": common.MapStr{ + "@timestamp": "1234567890", + "other_items": "Line 1\nLine 2\nLine 3", + }, + }, + expectedMessages: []common.MapStr{ + {"@timestamp": "1234567890", "other_items": "Line 1"}, + {"@timestamp": "1234567890", "other_items": "Line 2"}, + {"@timestamp": "1234567890", "other_items": "Line 3"}, + }, + }, } for _, tc := range cases { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/transform_set.go b/x-pack/filebeat/input/httpjson/internal/v2/transform_set.go index 26a389c01da..c38f1719faf 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/transform_set.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/transform_set.go 
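Review bot: Every new case sets `IgnoreEmptyValue` on a split that has a child, so the branch in `split.split` where `ignoreEmptyValue` is true and `child` is nil — which returns nil without sending anything — is never exercised, and neither is its precedence over `isRoot`, where a root split would otherwise return `errEmptyRootField`. Add a case with an empty root target and no child, e.g. `config: &splitConfig{Target: "body.items", Type: "array", IgnoreEmptyValue: true}` with `"items": []interface{}{}` in the body, asserting no messages and a nil `expectedErr`, so the zero-event behaviour is pinned rather than incidental. The map cases already note the single-item workaround for iteration order, which is fine. `TestSplit` starts before this hunk and the loop over `cases` continues after it.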
@@ -39,7 +39,7 @@ type set struct { func (set) transformName() string { return setName } -func newSetRequest(cfg *common.Config, log *logp.Logger) (transform, error) { +func newSetRequestPagination(cfg *common.Config, log *logp.Logger) (transform, error) { set, err := newSet(cfg, log) if err != nil { return nil, err @@ -52,6 +52,8 @@ func newSetRequest(cfg *common.Config, log *logp.Logger) (transform, error) { set.runFunc = setHeader case targetURLParams: set.runFunc = setURLParams + case targetURLValue: + set.runFunc = setURLValue default: return nil, fmt.Errorf("invalid target type: %s", set.targetInfo.Type) } @@ -75,28 +77,6 @@ func newSetResponse(cfg *common.Config, log *logp.Logger) (transform, error) { return &set, nil } -func newSetPagination(cfg *common.Config, log *logp.Logger) (transform, error) { - set, err := newSet(cfg, log) - if err != nil { - return nil, err - } - - switch set.targetInfo.Type { - case targetBody: - set.runFunc = setBody - case targetHeader: - set.runFunc = setHeader - case targetURLParams: - set.runFunc = setURLParams - case targetURLValue: - set.runFunc = setURLValue - default: - return nil, fmt.Errorf("invalid target type: %s", set.targetInfo.Type) - } - - return &set, nil -} - func newSet(cfg *common.Config, log *logp.Logger) (set, error) { c := &setConfig{} if err := cfg.Unpack(c); err != nil { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/transform_set_test.go b/x-pack/filebeat/input/httpjson/internal/v2/transform_set_test.go index a011302da33..6a3a2d8915c 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/transform_set_test.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/transform_set_test.go 
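Review bot: The merged constructor `newSetRequestPagination` now accepts `targetURLValue` for request-phase transforms, which the removed `newSetRequest` rejected with "invalid target type"; the widening is not stated anywhere in the hunk, so a reader cannot tell whether request transforms are meant to rewrite the URL value or whether this is an accidental side effect of folding the two constructors together. If it is intended, add a doc comment on the signature, e.g. `// newSetRequestPagination builds the set transform shared by the request and pagination phases; it accepts body, header, url.params and url.value targets.`; if it is not, the request-phase registration needs to keep rejecting `url.value`. The `@@ -52` hunk adding the `case targetURLValue:` branch sits inside the same function, whose start is outside that hunk.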
@@ -41,72 +41,40 @@ func TestNewSet(t *testing.T) { expectedErr: "invalid target: cursor.foo", }, { - name: "newSetRequest targets body", - constructor: newSetRequest, + name: "newSetRequestPagination targets body", + constructor: newSetRequestPagination, config: map[string]interface{}{ "target": "body.foo", }, expectedTarget: targetInfo{Name: "foo", Type: "body"}, }, { - name: "newSetRequest targets header", - constructor: newSetRequest, + name: "newSetRequestPagination targets header", + constructor: newSetRequestPagination, config: map[string]interface{}{ "target": "header.foo", }, expectedTarget: targetInfo{Name: "foo", Type: "header"}, }, { - name: "newSetRequest targets url param", - constructor: newSetRequest, + name: "newSetRequestPagination targets url param", + constructor: newSetRequestPagination, config: map[string]interface{}{ "target": "url.params.foo", }, expectedTarget: targetInfo{Name: "foo", Type: "url.params"}, }, { - name: "newSetRequest targets something else", - constructor: newSetRequest, - config: map[string]interface{}{ - "target": "cursor.foo", - }, - expectedErr: "invalid target: cursor.foo", - }, - { - name: "newSetPagination targets body", - constructor: newSetPagination, - config: map[string]interface{}{ - "target": "body.foo", - }, - expectedTarget: targetInfo{Name: "foo", Type: "body"}, - }, - { - name: "newSetPagination targets header", - constructor: newSetPagination, - config: map[string]interface{}{ - "target": "header.foo", - }, - expectedTarget: targetInfo{Name: "foo", Type: "header"}, - }, - { - name: "newSetPagination targets url param", - constructor: newSetPagination, - config: map[string]interface{}{ - "target": "url.params.foo", - }, - expectedTarget: targetInfo{Name: "foo", Type: "url.params"}, - }, - { - name: "newSetPagination targets url value", - constructor: newSetPagination, + name: "newSetRequestPagination targets url value", + constructor: newSetRequestPagination, config: map[string]interface{}{ "target": 
"url.value", }, expectedTarget: targetInfo{Type: "url.value"}, }, { - name: "newSetPagination targets something else", - constructor: newSetPagination, + name: "newSetRequestPagination targets something else", + constructor: newSetRequestPagination, config: map[string]interface{}{ "target": "cursor.foo", }, diff --git a/x-pack/filebeat/input/httpjson/internal/v2/transform_test.go b/x-pack/filebeat/input/httpjson/internal/v2/transform_test.go index dbc788e6001..2ac43b3faf9 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/transform_test.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/transform_test.go @@ -46,7 +46,7 @@ func TestTransformableClone(t *testing.T) { } func TestNewTransformsFromConfig(t *testing.T) { - registerTransform("test", setName, newSetRequest) + registerTransform("test", setName, newSetRequestPagination) t.Cleanup(func() { registeredTransforms = newRegistry() }) cases := []struct { @@ -126,7 +126,7 @@ func TestNewBasicTransformsFromConfig(t *testing.T) { return fakeTransform{}, nil } - registerTransform("test", setName, newSetRequest) + registerTransform("test", setName, newSetRequestPagination) registerTransform("test", "fake", fakeConstr) t.Cleanup(func() { registeredTransforms = newRegistry() }) diff --git a/x-pack/filebeat/magefile.go b/x-pack/filebeat/magefile.go index 9c7f436e2e4..c4532d5f56a 100644 --- a/x-pack/filebeat/magefile.go +++ b/x-pack/filebeat/magefile.go @@ -45,12 +45,12 @@ func Build() error { // GolangCrossBuild builds the Beat binary inside of the golang-builder. // Do not use directly, use crossBuild instead. func GolangCrossBuild() error { - return devtools.GolangCrossBuild(devtools.DefaultGolangCrossBuildArgs()) + return filebeat.GolangCrossBuild() } // CrossBuild cross-builds the beat for all target platforms. func CrossBuild() error { - return devtools.CrossBuild() + return filebeat.CrossBuild() } // BuildGoDaemon builds the go-daemon binary (use crossBuildGoDaemon). 
@@ -130,6 +130,7 @@ func ExportDashboard() error { // Config generates both the short and reference configs. func Config() { mg.Deps(configYML, devtools.GenerateDirModulesD) + mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled) } func configYML() error { diff --git a/x-pack/filebeat/module/activemq/_meta/config.yml b/x-pack/filebeat/module/activemq/_meta/config.yml index 593c6c1632d..8c965bd1a8e 100644 --- a/x-pack/filebeat/module/activemq/_meta/config.yml +++ b/x-pack/filebeat/module/activemq/_meta/config.yml @@ -1,7 +1,7 @@ - module: activemq # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Application logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/aws/_meta/docs.asciidoc b/x-pack/filebeat/module/aws/_meta/docs.asciidoc index a36b1bd599b..f852da55a41 100644 --- a/x-pack/filebeat/module/aws/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/aws/_meta/docs.asciidoc 
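Review bot: The doc comment on `Config` still says it only "generates both the short and reference configs", but the added `mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled)` makes it a validation step that can fail the build, presumably when any modules.d dataset is left enabled (inferred from the name; confirm against the devtools implementation). Update the comment to say so, e.g. `// Config generates the short and reference configs, then validates modules.d, failing if any dataset is enabled by default.`. Since `mg.Deps` returns only after both dependencies finish, the validation correctly sees the generated files, so the ordering itself looks right.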
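Review bot: Flipping `enabled: true` to `enabled: false` for the `audit` and `log` filesets is a user-visible default change: anyone who enables the activemq module and relied on every fileset being on now collects nothing until they set `enabled: true` per fileset, and nothing in the template tells them that. The same change is made in the azure, barracuda, bluecoat, cef, checkpoint and cisco `_meta/config.yml` hunks below, so one comment line at the top of each template such as `# All filesets are disabled by default; set enabled: true for the ones to collect.` (plus a changelog entry, if not already added elsewhere in this series) would make the new default discoverable. From an exposure standpoint the new default is the safer one, since filesets such as cef and barracuda open network listeners when enabled, which is worth stating in the changelog entry as well.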
@@ -192,6 +192,29 @@ Required when using temporary security credentials. *`var.role_arn`*:: AWS IAM Role to assume. +[float] +=== config behaviour +Beware that in case both `var.queue_url` and `var.bucket_arn` are not set +instead of failing to start Filebeat with a config validation error, only the +specific fileset input will be stopped and a warning printed: +``` +2021-08-26T14:33:03.661-0600 WARN [aws-s3] awss3/config.go:54 neither queue_url nor bucket_arn were provided, input aws-s3 will stop +2021-08-26T14:33:10.668-0600 INFO [input.aws-s3] compat/compat.go:111 Input aws-s3 starting {"id": "29F3565F5B2A7070"} +2021-08-26T14:33:10.668-0600 INFO [input.aws-s3] compat/compat.go:124 Input 'aws-s3' stopped {"id": "29F3565F5B2A7070"} +``` + +This behaviour is required in order to reduce destruction of existing Filebeat setup +where not all AWS module's filesets are defined and will change in next major release. + +Setting `enabled: false` in the unused fileset will silence the warning and it is +the suggested setup. For example (assuming `cloudtrail` as unused fileset): +``` +- module: aws + cloudtrail: + enabled: false + +``` + [float] === cloudtrail fileset diff --git a/x-pack/filebeat/module/aws/_meta/kibana/7/map/0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json b/x-pack/filebeat/module/aws/_meta/kibana/7/map/0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json index 5082eae2c9e..3f128a002ea 100644 --- a/x-pack/filebeat/module/aws/_meta/kibana/7/map/0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json +++ b/x-pack/filebeat/module/aws/_meta/kibana/7/map/0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json 
@@ -1,8 +1,154 @@ { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"19047c4c-18d7-4aec-b0ce-98de2828244d\",\"label\":\"Hits\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"id\":\"1e82f50f-424a-4718-905b-ad45db14db62\",\"geoField\":\"source.geo.location\",\"requestType\":\"point\",\"resolution\":\"COARSE\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"applyGlobalQuery\":true},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"label\":\"count\",\"name\":\"doc_count\",\"origin\":\"source\"},\"color\":\"Blues\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#167a6d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"label\":\"count\",\"name\":\"doc_count\",\"origin\":\"source\"},\"minSize\":4,\"maxSize\":32,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}}}},\"id\":\"1d457cd4-01be-4f96-95fd-af4ac535ebea\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\"}]", - "mapStateJSON": 
"{\"zoom\":3.9,\"center\":{\"lon\":13.666,\"lat\":50.97903},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"filebeat-*\",\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"fileset.name\",\"value\":\"elb\",\"params\":{\"query\":\"elb\"}},\"query\":{\"match\":{\"fileset.name\":{\"query\":\"elb\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"settings\":{\"autoFitToDataBounds\":false}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "19047c4c-18d7-4aec-b0ce-98de2828244d", + "label": "Hits", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": {}, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "1d457cd4-01be-4f96-95fd-af4ac535ebea", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "geoField": "source.geo.location", + "id": "1e82f50f-424a-4718-905b-ad45db14db62", + "indexPatternRefName": "layer_1_source_index_pattern", + "requestType": "point", + "resolution": "COARSE", + "type": "ES_GEO_GRID" + }, + "style": { + "properties": { + "fillColor": { + "options": { + "color": "Blues", + "field": { + "label": "count", + "name": "doc_count", + "origin": "source" + }, + "fieldMetaOptions": { + "isEnabled": false, + "sigma": 3 + } + }, + "type": "DYNAMIC" + }, + "icon": { + "options": { + "value": "airfield" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "field": { + "label": "count", + "name": "doc_count", + "origin": "source" + }, + "fieldMetaOptions": { + "isEnabled": false, + "sigma": 3 + }, + "maxSize": 32, + "minSize": 4 + }, + "type": "DYNAMIC" + }, + "lineColor": { + "options": { + "color": "#167a6d" + }, + "type": "STATIC" + }, + 
"lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 50.97903, + "lon": 13.666 + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "fileset.name", + "negate": false, + "params": { + "query": "elb" + }, + "type": "phrase", + "value": "elb" + }, + "query": { + "match": { + "fileset.name": { + "query": "elb", + "type": "phrase" + } + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false + }, + "timeFilters": { + "from": "now-15m", + "to": "now" + }, + "zoom": 3.9 + }, "title": "ELB Requests Geolocation [Filebeat AWS] ECS", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/aws/_meta/kibana/7/map/513a3d70-4482-11ea-ad63-791a5dc86f10.json b/x-pack/filebeat/module/aws/_meta/kibana/7/map/513a3d70-4482-11ea-ad63-791a5dc86f10.json index 558f5987a06..94698371beb 100644 --- a/x-pack/filebeat/module/aws/_meta/kibana/7/map/513a3d70-4482-11ea-ad63-791a5dc86f10.json +++ b/x-pack/filebeat/module/aws/_meta/kibana/7/map/513a3d70-4482-11ea-ad63-791a5dc86f10.json 
@@ -1,8 +1,189 @@ { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"842c201e-96d7-413d-8688-de5ee4f8a1e0\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"97903038-e08d-4451-bbd2-eb92c894bdf5\",\"type\":\"ES_SEARCH\",\"geoField\":\"destination.geo.location\",\"filterByMapBounds\":true,\"tooltipProperties\":[],\"topHitsSize\":1,\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#1EA593\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#167a6d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":5}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}}}},\"id\":\"401944dd-a371-4698-be17-bc4542e9a5d4\",\"label\":\"vpc flow action accept\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"query\":{\"query\":\"aws.vpcflow.action : \\\"ACCEPT\\\" 
\",\"language\":\"kuery\"}},{\"sourceDescriptor\":{\"id\":\"9c0e7cce-4f21-4bcd-bb50-ae36c0fffffb\",\"type\":\"ES_SEARCH\",\"geoField\":\"source.geo.location\",\"filterByMapBounds\":true,\"tooltipProperties\":[],\"topHitsSize\":1,\"indexPatternRefName\":\"layer_2_source_index_pattern\",\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#f00f0b\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#7a1a18\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":5}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}}}},\"id\":\"b1d44a5c-3a04-4c80-8080-57585b02fd48\",\"label\":\"vpc flow action reject\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"query\":{\"query\":\"aws.vpcflow.action : \\\"REJECT\\\" \",\"language\":\"kuery\"}}]", - "mapStateJSON": "{\"zoom\":0.47,\"center\":{\"lon\":-108.92402,\"lat\":0},\"timeFilters\":{\"from\":\"now-15d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "842c201e-96d7-413d-8688-de5ee4f8a1e0", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": {}, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "401944dd-a371-4698-be17-bc4542e9a5d4", + "label": "vpc flow action accept", + "maxZoom": 24, + "minZoom": 0, + "query": { + "language": "kuery", + "query": "aws.vpcflow.action : \"ACCEPT\" " + }, + "sourceDescriptor": { + "applyGlobalQuery": 
true, + "filterByMapBounds": true, + "geoField": "destination.geo.location", + "id": "97903038-e08d-4451-bbd2-eb92c894bdf5", + "indexPatternRefName": "layer_1_source_index_pattern", + "scalingType": "LIMIT", + "sortField": "@timestamp", + "sortOrder": "desc", + "tooltipProperties": [], + "topHitsSize": 1, + "type": "ES_SEARCH" + }, + "style": { + "properties": { + "fillColor": { + "options": { + "color": "#1EA593" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "airfield" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 5 + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#167a6d" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + }, + { + "alpha": 0.75, + "id": "b1d44a5c-3a04-4c80-8080-57585b02fd48", + "label": "vpc flow action reject", + "maxZoom": 24, + "minZoom": 0, + "query": { + "language": "kuery", + "query": "aws.vpcflow.action : \"REJECT\" " + }, + "sourceDescriptor": { + "applyGlobalQuery": true, + "filterByMapBounds": true, + "geoField": "source.geo.location", + "id": "9c0e7cce-4f21-4bcd-bb50-ae36c0fffffb", + "indexPatternRefName": "layer_2_source_index_pattern", + "scalingType": "LIMIT", + "sortField": "@timestamp", + "sortOrder": "desc", + "tooltipProperties": [], + "topHitsSize": 1, + "type": "ES_SEARCH" + }, + "style": { + "properties": { + "fillColor": { + "options": { + "color": "#f00f0b" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "airfield" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 5 + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#7a1a18" + }, + "type": "STATIC" 
+ }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 0, + "lon": -108.92402 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false + }, + "timeFilters": { + "from": "now-15d", + "to": "now" + }, + "zoom": 0.47 + }, "title": "VPC Flow Action Geo Location[Filebeat AWS]", "uiStateJSON": { "isLayerTOCOpen": false, diff --git a/x-pack/filebeat/module/aws/_meta/kibana/7/map/dae24080-739a-11ea-a345-f985c61fe654.json b/x-pack/filebeat/module/aws/_meta/kibana/7/map/dae24080-739a-11ea-a345-f985c61fe654.json index 1908bdc747b..a1b23ec8fbe 100644 --- a/x-pack/filebeat/module/aws/_meta/kibana/7/map/dae24080-739a-11ea-a345-f985c61fe654.json +++ b/x-pack/filebeat/module/aws/_meta/kibana/7/map/dae24080-739a-11ea-a345-f985c61fe654.json 
@@ -1,8 +1,148 @@ { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"2c7b49fb-3fb5-4e18-b27f-fabe930971f3\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"7bfe2df9-9398-4f1a-8cf7-b57aa5f3f31e\",\"geoField\":\"source.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"LIMIT\",\"topHitsSize\":1,\"type\":\"ES_SEARCH\",\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"a10fa758-30ad-4e2a-bf9d-472e133a7f17\",\"label\":\"CloudTrail Soure Location\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[],\"query\":{\"query\":\"event.dataset:aws.cloudtrail\",\"language\":\"kuery\"}}]", - "mapStateJSON": 
"{\"zoom\":1.97,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "2c7b49fb-3fb5-4e18-b27f-fabe930971f3", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": {}, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "a10fa758-30ad-4e2a-bf9d-472e133a7f17", + "joins": [], + "label": "CloudTrail Soure Location", + "maxZoom": 24, + "minZoom": 0, + "query": { + "language": "kuery", + "query": "event.dataset:aws.cloudtrail" + }, + "sourceDescriptor": { + "applyGlobalQuery": true, + "filterByMapBounds": true, + "geoField": "source.geo.location", + "id": "7bfe2df9-9398-4f1a-8cf7-b57aa5f3f31e", + "indexPatternRefName": "layer_1_source_index_pattern", + "scalingType": "LIMIT", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [], + "topHitsSize": 1, + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#54B399" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#41937c" + }, + "type": "STATIC" + }, + 
"lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 19.94277, + "lon": 0 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false + }, + "timeFilters": { + "from": "now-15m", + "to": "now" + }, + "zoom": 1.97 + }, "title": "CloudTrail Source Location [Filebeat AWS]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/azure/_meta/config.yml b/x-pack/filebeat/module/azure/_meta/config.yml index fdea9b1f252..02f06ae956d 100644 --- a/x-pack/filebeat/module/azure/_meta/config.yml +++ b/x-pack/filebeat/module/azure/_meta/config.yml @@ -1,7 +1,7 @@ - module: azure # All logs activitylogs: - enabled: true + enabled: false var: # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub eventhub: "insights-operational-logs" diff --git a/x-pack/filebeat/module/barracuda/_meta/config.yml b/x-pack/filebeat/module/barracuda/_meta/config.yml index 36ecc93be83..c6e7a48e75b 100644 --- a/x-pack/filebeat/module/barracuda/_meta/config.yml +++ b/x-pack/filebeat/module/barracuda/_meta/config.yml @@ -1,6 +1,6 @@ - module: barracuda waf: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -19,7 +19,7 @@ # var.tz_offset: local spamfirewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/bluecoat/_meta/config.yml b/x-pack/filebeat/module/bluecoat/_meta/config.yml index b4c71666b1c..76056292f7b 100644 --- a/x-pack/filebeat/module/bluecoat/_meta/config.yml +++ b/x-pack/filebeat/module/bluecoat/_meta/config.yml 
@@ -1,6 +1,6 @@ - module: bluecoat director: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/cef/_meta/config.yml b/x-pack/filebeat/module/cef/_meta/config.yml index 1b9ff319441..53a29aa10ba 100644 --- a/x-pack/filebeat/module/cef/_meta/config.yml +++ b/x-pack/filebeat/module/cef/_meta/config.yml @@ -1,6 +1,6 @@ - module: cef log: - enabled: true + enabled: false var: syslog_host: localhost syslog_port: 9003 diff --git a/x-pack/filebeat/module/checkpoint/_meta/config.yml b/x-pack/filebeat/module/checkpoint/_meta/config.yml index 8ed0c7d11c2..69357058b66 100644 --- a/x-pack/filebeat/module/checkpoint/_meta/config.yml +++ b/x-pack/filebeat/module/checkpoint/_meta/config.yml @@ -1,6 +1,6 @@ - module: checkpoint firewall: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index 3af897a1225..3fd735c050d 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml @@ -1,6 +1,6 @@ - module: cisco asa: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -26,7 +26,7 @@ #var.external_zones: [ "External" ] ftd: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -52,7 +52,7 @@ #var.external_zones: [ "External" ] ios: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -69,7 +69,7 @@ #var.paths: nexus: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -88,7 +88,7 @@ # var.tz_offset: local meraki: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp 
@@ -107,7 +107,7 @@ # var.tz_offset: local umbrella: - enabled: true + enabled: false #var.input: aws-s3 # AWS SQS queue url @@ -122,7 +122,7 @@ #var.api_timeout: 120s amp: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index f41b0383a11..e321a6cf3a2 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml @@ -187,3 +187,15 @@ default_field: false description: > The WebVPN group name the user belongs to + + - name: termination_initiator + type: keyword + default_field: false + description: > + Interface name of the side that initiated the teardown + + - name: tunnel_type + type: keyword + default_field: false + description: > + SA type (remote access or L2L) diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log index 0c3aef67223..e1666f72432 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log 
@@ -17,7 +17,7 @@ May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10 May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3 May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839) -May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00 +May 5 18:29:32 dev01: %ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00 May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006 May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111 
@@ -83,3 +83,10 @@ Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unaccept Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable! Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable! Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable! +Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound" +Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group "OUTSIDE_in" +Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944 +May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269 +May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018 +May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466 +May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054 
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index cbe5e2b82eb..8866c2baa1b 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -31,6 +31,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, + "network.community_id": "1:Fw2gM6G3TtQ3pHWsZKBU6LW96pQ=", "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", @@ -91,6 +92,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 162, + "network.community_id": "1:IVpSg0ysDmubwwgwjXBIZ47C7h0=", "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", @@ -338,7 +340,9 @@ "input.type": "log", "log.level": "informational", "log.offset": 770, - "network.transport": "tcp flow", + "network.community_id": "1:fZKugXq2jG4PzddJfuy6XDBSNb4=", + "network.iana_number": 6, + "network.transport": "tcp", "observer.egress.interface.name": "fw111", "observer.hostname": "dev01", "observer.ingress.interface.name": "fw111", @@ -395,6 +399,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 932, + "network.community_id": "1:RAjPAJDWj8kCZQnmEJzqMl9E6h8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "fw109", @@ -446,6 +451,7 @@ "input.type": "log", "log.level": "debug", "log.offset": 1119, + "network.community_id": "1:7GE6gaRtd6w4KEJWhDLHwfgp1Do=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "fw111", @@ -619,6 +625,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1722, + "network.community_id": "1:adLbp2MSbpgtKlYEN938sSARKPs=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "dev01", 
@@ -860,6 +867,7 @@ "log.level": "informational", "log.offset": 2298, "network.bytes": 0, + "network.community_id": "1:4wndP8OTPk0tlCwv5mj9vURDLQ0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "fw111", @@ -916,6 +924,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2462, + "network.community_id": "1:N0ZlFq5yxkndvN9h3uigv6XgVms=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -945,7 +954,7 @@ }, { "cisco.asa.destination_interface": "out111", - "cisco.asa.message_id": "302012", + "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "fw111", "destination.address": "192.168.2.2", "destination.ip": "192.168.2.2", @@ -954,13 +963,13 @@ "event.category": [ "network" ], - "event.code": 302012, + "event.code": 305012, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2021-05-05T18:29:32.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", + "event.original": "%ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", "event.severity": 6, "event.start": "2021-05-05T20:29:32.000Z", "event.timezone": "-02:00", @@ -973,6 +982,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2623, + "network.community_id": "1:PyQWTuzAdzYav2//+TQFcJTt2os=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "out111", @@ -1024,6 +1034,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 2768, + "network.community_id": "1:adLbp2MSbpgtKlYEN938sSARKPs=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "dev01", 
@@ -1072,6 +1083,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2904, + "network.community_id": "1:hoENwaIuofrQAf7gW+y4f0XXbxc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "out111", @@ -1123,6 +1135,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 3029, + "network.community_id": "1:+xI89PlchTpu6dxTMHpkmkd99Ns=", "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1189,6 +1202,7 @@ "log.level": "critical", "log.offset": 3172, "network.bytes": 64585, + "network.community_id": "1:eOIoJBMMmanddR7cRZ0I9vTVI7o=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "net", @@ -1245,6 +1259,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 3328, + "network.community_id": "1:QsMj86uzy+H1c1pPwrevpSOTh6Q=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1305,6 +1320,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 3491, + "network.community_id": "1:QsMj86uzy+H1c1pPwrevpSOTh6Q=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1362,6 +1378,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 3654, + "network.community_id": "1:mPK7q/c5ZVhrh2fX6Uqp5314u3M=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "out111", @@ -1461,6 +1478,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 3935, + "network.community_id": "1:CQXm0MA6TgkTzvcatvgQvikqqes=", "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", @@ -1512,6 +1530,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4053, + "network.community_id": "1:CctaOB5wLrJrIATPwYjXODlSpRk=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "dev01", 
@@ -1562,6 +1581,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4197, + "network.community_id": "1:ghA7Jv5D0sCP4HhHb948hjqh3H4=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "dev01", @@ -1612,6 +1632,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4337, + "network.community_id": "1:daEI7UiyuAFNVP1xsUsb/AHJ/1I=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "dev01", @@ -1661,6 +1682,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4472, + "network.community_id": "1:1Rjth0DOphFZyLUBP572S4VdEu0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "net", @@ -1711,6 +1733,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4631, + "network.community_id": "1:1Rjth0DOphFZyLUBP572S4VdEu0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "net", @@ -1816,6 +1839,7 @@ "log.level": "informational", "log.offset": 4949, "network.bytes": 0, + "network.community_id": "1:A692g/lxHLbLsT0d0M1RFfiHIs0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "net", @@ -1871,6 +1895,7 @@ "log.level": "informational", "log.offset": 5142, "network.bytes": 0, + "network.community_id": "1:pcILvYGm5J7rxuqU5/TRGZGGe3E=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "unknown", @@ -2002,6 +2027,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5571, + "network.community_id": "1:XgYjYk8hbPPlEnBcHqCD172wQQE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "fw111", @@ -2055,6 +2081,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5743, + "network.community_id": "1:a99mceIcFv0NTz6Aw/+bwE1TnPA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "fw111", 
@@ -2174,6 +2201,7 @@ "input.type": "log", "log.level": "debug", "log.offset": 6256, + "network.community_id": "1:pXZbIlTv2J4XdRhqORC4IQqpKKg=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "net", @@ -2292,6 +2320,7 @@ "input.type": "log", "log.level": "error", "log.offset": 6722, + "network.community_id": "1:4MHSMLtBw+4q7Wke3ztBRVwtgt0=", "network.direction": "inbound", "network.iana_number": 1, "network.transport": "icmp", @@ -2384,6 +2413,7 @@ "input.type": "log", "log.level": "error", "log.offset": 7071, + "network.community_id": "1:frDwW4LN1XFwCsYClx5AmXSlEBE=", "network.direction": "inbound", "network.transport": "sctp", "observer.egress.interface.name": "fw111", @@ -2433,6 +2463,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 7178, + "network.community_id": "1:gZP3lWRSgL55d5cZvFu18yXen5M=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "out111", @@ -2688,6 +2719,7 @@ "log.level": "informational", "log.offset": 7808, "network.bytes": 245, + "network.community_id": "1:GUlUhGicslkTpg27XLqbp4L0H68=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "server.deflan", @@ -2749,6 +2781,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 8003, + "network.community_id": "1:B0rqhFg9+Gx1GmU4JRhiyO3+xmE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "srv", @@ -3437,6 +3470,7 @@ "input.type": "log", "log.level": "error", "log.offset": 9934, + "network.community_id": "1:9NRUY+1nxDxjlLBwQoakpBYA9sc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -3704,6 +3738,122 @@ "forwarded" ] }, + { + "cisco.asa.message_id": "602303", + "cisco.asa.tunnel_type": "LAN-to-LAN", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "event.action": "created", + "event.code": 602303, + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.original": "%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.", + "event.outcome": "success", + "event.severity": 6, + "event.timezone": "-02:00", + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 10775, + "network.direction": "outbound", + "network.type": "ipsec", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "91.240.17.178" + ], + "related.user": [ + "admin" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "admin" + }, + { + "cisco.asa.message_id": "602304", + "cisco.asa.tunnel_type": "LAN-to-LAN", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "event.action": "deleted", + "event.category": [ + "network" + ], + "event.code": 602304, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 
192.168.2.2 (user= admin) has been deleted.", + "event.outcome": "success", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "deletion", + "info", + "user" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 10937, + "network.direction": "outbound", + "network.type": "ipsec", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "91.240.17.178" + ], + "related.user": [ + "admin" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "admin" + }, { "cisco.asa.message_id": "750002", "destination.address": "192.168.2.2", 
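Review bot: The expected event for 602303 (SA created) carries no `event.category`, `event.kind` or `event.type`, while its 602304 counterpart immediately below has `"event.category": ["network"]`, `"event.kind": "event"` and a full `event.type` list; as written, the SA creation is invisible to any ECS query or detection rule that filters on those fields and only the teardown would match. Unless 602303 is deliberately left uncategorised, the pipeline (not in this hunk) should emit the same trio for it, for instance `"event.type": ["allowed", "creation", "info", "user"]`, and this expectation should be updated to match. The asymmetry is not mentioned anywhere in the patch, so it reads as a gap rather than a choice.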
@@ -4117,5 +4267,356 @@ "cisco-asa", "forwarded" ] + }, + { + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group \"inbound\"", + "event.outcome": "failure", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "denied", + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 12205, + "network.community_id": "1:Uo11LCySQ1S0c9jtHZVIb4Pm/2k=", + "network.iana_number": 47, + "observer.egress.interface.name": "inside", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "100.66.124.24", + "172.31.98.44" + ], + "service.type": "cisco", + "source.address": "100.66.124.24", + "source.ip": "100.66.124.24", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "OUTSIDE_in", + "cisco.asa.source_interface": "OUTSIDE", + "destination.address": "fe00:afa0::1", + "destination.ip": "fe00:afa0::1", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group 
\"OUTSIDE_in\"", + "event.outcome": "failure", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "denied", + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 12341, + "network.community_id": "1:VA3lwFPBuRus2kxMs1BexFp+gp4=", + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "OUTSIDE", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", + "fe00:afa0::1" + ], + "service.type": "cisco", + "source.address": "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", + "source.as.number": 16509, + "source.as.organization.name": "Amazon.com, Inc.", + "source.geo.city_name": "Stockholm", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 59.3333, + "source.geo.location.lon": 18.05, + "source.geo.region_iso_code": "SE-AB", + "source.geo.region_name": "Stockholm", + "source.ip": "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "123364823", + "cisco.asa.destination_interface": "identity", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "OUTSIDE", + "destination.address": "85.0.0.1", + "destination.as.number": 3303, + "destination.as.organization.name": "Bluewin", + "destination.geo.city_name": "Kolliken", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", + "destination.geo.location.lat": 47.3388, + "destination.geo.location.lon": 8.0264, + "destination.geo.region_iso_code": "CH-AG", + "destination.geo.region_name": "Aargau", + "destination.ip": "85.0.0.1", + 
"destination.port": 500, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302016, + "event.dataset": "cisco.asa", + "event.duration": 332660000000000, + "event.end": "2020-04-27T02:03:03.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944", + "event.severity": 4, + "event.start": "2020-04-23T07:38:43.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 12518, + "network.bytes": 4671944, + "network.community_id": "1:rwM9yFUsWh6N2utKviU7S94dS9U=", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "identity", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "82.0.0.1", + "85.0.0.1" + ], + "service.type": "cisco", + "source.address": "82.0.0.1", + "source.as.number": 5089, + "source.as.organization.name": "Virgin Media Limited", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4964, + "source.geo.location.lon": -0.1224, + "source.ip": "82.0.0.1", + "source.port": 500, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.burst.avg_rate": "5", + "cisco.asa.burst.configured_avg_rate": "4", + "cisco.asa.burst.configured_rate": "8", + "cisco.asa.burst.cumulative_count": "19269", + "cisco.asa.burst.current_rate": "0", + "cisco.asa.burst.id": "rate-2", + "cisco.asa.burst.object": "Scanning", + "cisco.asa.message_id": "733100", + "event.action": "firewall-rule", + "event.category": [ + 
"network" + ], + "event.code": 733100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 12677, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.burst.avg_rate": "5", + "cisco.asa.burst.configured_avg_rate": "5", + "cisco.asa.burst.configured_rate": "10", + "cisco.asa.burst.cumulative_count": "6018", + "cisco.asa.burst.current_rate": "0", + "cisco.asa.burst.id": "rate-1", + "cisco.asa.burst.object": "192.168.0.1", + "cisco.asa.message_id": "733100", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 733100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. 
Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 12907, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.burst.avg_rate": "20", + "cisco.asa.burst.configured_avg_rate": "5", + "cisco.asa.burst.configured_rate": "10", + "cisco.asa.burst.cumulative_count": "12466", + "cisco.asa.burst.current_rate": "8", + "cisco.asa.burst.id": "rate-1", + "cisco.asa.burst.object": "Port-5432 5432", + "cisco.asa.message_id": "733100", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 733100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. 
Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 13142, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.burst.avg_rate": "5", + "cisco.asa.burst.configured_avg_rate": "5", + "cisco.asa.burst.configured_rate": "10", + "cisco.asa.burst.cumulative_count": "3054", + "cisco.asa.burst.current_rate": "63", + "cisco.asa.burst.id": "rate-1", + "cisco.asa.burst.object": "RDP 3389", + "cisco.asa.message_id": "733100", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 733100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 13384, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 39e67069061..9335237a31b 100644 
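Review bot: The four new 733100 expectations type every counter as a string (`"cisco.asa.burst.current_rate": "63"`, `"cisco.asa.burst.cumulative_count": "3054"`, and so on), unlike the numeric `network.bytes` and `event.duration` in the 302016 event just above them; if the field mappings (outside this diff) are keyword rather than long, a detection rule cannot threshold on `burst.current_rate` against `burst.configured_rate` and dashboards cannot aggregate these values. Consider converting the five rate/count fields with a `convert` processor in the pipeline and asserting them here as numbers, e.g. `"cisco.asa.burst.current_rate": 63`. It is also worth confirming that `"event.type": ["info"]` with `"event.action": "firewall-rule"` is the intended ECS categorisation for a threat-detection drop-rate message, since scanning alerts are exactly what a SOC wants to find and this labelling groups them with ordinary ACL events.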
--- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -4,7 +4,7 @@ "cisco.asa.destination_interface": "Inside", "cisco.asa.message_id": "302016", "cisco.asa.source_interface": "Outside", - "cisco.asa.source_username": "(LOCAL\\Elastic)", + "cisco.asa.source_username": "LOCAL\\Elastic", "cisco.asa.termination_user": "zzzzzz", "destination.address": "10.233.123.123", "destination.ip": "10.233.123.123", @@ -33,6 +33,7 @@ "log.level": "informational", "log.offset": 0, "network.bytes": 148, + "network.community_id": "1:9aBQ+NznvYals1agEGRVJm37dvQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "Inside", @@ -48,10 +49,14 @@ "10.123.123.123", "10.233.123.123" ], + "related.user": [ + "Elastic" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", "source.port": 53723, + "source.user.name": "Elastic", "tags": [ "cisco-asa", "forwarded" @@ -85,6 +90,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 200, + "network.community_id": "1:kV/6Jt4iMhVyUT1AW+UO0itOhqU=", "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "Outside", @@ -135,6 +141,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 381, + "network.community_id": "1:7nrIUULEgk5A+nhbh4kNmEkwL3o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -159,7 +166,7 @@ "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "Inside_access_in", "cisco.asa.source_interface": "Inside", - "cisco.asa.source_username": "(LOCAL\\Elastic)", + "cisco.asa.source_username": "LOCAL\\Elastic", "destination.address": "10.123.123.123", "destination.ip": "10.123.123.123", "destination.port": 57621, 
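Review bot: The user extracted from `"cisco.asa.source_username": "LOCAL\\Elastic"` lands in `source.user.name` and `related.user` as just `"Elastic"`, dropping the `LOCAL` qualifier, so two accounts named Elastic in different domains become indistinguishable in `related.user` searches. ECS provides `source.user.domain` for the prefix; the pipeline (not in this diff) could split on the backslash and this expectation would then gain `"source.user.domain": "LOCAL"`. Keeping the full `LOCAL\\Elastic` form in `related.user` alongside the bare name would also preserve attribution for analysts pivoting on the raw value.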
@@ -184,6 +191,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 545, + "network.community_id": "1:LM0R4Wi8tEf+1pe2ukofXQKxfMc=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "Outside", @@ -198,10 +206,14 @@ "related.ip": [ "10.123.123.123" ], + "related.user": [ + "Elastic" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", "source.port": 57621, + "source.user.name": "Elastic", "tags": [ "cisco-asa", "forwarded" @@ -329,6 +341,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 989, + "network.community_id": "1:/zjqku0IM1BTHL37aH0DvJSecYY=", "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "identity", @@ -377,6 +390,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1171, + "network.community_id": "1:F0lY+M777B6QL2SDSKa9RfuUJ7s=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -425,6 +439,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1334, + "network.community_id": "1:F0lY+M777B6QL2SDSKa9RfuUJ7s=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -474,6 +489,7 @@ "input.type": "log", "log.level": "error", "log.offset": 1514, + "network.community_id": "1:kRCfRJ9T/IeRNAhAhzOsF6EjIV4=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -533,6 +549,7 @@ "input.type": "log", "log.level": "alert", "log.offset": 1723, + "network.community_id": "1:cJpy7sqGDQbchRUXDtR8k10HinM=", "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "outside", diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index 59fdb927a87..81c80ebf991 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json 
+++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -27,6 +27,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 0, + "network.community_id": "1:ygCOhTlTMVGn+PXlTgyzRveBJ9g=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -86,6 +87,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 150, + "network.community_id": "1:aH+Rcp4nenimMGZQ733uys/x0js=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -148,6 +150,7 @@ "log.level": "informational", "log.offset": 345, "network.bytes": 38110, + "network.community_id": "1:nawleoAMDhKg7pshv6H5enEaKV8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -209,6 +212,7 @@ "log.level": "informational", "log.offset": 535, "network.bytes": 44010, + "network.community_id": "1:XqwLVHNEt7Z1fB2ZZXj1piBH4PM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -270,6 +274,7 @@ "log.level": "informational", "log.offset": 725, "network.bytes": 7652, + "network.community_id": "1:Q18EvtK0EmoGK6hViBJu2B9syjc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -331,6 +336,7 @@ "log.level": "informational", "log.offset": 913, "network.bytes": 7062, + "network.community_id": "1:k3K4xSa45aJwCWLM9eIJsqCydLQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -392,6 +398,7 @@ "log.level": "informational", "log.offset": 1101, "network.bytes": 5738, + "network.community_id": "1:Qq/qwMDt7lmCdvQnPYJ86wHp5mY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -453,6 +460,7 @@ "log.level": "informational", "log.offset": 1290, "network.bytes": 4176, + "network.community_id": "1:ezm9yQGN1cdh1QEJ2nw19295QfU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -514,6 +522,7 @@ "log.level": "informational", "log.offset": 1478, "network.bytes": 1715, + "network.community_id": "1:dV1ILqqOHNIkUwdYUt2iodkCTIg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -575,6 +584,7 @@ "log.level": "informational", "log.offset": 1666, "network.bytes": 45595, + "network.community_id": "1:M9jSkRNBaw+CV8aYYGLeh+1c4LQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -636,6 +646,7 @@ "log.level": "informational", "log.offset": 1853, "network.bytes": 27359, + "network.community_id": "1:kcIahkhuYMj1cJNDgmYdpgb8b5o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -697,6 +708,7 @@ "log.level": "informational", "log.offset": 2043, "network.bytes": 4457, + "network.community_id": "1:Oll9UOQVtF14Vb1gAqDgbQ8GVN0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -758,6 +770,7 @@ "log.level": "informational", "log.offset": 2231, "network.bytes": 26709, + "network.community_id": "1:SRok/PbYRZCXwEJ9MQDvhiR0OZc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -819,6 +832,7 @@ "log.level": "informational", "log.offset": 2420, "network.bytes": 22097, + "network.community_id": "1:agnIkBJhbPXkAM0Ai6Q8vvm22FM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -880,6 +894,7 @@ "log.level": "informational", "log.offset": 2609, "network.bytes": 2209, + "network.community_id": "1:dyOBaLTo8f2aK6FSqmPQ8iEKQCM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -941,6 +956,7 @@ "log.level": "informational", "log.offset": 2798, "network.bytes": 10404, + "network.community_id": "1:JG3x+PLXI8vDNUP0xc2b7cGmtO8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1002,6 +1018,7 @@ "log.level": "informational", "log.offset": 2987, "network.bytes": 123694, + "network.community_id": "1:aVhOiCMAQUL3DYMg+b1hd6++Tsw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1063,6 +1080,7 @@ "log.level": "informational", "log.offset": 3177, "network.bytes": 35835, + "network.community_id": "1:yvanaru1i/rrH9fF3MeSmHfJVH0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1124,6 +1142,7 @@ "log.level": "informational", "log.offset": 3367, "network.bytes": 0, + "network.community_id": "1:h36yIuCF0zHqn+9q0Z5lLEIz2FE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1178,6 +1197,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3552, + "network.community_id": "1:tCQw5Th130a6dZONq7h6PjILJZY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -1237,6 +1257,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3703, + "network.community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", 
@@ -1298,6 +1319,7 @@ "log.level": "informational", "log.offset": 3896, "network.bytes": 148, + "network.community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1357,6 +1379,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4071, + "network.community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1418,6 +1441,7 @@ "log.level": "informational", "log.offset": 4264, "network.bytes": 164, + "network.community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1472,6 +1496,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4439, + "network.community_id": "1:IqCv9QrYpJkgySoRM91LE2Ao1Ug=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1531,6 +1556,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4589, + "network.community_id": "1:sxPO5rXtxG30Oh+QP2ncQZ0N1U8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1586,6 +1612,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4784, + "network.community_id": "1:MZcBg2aQ/SdpVmPXf2Ze+Ng4g9Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1645,6 +1672,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4934, + "network.community_id": "1:G5HU7oEz3i/eGfSUoq5HuDVo7u4=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -1705,6 +1733,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5129, + "network.community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1765,6 +1794,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5326, + "network.community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1826,6 +1856,7 @@ "log.level": "informational", "log.offset": 5519, "network.bytes": 111, + "network.community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1886,6 +1917,7 @@ "log.level": "informational", "log.offset": 5696, "network.bytes": 237, + "network.community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1940,6 +1972,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5871, + "network.community_id": "1:/KJCwT2FUqlgb+8c7f4b8fvqWFE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1999,6 +2032,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6021, + "network.community_id": "1:gFO9U+lgj3sty9R349zScds2rBg=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2054,6 +2088,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6218, + "network.community_id": "1:kpfWE+K4tPLbC1LWM9M8v5zQqyk=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", 
@@ -2113,6 +2148,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6369, + "network.community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2173,6 +2209,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6566, + "network.community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2234,6 +2271,7 @@ "log.level": "informational", "log.offset": 6759, "network.bytes": 87, + "network.community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2294,6 +2332,7 @@ "log.level": "informational", "log.offset": 6935, "network.bytes": 221, + "network.community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2348,6 +2387,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7110, + "network.community_id": "1:J8j4D9Hm6tPmF+enIkcOgaYzEg4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2407,6 +2447,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7260, + "network.community_id": "1:2VKYvyM6qODR0XAXnVUFrYSP/IU=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2467,6 +2508,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7455, + "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", 
@@ -2527,6 +2569,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7652, + "network.community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2588,6 +2631,7 @@ "log.level": "informational", "log.offset": 7849, "network.bytes": 101, + "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2648,6 +2692,7 @@ "log.level": "informational", "log.offset": 8026, "network.bytes": 126, + "network.community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2702,6 +2747,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8203, + "network.community_id": "1:TO0ui5exOUfDCukU8mR9bJIjkLY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2761,6 +2807,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8353, + "network.community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2823,6 +2870,7 @@ "log.level": "informational", "log.offset": 8548, "network.bytes": 862, + "network.community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -2882,6 +2930,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8733, + "network.community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", 
@@ -2943,6 +2992,7 @@ "log.level": "informational", "log.offset": 8930, "network.bytes": 104, + "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3003,6 +3053,7 @@ "log.level": "informational", "log.offset": 9107, "network.bytes": 176, + "network.community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3057,6 +3108,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9284, + "network.community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3116,6 +3168,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9434, + "network.community_id": "1:2YT6PqWSIyoyRYVbl2cIXiGcMsw=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3171,6 +3224,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9625, + "network.community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3230,6 +3284,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9775, + "network.community_id": "1:XheyUG03AcgRSOyMnpafZQNi3wY=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3285,6 +3340,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9966, + "network.community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -3344,6 +3400,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10116, + "network.community_id": "1:cKgOVwHWv3CzYQlpMkVbynKHE30=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3404,6 +3461,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10307, + "network.community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -3465,6 +3523,7 @@ "log.level": "informational", "log.offset": 10500, "network.bytes": 104, + "network.community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3519,6 +3578,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10675, + "network.community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3578,6 +3638,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10825, + "network.community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3633,6 +3694,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11018, + "network.community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3692,6 +3754,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11168, + "network.community_id": "1:wH3OQfGQv6qlex3KDY6fleRZ3W4=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -3752,6 +3815,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11361, + "network.community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -3814,6 +3878,7 @@ "log.level": "informational", "log.offset": 11554, "network.bytes": 593, + "network.community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3868,6 +3933,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11738, + "network.community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3927,6 +3993,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11888, + "network.community_id": "1:9aaIbdVfxtctEtHtisDVEKYc8wI=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3988,6 +4055,7 @@ "log.level": "informational", "log.offset": 12081, "network.bytes": 375, + "network.community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -4042,6 +4110,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12256, + "network.community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4101,6 +4170,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12406, + "network.community_id": "1:CUxMKGQ8Da35o4Z5ZJ3cqjyBcjE=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -4130,20 +4200,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8267, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4151,7 +4230,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12599, + "network.community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4160,7 +4244,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1454, "tags": [ "cisco-asa", "forwarded" @@ -4194,6 +4285,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12769, + "network.community_id": "1:24J8khLuXWoetlU/J6WYj+4RnIU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -4253,6 +4345,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12920, + "network.community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4282,20 +4375,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8268, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4303,7 +4405,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13115, + "network.community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4312,7 +4419,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1455, "tags": [ "cisco-asa", "forwarded" 
@@ -4320,20 +4434,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8269, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4341,7 +4464,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13285, + "network.community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4350,7 +4478,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1456, "tags": [ "cisco-asa", "forwarded" 
@@ -4358,20 +4493,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8270, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4379,7 +4523,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13455, + "network.community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4388,7 +4537,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1457, "tags": [ "cisco-asa", "forwarded" 
@@ -4396,20 +4552,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8271, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4417,7 +4582,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13625, + "network.community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4426,7 +4596,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1458, "tags": [ "cisco-asa", "forwarded" 
@@ -4434,20 +4611,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8272, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4455,7 +4641,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13795, + "network.community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4464,7 +4655,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1459, "tags": [ "cisco-asa", "forwarded" 
@@ -4472,20 +4670,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8273, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4493,7 +4700,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13965, + "network.community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4502,7 +4714,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1460, "tags": [ "cisco-asa", "forwarded" @@ -4543,6 +4762,7 @@ "log.level": "informational", "log.offset": 14135, "network.bytes": 575, + "network.community_id": "1:pux42VCSy7BX42P3cpyd4c/X1M8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -4604,6 +4824,7 @@ "log.level": "informational", "log.offset": 14320, "network.bytes": 5391, + "network.community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4658,6 +4879,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14509, + "network.community_id": "1:mWEQuMzgDppOFGfUpnRU2SOVLC4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4717,6 +4939,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14660, + "network.community_id": "1:WPQ7PgW0xK/OsH/dwOA4osO4W+M=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4775,6 +4998,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 14855, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4832,6 +5056,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15020, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4889,6 +5114,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15185, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4946,6 +5172,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15350, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -5003,6 +5230,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15515, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5060,6 +5288,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15680, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5117,6 +5346,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15845, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5174,6 +5404,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16010, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5231,6 +5462,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16175, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5288,6 +5520,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16340, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5345,6 +5578,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16505, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -5402,6 +5636,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16670, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5459,6 +5694,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16835, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5513,6 +5749,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17000, + "network.community_id": "1:ZuhnndzENnR8d8NKvStxJffM+XM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -5572,6 +5809,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17150, + "network.community_id": "1:7t0ua2FV3S8YYwDwaXzw5Tm8M80=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -5627,6 +5865,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17343, + "network.community_id": "1:ZhyIop0bR8c1qT9K7cSplqrW0ew=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -5686,6 +5925,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17494, + "network.community_id": "1:vvawE2mM1hKl2WU/GmHBmMoI3G8=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index 5b15b5338d8..1ae3aa1f563 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json 
@@ -62,6 +62,7 @@
 "input.type": "log",
 "log.level": "critical",
 "log.offset": 174,
+"network.community_id": "1:bEmZObpc4rxeHLkGwSyEBNS+Sxg=",
 "network.direction": "inbound",
 "network.iana_number": 6,
 "network.transport": "tcp",
diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json
index adfb513bdb9..e959ed69145 100644
--- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json
@@ -76,6 +76,7 @@
 "log.file.path": "hostnames.log",
 "log.level": "informational",
 "log.offset": 169,
+"network.community_id": "1:TIG5OyXflKDSW/Fgd/O5r5A7Zk4=",
 "network.iana_number": 1,
 "network.transport": "icmp",
 "observer.hostname": "MYHOSTNAME",
diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
index bf0c3a439e7..09357b0121b 100644
--- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
@@ -79,6 +79,7 @@
 "log.file.path": "not-ip.log",
 "log.level": "informational",
 "log.offset": 201,
+"network.community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=",
 "network.iana_number": 1,
 "network.transport": "icmp",
 "observer.hostname": "localhost",
@@ -138,6 +139,7 @@
 "log.file.path": "not-ip.log",
 "log.level": "warning",
 "log.offset": 360,
+"network.community_id": "1:d9RGgqBro5rzu16MqJQFehDRaKY=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "wan",
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log b/x-pack/filebeat/module/cisco/asa/test/sample.log
index 73ea89341b0..6553ffa18ef 100644
--- a/x-pack/filebeat/module/cisco/asa/test/sample.log
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log
@@ -70,3 +70,18 @@ Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app
 Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com
 Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside
 Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)
+Jan 13 2021 19:12:37: %ASA-5-304001: USER001@192.168.0.1(LOCAL\USER001) Accessed URL 172.17.6.211:http://testingserver.com/somewebpage.html
+Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\USER001) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (USER001)
+Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\user@domain.tld) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (user@domain.tld)
+Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\USER001) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER001) type 3 code 3
+Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\user@domain.tld) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (user@domain.tld) type 3 code 3
+Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(AD\USER002) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER002) type 3 code 3
+Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:192.168.0.1/59677(LOCAL\USER001) to OUTSIDE:75.0.0.1/18449 duration 0:00:00
+Jan 15 2021 19:12:37: %ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::2205:baff:fe9d:f637/0 laddr fe80::2205:baff:fe9d:f637/0 type 134 code 0
+Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 251933191 for OUTSIDE:fe00::fede:bbe1/62477 (fe00::fede:bbe1/62477) to OUTSIDE:2a03:2880:f253:cb:face:b00c:0:43fe/443 (2a03:2880:f253:cb:face:b00c:0:43fe/443) (soc@danskecommodities.com)
+Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:81.0.0.1/50120(LOCAL\domain\USER001) to OUTSIDE:181.0.0.1/50120 duration 0:02:05
+Jan 15 2021 19:12:37: %ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:81.0.0.1/50120(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\USER001)
+Jan 15 2021 19:12:37: %ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:81.0.0.1/63790 (82.0.0.1/63790)(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\USER001)
+Jan 15 2021 19:12:37: %ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:81.0.0.1/63790(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\USER001)
+Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:81.0.0.1/50120 (82.0.0.1/50120)(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\USER001)
+Jul 29 2021 08:35:29: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 12.12.12.12 and 12.12.12.12 (user= 12.12.12.12) has been deleted.
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
index 33522a3339c..50e7be1889e 100644
--- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
@@ -29,6 +29,7 @@
 "log.file.path": "sample.log",
 "log.level": "warning",
 "log.offset": 0,
+ "network.community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
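Review bot: The fifteen added sample lines use publicly routable addresses (85.0.0.1, 81.0.0.1, 62.0.0.1, 82.0.0.1, 75.0.0.1, 181.0.0.1, 40.0.0.1, 12.12.12.12 and the 2a03:2880:… IPv6 address) plus a `soc@…` mailbox at what looks like a real third-party domain, while the existing lines in this file stick to the reserved 192.0.2.0/24 range and example.com/example.net. Fixtures in a public repository should use the documentation ranges (RFC 5737 for IPv4, 2001:db8::/32 for IPv6) and RFC 2606 domains such as example.com, so the sample neither names a real organization or person nor depends on what the GeoIP/ASN databases currently say about someone else's prefix. The expected JSON for these lines (the Madrid/Kolliken cities and AS 3303/15704 entries) is derived from those real addresses, so the fixture would need regenerating once the addresses are swapped; a short comment in the PR description noting that the addresses are synthetic would also help the next reader. The `(user= 12.12.12.12)` field on the new 602304 line appears to hold an address where the message format suggests a peer name — worth confirming that is the shape the pipeline is meant to parse.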
@@ -79,6 +80,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 139, + "network.community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -130,6 +132,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 294, + "network.community_id": "1:/AVpSqNe7QhujyFPgKMbMS9Ct44=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -181,6 +184,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 465, + "network.community_id": "1:462QRxMFThXYxhSyvR50cIDJegg=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -236,6 +240,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 632, + "network.community_id": "1:c8hH08+kxqP8+dYZZFCsPYYf0oo=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -287,6 +292,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 812, + "network.community_id": "1:oGT+RQ2PYVsSEX/LuKvEW6O6Jiw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -340,6 +346,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 938, + "network.community_id": "1:4NJbCZhuyrAJcj7S647C7IIhAM8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -388,6 +395,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1106, + "network.community_id": "1:ay9S7HyVcpV47ArwMPDsxLg6wBU=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", 
@@ -441,6 +449,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1233, + "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -491,6 +500,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1401, + "network.community_id": "1:fZibb4nXPyoJv3pk+hIlafmMMMY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -545,6 +555,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1527, + "network.community_id": "1:KAOD4KM9MUK44UkzQPDM20+aGPI=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -600,6 +611,7 @@ "log.level": "informational", "log.offset": 1692, "network.bytes": 140, + "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -631,6 +643,7 @@ "destination.address": "10.123.1.35", "destination.ip": "10.123.1.35", "destination.port": 52925, + "destination.user.name": "user2", "event.action": "flow-expiration", "event.category": [ "network" @@ -655,6 +668,7 @@ "log.level": "informational", "log.offset": 1844, "network.bytes": 9999999, + "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -666,14 +680,20 @@ "10.123.1.35", "192.0.2.222" ], + "related.user": [ + "user1", + "user2" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", "source.port": 53, + "source.user.name": "user1", "tags": [ "cisco-asa", "forwarded" - ] + ], + "user.name": "user2" }, { "@timestamp": "2011-06-04T21:59:52.000-02:00", 
@@ -702,6 +722,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2008, + "network.community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "FJSG2NRFW01", @@ -750,6 +771,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2163, + "network.community_id": "1:EsAlPGwbpvnOIWG+1RbOLtWOWaI=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -804,6 +826,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2289, + "network.community_id": "1:m/dSB7tetihSecuyjm6x4Rl/8I8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -853,6 +876,7 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 2454, + "network.community_id": "1:cjsjwTI1K/FNwJ9mwZX971rPjfo=", "network.direction": "inbound", "network.iana_number": 17, "network.protocol": "dns", @@ -903,6 +927,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 2563, + "network.community_id": "1:Zboag8BrI6OW/Oo2vWMZ2CJe4tM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -953,6 +978,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 2722, + "network.community_id": "1:Ne/QE55iCFiCg5J75DhSp3KZzQI=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1003,6 +1029,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 2883, + "network.community_id": "1:nVqNkC3HBTw1Le7RJD28aYfCDTg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -1053,6 +1080,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3044, + "network.community_id": "1:c82bgYlFS2zsrs3He7w3jq7x6jY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1103,6 +1131,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3205, + "network.community_id": "1:iQJvtLpa8CzCZimwacqAWJp9sZg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1153,6 +1182,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3366, + "network.community_id": "1:CHFAR3iwADiL0sMiLhocbg8YF4o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1203,6 +1233,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3527, + "network.community_id": "1:fW9fDNL4osH5ogPXIzh5huGyJLU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1253,6 +1284,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3688, + "network.community_id": "1:VqbI7AJvRLmCOZAb2tHFFBTeRZ8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1303,6 +1335,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3847, + "network.community_id": "1:TUJhCk7pGNvVhgiAnf4YJJaoCpo=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -1353,6 +1386,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4004, + "network.community_id": "1:EItD1g2bG+b/iorMXbZ/3Bvjam8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -1401,6 +1435,7 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 4163, + "network.community_id": "1:a6VFmKsjwlqdlhQIeSm95/lkWlY=", "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", @@ -1448,6 +1483,7 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 4274, + "network.community_id": "1:96NZ3spb6QBXPZwoL7NadaqTMac=", "network.direction": "inbound", "network.iana_number": 17, "network.protocol": "dns", @@ -1498,6 +1534,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4383, + "network.community_id": "1:DbXtTF7Tt+LJ0/omdap4K0RmodY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1548,6 +1585,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4542, + "network.community_id": "1:8enMIE4IqhVXWyyRuJRvdyDxiBA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1598,6 +1636,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4703, + "network.community_id": "1:3vGj3wfvZB2f5kZmDflH/qfkWYE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1648,6 +1687,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4862, + "network.community_id": "1:Wjdn68t3gwpMPxbO1bBTBvMkQKE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1698,6 +1738,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 5018, + "network.community_id": "1:OHPCPPOkvDP3KMLJodW8pdmntUw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -1748,6 +1789,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 5174, + "network.community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1798,6 +1840,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 5321, + "network.community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1848,6 +1891,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 5468, + "network.community_id": "1:IOafOGWxFLefP+hvoAc06Z1pBj8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1898,6 +1942,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 5631, + "network.community_id": "1:89qba0kw6T/uGNWcSzTTYvNoLeY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1949,6 +1994,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 5792, + "network.community_id": "1:3EQcjAJCGY7yJRip464V5VZ2h00=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2001,6 +2047,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 5963, + "network.community_id": "1:xQpx+K3UkeF1wQfNjT+9cuVvkHo=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2053,6 +2100,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 6138, + "network.community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", 
@@ -2104,6 +2152,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 6288, + "network.community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2271,6 +2320,7 @@ "log.level": "informational", "log.offset": 6778, "network.bytes": 14804, + "network.community_id": "1:tVS/eeyng4tH7pSAcq77I2cbedw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2326,6 +2376,7 @@ "log.level": "informational", "log.offset": 6943, "network.bytes": 134781, + "network.community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2381,6 +2432,7 @@ "log.level": "informational", "log.offset": 7109, "network.bytes": 134781, + "network.community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2430,6 +2482,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7275, + "network.community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "network.iana_number": 6, "network.transport": "tcp", "observer.ingress.interface.name": "outside", @@ -2478,6 +2531,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7417, + "network.community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "network.iana_number": 6, "network.transport": "tcp", "observer.ingress.interface.name": "outside", @@ -2528,6 +2582,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 7559, + "network.community_id": "1:BouUIZD+TqJZdYklL1aMrJfnbQ0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", 
@@ -2581,6 +2636,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7710, + "network.community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2635,6 +2691,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7884, + "network.community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2691,6 +2748,7 @@ "log.level": "informational", "log.offset": 8058, "network.bytes": 11420, + "network.community_id": "1:kugTIYv6tVeitQAN8XRNgUPvZiw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2745,6 +2803,7 @@ "log.level": "informational", "log.offset": 8223, "network.bytes": 1416, + "network.community_id": "1:n1IQHcbrWLb1u8dflqz8hfEElA0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3180,6 +3239,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 9335, + "network.community_id": "1:buRYH8vRkdq5apZqKHNDfmztnUo=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3281,6 +3341,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 9599, + "network.community_id": "1:XKWgpeop6LmXORBjS+D+pjammJ4=", "network.iana_number": 1, "network.transport": "icmp", "observer.ingress.interface.name": "inside", @@ -3334,6 +3395,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 9735, + "network.community_id": "1:ZWjuP5bJeA+f0NH342ubXOWI+Lc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -3396,6 +3458,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 9986, + "network.community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outsidet", @@ -3454,6 +3517,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 10285, + "network.community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outsidet", @@ -3623,6 +3687,7 @@ "cisco.asa.message_id": "302013", "cisco.asa.source_interface": "internet", "cisco.asa.source_username": "LOCAL\\username", + "cisco.asa.termination_user": "username", "destination.address": "1.2.3.4", "destination.geo.city_name": "Moscow", "destination.geo.continent_name": "Europe", @@ -3634,7 +3699,6 @@ "destination.geo.region_name": "Moscow", "destination.ip": "1.2.3.4", "destination.port": 80, - "destination.user.name": "username", "event.action": "firewall-rule", "event.category": [ "network" @@ -3654,6 +3718,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 10899, + "network.community_id": "1:iwVZPCmO/50L3MVqIW0tC5ED+bg=", "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -3674,10 +3739,1090 @@ "source.ip": "10.2.3.4", "source.nat.ip": "1.2.3.4", "source.port": 49926, + "source.user.name": "username", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.message_id": "304001", + "destination.address": "172.17.6.211", + "destination.ip": "172.17.6.211", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: USER001@192.168.0.1(LOCAL\\USER001) Accessed URL 172.17.6.211:http://testingserver.com/somewebpage.html", + "event.outcome": "success", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "notification", + "log.offset": 11080, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "172.17.6.211", + "192.168.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "192.168.0.1", + "source.ip": "192.168.0.1", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.domain": "testingserver.com", + "url.extension": "html", + "url.original": "http://testingserver.com/somewebpage.html", + "url.path": "/somewebpage.html", + "url.scheme": "http" + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.connection_id": "195207391", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.mapped_destination_ip": "81.0.0.1", + "cisco.asa.mapped_destination_port": 443, + "cisco.asa.mapped_source_ip": "62.0.0.1", + "cisco.asa.mapped_source_port": 34534, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\USER001", + "cisco.asa.termination_user": "USER001", + "destination.address": 
"81.0.0.1", + "destination.as.number": 15704, + "destination.as.organization.name": "Xtra Telecom S.A.", + "destination.geo.city_name": "Madrid", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 40.4143, + "destination.geo.location.lon": -3.7016, + "destination.geo.region_iso_code": "ES-M", + "destination.geo.region_name": "Madrid", + "destination.ip": "81.0.0.1", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\\USER001) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (USER001)", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "notification", + "log.offset": 11220, + "network.community_id": "1:80+NOqHrJ3D1YMNcnBpJC7S6Pkg=", + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "62.0.0.1", + "81.0.0.1", + "85.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "85.0.0.1", + "source.as.number": 3303, + "source.as.organization.name": "Bluewin", + "source.geo.city_name": "Kolliken", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "CH", + "source.geo.country_name": "Switzerland", + "source.geo.location.lat": 47.3388, + "source.geo.location.lon": 8.0264, + "source.geo.region_iso_code": "CH-AG", + "source.geo.region_name": "Aargau", + "source.ip": 
"85.0.0.1", + "source.nat.ip": "62.0.0.1", + "source.nat.port": "34534", + "source.port": 12312, + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.connection_id": "195207391", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.mapped_destination_ip": "81.0.0.1", + "cisco.asa.mapped_destination_port": 443, + "cisco.asa.mapped_source_ip": "62.0.0.1", + "cisco.asa.mapped_source_port": 34534, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\user@domain.tld", + "cisco.asa.termination_user": "user@domain.tld", + "destination.address": "81.0.0.1", + "destination.as.number": 15704, + "destination.as.organization.name": "Xtra Telecom S.A.", + "destination.geo.city_name": "Madrid", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 40.4143, + "destination.geo.location.lon": -3.7016, + "destination.geo.region_iso_code": "ES-M", + "destination.geo.region_name": "Madrid", + "destination.ip": "81.0.0.1", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\\user@domain.tld) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (user@domain.tld)", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "notification", + "log.offset": 11404, + "network.community_id": "1:80+NOqHrJ3D1YMNcnBpJC7S6Pkg=", + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + 
"observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain.tld" + ], + "related.ip": [ + "62.0.0.1", + "81.0.0.1", + "85.0.0.1" + ], + "related.user": [ + "user@domain.tld" + ], + "service.type": "cisco", + "source.address": "85.0.0.1", + "source.as.number": 3303, + "source.as.organization.name": "Bluewin", + "source.geo.city_name": "Kolliken", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "CH", + "source.geo.country_name": "Switzerland", + "source.geo.location.lat": 47.3388, + "source.geo.location.lon": 8.0264, + "source.geo.region_iso_code": "CH-AG", + "source.geo.region_name": "Aargau", + "source.ip": "85.0.0.1", + "source.nat.ip": "62.0.0.1", + "source.nat.port": "34534", + "source.port": 12312, + "source.user.domain": "domain.tld", + "source.user.name": "user@domain.tld", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.destination_username": "LOCAL\\USER001", + "cisco.asa.icmp_code": 3, + "cisco.asa.icmp_type": 3, + "cisco.asa.mapped_source_ip": "81.0.0.1", + "cisco.asa.message_id": "302020", + "cisco.asa.source_username": "USER001", + "destination.address": "85.0.0.1", + "destination.as.number": 3303, + "destination.as.organization.name": "Bluewin", + "destination.geo.city_name": "Kolliken", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", + "destination.geo.location.lat": 47.3388, + "destination.geo.location.lon": 8.0264, + "destination.geo.region_iso_code": "CH-AG", + "destination.geo.region_name": "Aargau", + "destination.ip": "85.0.0.1", + "destination.user.name": "USER001", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": 
"event", + "event.module": "cisco", + "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\\USER001) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER001) type 3 code 3", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "notification", + "log.offset": 11604, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "81.0.0.1", + "85.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "USER001" + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.destination_username": "LOCAL\\user@domain.tld", + "cisco.asa.icmp_code": 3, + "cisco.asa.icmp_type": 3, + "cisco.asa.mapped_source_ip": "81.0.0.1", + "cisco.asa.message_id": "302020", + "cisco.asa.source_username": "user@domain.tld", + "destination.address": "85.0.0.1", + "destination.as.number": 3303, + "destination.as.organization.name": "Bluewin", + "destination.geo.city_name": "Kolliken", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", + "destination.geo.location.lat": 47.3388, + "destination.geo.location.lon": 8.0264, + "destination.geo.region_iso_code": "CH-AG", + 
"destination.geo.region_name": "Aargau", + "destination.ip": "85.0.0.1", + "destination.user.domain": "domain.tld", + "destination.user.name": "user@domain.tld", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\\user@domain.tld) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (user@domain.tld) type 3 code 3", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "notification", + "log.offset": 11765, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain.tld" + ], + "related.ip": [ + "81.0.0.1", + "85.0.0.1" + ], + "related.user": [ + "user@domain.tld" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.user.domain": "domain.tld", + "source.user.name": "user@domain.tld", + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "user@domain.tld" + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.destination_username": "AD\\USER002", + "cisco.asa.icmp_code": 3, + "cisco.asa.icmp_type": 3, + "cisco.asa.mapped_source_ip": "81.0.0.1", + "cisco.asa.message_id": "302020", + "cisco.asa.source_username": "USER002", + "destination.address": 
"85.0.0.1", + "destination.as.number": 3303, + "destination.as.organization.name": "Bluewin", + "destination.geo.city_name": "Kolliken", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", + "destination.geo.location.lat": 47.3388, + "destination.geo.location.lon": 8.0264, + "destination.geo.region_iso_code": "CH-AG", + "destination.geo.region_name": "Aargau", + "destination.ip": "85.0.0.1", + "destination.user.domain": "AD", + "destination.user.name": "USER002", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(AD\\USER002) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER002) type 3 code 3", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "notification", + "log.offset": 11942, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "AD" + ], + "related.ip": [ + "81.0.0.1", + "85.0.0.1" + ], + "related.user": [ + "USER002" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.user.name": "USER002", + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "USER002" + }, + { + 
"@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.message_id": "305012", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\USER001", + "destination.address": "75.0.0.1", + "destination.as.number": 7018, + "destination.as.organization.name": "AT&T Services, Inc.", + "destination.geo.city_name": "Carson City", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 39.1507, + "destination.geo.location.lon": -119.7459, + "destination.geo.region_iso_code": "US-NV", + "destination.geo.region_name": "Nevada", + "destination.ip": "75.0.0.1", + "destination.port": 18449, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 305012, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2021-01-15T19:12:37.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:192.168.0.1/59677(LOCAL\\USER001) to OUTSIDE:75.0.0.1/18449 duration 0:00:00", + "event.severity": 6, + "event.start": "2021-01-15T21:12:37.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 12100, + "network.community_id": "1:kOYfvYjW0lZrPxD+ArQ6vDYnS7g=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.0.1", + "75.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "192.168.0.1", + "source.ip": "192.168.0.1", + "source.port": 59677, + 
"source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.icmp_code": 0, + "cisco.asa.icmp_type": 134, + "cisco.asa.mapped_source_ip": "fe80::2205:baff:fe9d:f637", + "cisco.asa.message_id": "302021", + "destination.address": "ff02::1", + "destination.ip": "ff02::1", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302021, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::2205:baff:fe9d:f637/0 laddr fe80::2205:baff:fe9d:f637/0 type 134 code 0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 12259, + "network.community_id": "1:bHWN9qumWIGMl/MbjgS2bQi/Jsw=", + "network.iana_number": 1, + "network.transport": "icmp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "fe80::2205:baff:fe9d:f637", + "ff02::1" + ], + "service.type": "cisco", + "source.address": "fe80::2205:baff:fe9d:f637", + "source.ip": "fe80::2205:baff:fe9d:f637", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.connection_id": "251933191", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.mapped_destination_ip": "2a03:2880:f253:cb:face:b00c:0:43fe", + "cisco.asa.mapped_destination_port": 443, + "cisco.asa.mapped_source_ip": "fe00::fede:bbe1", + "cisco.asa.mapped_source_port": 62477, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.termination_user": "soc@danskecommodities.com", + "destination.address": "2a03:2880:f253:cb:face:b00c:0:43fe", + "destination.as.number": 32934, + 
"destination.as.organization.name": "Facebook, Inc.", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IE", + "destination.geo.country_name": "Ireland", + "destination.geo.location.lat": 53.0, + "destination.geo.location.lon": -8.0, + "destination.ip": "2a03:2880:f253:cb:face:b00c:0:43fe", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built inbound TCP connection 251933191 for OUTSIDE:fe00::fede:bbe1/62477 (fe00::fede:bbe1/62477) to OUTSIDE:2a03:2880:f253:cb:face:b00c:0:43fe/443 (2a03:2880:f253:cb:face:b00c:0:43fe/443) (soc@danskecommodities.com)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 12425, + "network.community_id": "1:lOTrEnVpsUc4jukAUBxF/BkD8jE=", + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "2a03:2880:f253:cb:face:b00c:0:43fe", + "fe00::fede:bbe1" + ], + "service.type": "cisco", + "source.address": "fe00::fede:bbe1", + "source.ip": "fe00::fede:bbe1", + "source.port": 62477, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.message_id": "305012", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\domain\\USER001", + "destination.address": "181.0.0.1", + "destination.as.number": 7303, + "destination.as.organization.name": "Telecom Argentina S.A.", + 
"destination.geo.continent_name": "South America", + "destination.geo.country_iso_code": "AR", + "destination.geo.country_name": "Argentina", + "destination.geo.location.lat": -34.6033, + "destination.geo.location.lon": -58.3817, + "destination.ip": "181.0.0.1", + "destination.port": 50120, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 305012, + "event.dataset": "cisco.asa", + "event.duration": 125000000000, + "event.end": "2021-01-15T19:12:37.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:81.0.0.1/50120(LOCAL\\domain\\USER001) to OUTSIDE:181.0.0.1/50120 duration 0:02:05", + "event.severity": 6, + "event.start": "2021-01-15T21:10:32.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 12678, + "network.community_id": "1:R7zADbxzUGXOH0O/Hzma4ba6iHU=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain" + ], + "related.ip": [ + "181.0.0.1", + "81.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.port": 50120, + "source.user.domain": "domain", + "source.user.name": 
"USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.connection_id": "261246338", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\domain\\USER001", + "cisco.asa.termination_initiator": "OUTSIDE", + "cisco.asa.termination_user": "domain\\USER001", + "destination.address": "40.0.0.1", + "destination.as.number": 4249, + "destination.as.organization.name": "Eli Lilly and Company", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "40.0.0.1", + "destination.port": 443, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302014, + "event.dataset": "cisco.asa", + "event.duration": 125000000000, + "event.end": "2021-01-15T19:12:37.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:81.0.0.1/50120(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\\USER001)", + "event.reason": "TCP FINs", + "event.severity": 6, + "event.start": "2021-01-15T21:10:32.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 12842, + "network.bytes": 9610, + "network.community_id": "1:Wki7xXtyiCACPfXpHuQV+NLf33o=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + 
"related.hosts": [ + "domain" + ], + "related.ip": [ + "40.0.0.1", + "81.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.port": 50120, + "source.user.domain": "domain", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.connection_id": "261311655", + "cisco.asa.destination_interface": "INSIDE", + "cisco.asa.mapped_destination_ip": "192.168.0.1", + "cisco.asa.mapped_destination_port": 53, + "cisco.asa.mapped_source_ip": "82.0.0.1", + "cisco.asa.mapped_source_port": 63790, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\domain\\USER001", + "cisco.asa.termination_user": "domain\\USER001", + "destination.address": "192.168.0.1", + "destination.ip": "192.168.0.1", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:81.0.0.1/63790 (82.0.0.1/63790)(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\\USER001)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 13053, + "network.community_id": 
"1:BIxqdLncXeXXZrNudh3yrj2zmZc=", + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "INSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain" + ], + "related.ip": [ + "192.168.0.1", + "81.0.0.1", + "82.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.nat.ip": "82.0.0.1", + "source.port": 63790, + "source.user.domain": "domain", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.connection_id": "261311655", + "cisco.asa.destination_interface": "INSIDE", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\domain\\USER001", + "cisco.asa.termination_user": "domain\\USER001", + "destination.address": "192.168.0.1", + "destination.ip": "192.168.0.1", + "destination.port": 53, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302016, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2021-01-15T19:12:37.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:81.0.0.1/63790(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\\USER001)", + "event.severity": 
6, + "event.start": "2021-01-15T21:12:37.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 13254, + "network.bytes": 139, + "network.community_id": "1:BIxqdLncXeXXZrNudh3yrj2zmZc=", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "INSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain" + ], + "related.ip": [ + "192.168.0.1", + "81.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.port": 63790, + "source.user.domain": "domain", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.connection_id": "261246338", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.mapped_destination_ip": "40.0.0.1", + "cisco.asa.mapped_destination_port": 443, + "cisco.asa.mapped_source_ip": "82.0.0.1", + "cisco.asa.mapped_source_port": 50120, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\domain\\USER001", + "cisco.asa.termination_user": "domain\\USER001", + "destination.address": "40.0.0.1", + "destination.as.number": 4249, + "destination.as.organization.name": "Eli Lilly and Company", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "40.0.0.1", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:81.0.0.1/50120 (82.0.0.1/50120)(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\\USER001)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 13443, + "network.community_id": "1:Wki7xXtyiCACPfXpHuQV+NLf33o=", + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain" + ], + "related.ip": [ + "40.0.0.1", + "81.0.0.1", + "82.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.nat.ip": "82.0.0.1", + "source.port": 50120, + "source.user.domain": "domain", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + 
"forwarded" + ] + }, + { + "@timestamp": "2021-07-29T08:35:29.000-02:00", + "cisco.asa.message_id": "602304", + "cisco.asa.tunnel_type": "LAN-to-LAN", + "destination.address": "12.12.12.12", + "destination.as.number": 32328, + "destination.as.organization.name": "Alascom, Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "12.12.12.12", + "event.action": "deleted", + "event.category": [ + "network" + ], + "event.code": 602304, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 12.12.12.12 and 12.12.12.12 (user= 12.12.12.12) has been deleted.", + "event.outcome": "success", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "deletion", + "info", + "user" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 13641, + "network.direction": "outbound", + "network.type": "ipsec", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "12.12.12.12" + ], + "related.user": [ + "12.12.12.12" + ], + "service.type": "cisco", + "source.address": "12.12.12.12", + "source.as.number": 32328, + "source.as.organization.name": "Alascom, Inc.", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "12.12.12.12", "tags": [ "cisco-asa", "forwarded" ], - "user.name": "username" + "user.name": "12.12.12.12" } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index b7ffbc2b460..a1e5fe24bef 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded zlib format compressed contents of module/cisco. func AssetCisco() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml index 88f1d922df1..5e9678f9adb 100644 --- a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml @@ -126,3 +126,9 @@ default_field: false description: > The WebVPN group name the user belongs to + + - name: termination_initiator + type: keyword + default_field: false + description: > + Interface name of the side that initiated the teardown diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 9f144579c5e..5b4432fe41b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -5,7 +5,7 @@ "cisco.ftd.destination_interface": "Inside", "cisco.ftd.message_id": "302016", "cisco.ftd.source_interface": "Outside", - "cisco.ftd.source_username": "(LOCAL\\Elastic)", + "cisco.ftd.source_username": "LOCAL\\Elastic", "cisco.ftd.termination_user": "zzzzzz", "destination.address": "10.233.123.123", "destination.ip": "10.233.123.123", @@ -34,6 +34,7 @@ "log.level": "informational", "log.offset": 0, "network.bytes": 148, + "network.community_id": "1:9aBQ+NznvYals1agEGRVJm37dvQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "Inside", 
@@ -49,10 +50,14 @@ "10.123.123.123", "10.233.123.123" ], + "related.user": [ + "Elastic" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", "source.port": 53723, + "source.user.name": "Elastic", "tags": [ "cisco-ftd", "forwarded" @@ -87,6 +92,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 200, + "network.community_id": "1:kV/6Jt4iMhVyUT1AW+UO0itOhqU=", "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "Outside", @@ -138,6 +144,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 381, + "network.community_id": "1:7nrIUULEgk5A+nhbh4kNmEkwL3o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -163,7 +170,7 @@ "cisco.ftd.message_id": "106023", "cisco.ftd.rule_name": "Inside_access_in", "cisco.ftd.source_interface": "Inside", - "cisco.ftd.source_username": "(LOCAL\\Elastic)", + "cisco.ftd.source_username": "LOCAL\\Elastic", "destination.address": "10.123.123.123", "destination.ip": "10.123.123.123", "destination.port": 57621, @@ -188,6 +195,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 545, + "network.community_id": "1:LM0R4Wi8tEf+1pe2ukofXQKxfMc=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "Outside", @@ -202,10 +210,14 @@ "related.ip": [ "10.123.123.123" ], + "related.user": [ + "Elastic" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", "source.port": 57621, + "source.user.name": "Elastic", "tags": [ "cisco-ftd", "forwarded" diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json index 21e4da22dbc..4aa3fad3d8b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json 
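Review bot: In the `@@ -49,10 +50,14 @@` hunk the new `related.user` array holds only the value derived from `source_username` (`Elastic`) and omits the `cisco.ftd.termination_user` value `zzzzzz` that the same event's first hunk shows, so a search on that user name will not return this teardown event. The same gap is visible in the ASA fixture earlier in this patch, where the 302013 event for `soc@danskecommodities.com` carries `termination_user` but no `related.user` at all. These expected files are generated, so the fix belongs in the asa/ftd ingest pipeline rather than in this diff: append the parsed termination user to `related.user` next to `source.user.name` and regenerate the fixtures. If the `LOCAL\` prefix is intentionally stripped from the source user before it is appended, the termination user should go through the same normalization so the two entries dedupe instead of appearing as distinct names.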
@@ -26,6 +26,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, + "network.community_id": "1:ygCOhTlTMVGn+PXlTgyzRveBJ9g=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -84,6 +85,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 150, + "network.community_id": "1:aH+Rcp4nenimMGZQ733uys/x0js=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -145,6 +147,7 @@ "log.level": "informational", "log.offset": 345, "network.bytes": 38110, + "network.community_id": "1:nawleoAMDhKg7pshv6H5enEaKV8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -205,6 +208,7 @@ "log.level": "informational", "log.offset": 535, "network.bytes": 44010, + "network.community_id": "1:XqwLVHNEt7Z1fB2ZZXj1piBH4PM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -265,6 +269,7 @@ "log.level": "informational", "log.offset": 725, "network.bytes": 7652, + "network.community_id": "1:Q18EvtK0EmoGK6hViBJu2B9syjc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -325,6 +330,7 @@ "log.level": "informational", "log.offset": 913, "network.bytes": 7062, + "network.community_id": "1:k3K4xSa45aJwCWLM9eIJsqCydLQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -385,6 +391,7 @@ "log.level": "informational", "log.offset": 1101, "network.bytes": 5738, + "network.community_id": "1:Qq/qwMDt7lmCdvQnPYJ86wHp5mY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -445,6 +452,7 @@ "log.level": "informational", "log.offset": 1290, "network.bytes": 4176, + "network.community_id": "1:ezm9yQGN1cdh1QEJ2nw19295QfU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -505,6 +513,7 @@ "log.level": "informational", "log.offset": 1478, "network.bytes": 1715, + "network.community_id": "1:dV1ILqqOHNIkUwdYUt2iodkCTIg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -565,6 +574,7 @@ "log.level": "informational", "log.offset": 1666, "network.bytes": 45595, + "network.community_id": "1:M9jSkRNBaw+CV8aYYGLeh+1c4LQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -625,6 +635,7 @@ "log.level": "informational", "log.offset": 1853, "network.bytes": 27359, + "network.community_id": "1:kcIahkhuYMj1cJNDgmYdpgb8b5o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -685,6 +696,7 @@ "log.level": "informational", "log.offset": 2043, "network.bytes": 4457, + "network.community_id": "1:Oll9UOQVtF14Vb1gAqDgbQ8GVN0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -745,6 +757,7 @@ "log.level": "informational", "log.offset": 2231, "network.bytes": 26709, + "network.community_id": "1:SRok/PbYRZCXwEJ9MQDvhiR0OZc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -805,6 +818,7 @@ "log.level": "informational", "log.offset": 2420, "network.bytes": 22097, + "network.community_id": "1:agnIkBJhbPXkAM0Ai6Q8vvm22FM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -865,6 +879,7 @@ "log.level": "informational", "log.offset": 2609, "network.bytes": 2209, + "network.community_id": "1:dyOBaLTo8f2aK6FSqmPQ8iEKQCM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -925,6 +940,7 @@ "log.level": "informational", "log.offset": 2798, "network.bytes": 10404, + "network.community_id": "1:JG3x+PLXI8vDNUP0xc2b7cGmtO8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -985,6 +1001,7 @@ "log.level": "informational", "log.offset": 2987, "network.bytes": 123694, + "network.community_id": "1:aVhOiCMAQUL3DYMg+b1hd6++Tsw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1045,6 +1062,7 @@ "log.level": "informational", "log.offset": 3177, "network.bytes": 35835, + "network.community_id": "1:yvanaru1i/rrH9fF3MeSmHfJVH0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1105,6 +1123,7 @@ "log.level": "informational", "log.offset": 3367, "network.bytes": 0, + "network.community_id": "1:h36yIuCF0zHqn+9q0Z5lLEIz2FE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1158,6 +1177,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 3552, + "network.community_id": "1:tCQw5Th130a6dZONq7h6PjILJZY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -1216,6 +1236,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 3703, + "network.community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1276,6 +1297,7 @@ "log.level": "informational", "log.offset": 3896, "network.bytes": 148, + "network.community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1334,6 +1356,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4071, + "network.community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", 
@@ -1394,6 +1417,7 @@ "log.level": "informational", "log.offset": 4264, "network.bytes": 164, + "network.community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1447,6 +1471,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4439, + "network.community_id": "1:IqCv9QrYpJkgySoRM91LE2Ao1Ug=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1505,6 +1530,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4589, + "network.community_id": "1:sxPO5rXtxG30Oh+QP2ncQZ0N1U8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1559,6 +1585,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4784, + "network.community_id": "1:MZcBg2aQ/SdpVmPXf2Ze+Ng4g9Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1617,6 +1644,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4934, + "network.community_id": "1:G5HU7oEz3i/eGfSUoq5HuDVo7u4=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1676,6 +1704,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5129, + "network.community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1735,6 +1764,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5326, + "network.community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1795,6 +1825,7 @@ "log.level": "informational", "log.offset": 5519, "network.bytes": 111, + "network.community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", 
@@ -1854,6 +1885,7 @@ "log.level": "informational", "log.offset": 5696, "network.bytes": 237, + "network.community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1907,6 +1939,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5871, + "network.community_id": "1:/KJCwT2FUqlgb+8c7f4b8fvqWFE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1965,6 +1998,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 6021, + "network.community_id": "1:gFO9U+lgj3sty9R349zScds2rBg=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2019,6 +2053,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 6218, + "network.community_id": "1:kpfWE+K4tPLbC1LWM9M8v5zQqyk=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2077,6 +2112,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 6369, + "network.community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2136,6 +2172,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 6566, + "network.community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2196,6 +2233,7 @@ "log.level": "informational", "log.offset": 6759, "network.bytes": 87, + "network.community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2255,6 +2293,7 @@ "log.level": "informational", "log.offset": 6935, "network.bytes": 221, + "network.community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", 
@@ -2308,6 +2347,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7110, + "network.community_id": "1:J8j4D9Hm6tPmF+enIkcOgaYzEg4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2366,6 +2406,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7260, + "network.community_id": "1:2VKYvyM6qODR0XAXnVUFrYSP/IU=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2425,6 +2466,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7455, + "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2484,6 +2526,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7652, + "network.community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2544,6 +2587,7 @@ "log.level": "informational", "log.offset": 7849, "network.bytes": 101, + "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2603,6 +2647,7 @@ "log.level": "informational", "log.offset": 8026, "network.bytes": 126, + "network.community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2656,6 +2701,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 8203, + "network.community_id": "1:TO0ui5exOUfDCukU8mR9bJIjkLY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2714,6 +2760,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 8353, + "network.community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -2775,6 +2822,7 @@ "log.level": "informational", "log.offset": 8548, "network.bytes": 862, + "network.community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -2833,6 +2881,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 8733, + "network.community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2893,6 +2942,7 @@ "log.level": "informational", "log.offset": 8930, "network.bytes": 104, + "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2952,6 +3002,7 @@ "log.level": "informational", "log.offset": 9107, "network.bytes": 176, + "network.community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3005,6 +3056,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 9284, + "network.community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3063,6 +3115,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 9434, + "network.community_id": "1:2YT6PqWSIyoyRYVbl2cIXiGcMsw=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3117,6 +3170,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 9625, + "network.community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3175,6 +3229,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 9775, + "network.community_id": "1:XheyUG03AcgRSOyMnpafZQNi3wY=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -3229,6 +3284,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 9966, + "network.community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3287,6 +3343,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 10116, + "network.community_id": "1:cKgOVwHWv3CzYQlpMkVbynKHE30=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3346,6 +3403,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 10307, + "network.community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -3406,6 +3464,7 @@ "log.level": "informational", "log.offset": 10500, "network.bytes": 104, + "network.community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3459,6 +3518,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 10675, + "network.community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3517,6 +3577,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 10825, + "network.community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3571,6 +3632,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 11018, + "network.community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3629,6 +3691,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 11168, + "network.community_id": "1:wH3OQfGQv6qlex3KDY6fleRZ3W4=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -3688,6 +3751,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 11361, + "network.community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -3749,6 +3813,7 @@ "log.level": "informational", "log.offset": 11554, "network.bytes": 593, + "network.community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3802,6 +3867,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 11738, + "network.community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3860,6 +3926,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 11888, + "network.community_id": "1:9aaIbdVfxtctEtHtisDVEKYc8wI=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3920,6 +3987,7 @@ "log.level": "informational", "log.offset": 12081, "network.bytes": 375, + "network.community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3973,6 +4041,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 12256, + "network.community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4031,6 +4100,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 12406, + "network.community_id": "1:CUxMKGQ8Da35o4Z5ZJ3cqjyBcjE=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -4060,27 +4130,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8267, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 12599, + "network.community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4089,7 +4173,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1454, "tags": [ "cisco-ftd", "forwarded" @@ -4122,6 +4213,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 12769, + "network.community_id": "1:24J8khLuXWoetlU/J6WYj+4RnIU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -4180,6 +4272,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 12920, + "network.community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4209,27 +4302,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8268, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13115, + "network.community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4238,7 +4345,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1455, "tags": [ "cisco-ftd", "forwarded" 
@@ -4246,27 +4360,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8269, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13285, + "network.community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4275,7 +4403,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1456, "tags": [ "cisco-ftd", "forwarded" 
@@ -4283,27 +4418,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8270, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13455, + "network.community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4312,7 +4461,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1457, "tags": [ "cisco-ftd", "forwarded" 
@@ -4320,27 +4476,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8271, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13625, + "network.community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4349,7 +4519,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1458, "tags": [ "cisco-ftd", "forwarded" 
@@ -4357,27 +4534,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8272, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13795, + "network.community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4386,7 +4577,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1459, "tags": [ "cisco-ftd", "forwarded" 
@@ -4394,27 +4592,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8273, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13965, + "network.community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4423,7 +4635,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1460, "tags": [ "cisco-ftd", "forwarded" @@ -4463,6 +4682,7 @@ "log.level": "informational", "log.offset": 14135, "network.bytes": 575, + "network.community_id": "1:pux42VCSy7BX42P3cpyd4c/X1M8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -4523,6 +4743,7 @@ "log.level": "informational", "log.offset": 14320, "network.bytes": 5391, + "network.community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4576,6 +4797,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 14509, + "network.community_id": "1:mWEQuMzgDppOFGfUpnRU2SOVLC4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4634,6 +4856,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 14660, + "network.community_id": "1:WPQ7PgW0xK/OsH/dwOA4osO4W+M=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4691,6 +4914,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 14855, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4747,6 +4971,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 15020, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4803,6 +5028,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 15185, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4859,6 +5085,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 15350, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4915,6 +5142,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 15515, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -4971,6 +5199,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 15680, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5027,6 +5256,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 15845, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5083,6 +5313,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 16010, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5139,6 +5370,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 16175, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5195,6 +5427,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 16340, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5251,6 +5484,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 16505, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5307,6 +5541,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 16670, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5363,6 +5598,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 16835, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -5416,6 +5652,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 17000, + "network.community_id": "1:ZuhnndzENnR8d8NKvStxJffM+XM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -5474,6 +5711,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 17150, + "network.community_id": "1:7t0ua2FV3S8YYwDwaXzw5Tm8M80=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -5528,6 +5766,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 17343, + "network.community_id": "1:ZhyIop0bR8c1qT9K7cSplqrW0ew=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -5586,6 +5825,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 17494, + "network.community_id": "1:vvawE2mM1hKl2WU/GmHBmMoI3G8=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index ab324760e70..900923811c3 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -74,6 +74,7 @@ "log.level": "alert", "log.offset": 0, "network.application": "dns client", + "network.community_id": "1:yuD3M7UhwRSNitDpAnWcqzEC85c=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -185,6 +186,7 @@ "log.level": "alert", "log.offset": 658, "network.application": "dns client", + "network.community_id": "1:eDcIGG/W1UcwGWzaTgv5mgr2RDw=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -294,6 +296,7 @@ "log.level": "alert", "log.offset": 1371, "network.application": "dns client", + "network.community_id": "1:nTPeg7DUgB3rjeFwl+cm5VHEdXQ=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -405,6 +408,7 @@ "log.level": "alert", "log.offset": 2047, "network.application": "dns client", + "network.community_id": "1:F3IHQYMd3DO1p+rWBITDU1/XCgA=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -515,6 +519,7 @@ "log.level": "alert", "log.offset": 2766, "network.application": "dns client", + "network.community_id": "1:1SqTqSDG5492OiLhDUMOi+wnDYs=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -624,6 +629,7 @@ "log.level": "alert", "log.offset": 3449, "network.application": "dns client", + "network.community_id": "1:eXdHUOdHk5dGXusvMEGcWj9ywPM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -736,6 +742,7 @@ "log.level": "alert", "log.offset": 4125, "network.application": "dns client", + "network.community_id": "1:rjxS8IH4jqdHiflcG+1txqEFP1M=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -845,6 +852,7 @@ "log.level": "alert", "log.offset": 4878, "network.application": "dns client", + "network.community_id": "1:R1FcZHFFvO0mHFfeVXH/CwTGCmU=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -955,6 +963,7 @@ "log.level": "alert", "log.offset": 5553, "network.application": "dns client", + "network.community_id": "1:0YJqKZXX7VN9W1Gx6txd8TFELHM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1066,6 +1075,7 @@ "log.level": "alert", "log.offset": 6269, "network.application": "dns client", + "network.community_id": "1:jVTdIEwjG0Eb77jGrcDygrNq9jg=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -1178,6 +1188,7 @@ "log.level": "alert", "log.offset": 6983, "network.application": "dns client", + "network.community_id": "1:ZllIE5YNb+12oKtX/tP/gysnSuE=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1283,6 +1294,7 @@ "log.level": "alert", "log.offset": 7672, "network.application": "dns client", + "network.community_id": "1:oGBN4YWsAncmtqDJ1onnQNRAEnw=", "network.iana_number": 6, "network.protocol": "dns", "network.transport": "tcp", @@ -1393,6 +1405,7 @@ "log.level": "alert", "log.offset": 8298, "network.application": "dns client", + "network.community_id": "1:+1CCqUYePM8bXFUXWVeSSjL3g58=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1502,6 +1515,7 @@ "log.level": "alert", "log.offset": 9010, "network.application": "dns client", + "network.community_id": "1:f5P/ntfU9KchCtCfWHT0mYDOHOw=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1612,6 +1626,7 @@ "log.level": "alert", "log.offset": 9683, "network.application": "dns client", + "network.community_id": "1:wrAm7MmrJHlBQ+ikcQmSwf2JnJM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1723,6 +1738,7 @@ "log.level": "alert", "log.offset": 10403, "network.application": "dns client", + "network.community_id": "1:rjxS8IH4jqdHiflcG+1txqEFP1M=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1832,6 +1848,7 @@ "log.level": "alert", "log.offset": 11118, "network.application": "dns client", + "network.community_id": "1:0YJqKZXX7VN9W1Gx6txd8TFELHM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1941,6 +1958,7 @@ "log.level": "alert", "log.offset": 11801, "network.application": "dns client", + "network.community_id": "1:nTPeg7DUgB3rjeFwl+cm5VHEdXQ=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -2050,6 +2068,7 @@ "log.level": "alert", "log.offset": 12477, "network.application": "dns client", + "network.community_id": "1:R1FcZHFFvO0mHFfeVXH/CwTGCmU=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -2157,6 +2176,7 @@ "log.level": "alert", "log.offset": 13152, "network.application": "dns client", + "network.community_id": "1:k5kQaEfpetJ7SxFkG7Ytzzz5ik0=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -2268,6 +2288,7 @@ "log.level": "alert", "log.offset": 13795, "network.application": "dns client", + "network.community_id": "1:jVTdIEwjG0Eb77jGrcDygrNq9jg=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index 8dcb7692215..709c0b6a9a2 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -53,6 +53,7 @@ "log.offset": 0, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", "network.application": "firefox", + "network.community_id": "1:aVBZLbVEijzexcqIhp/89fLm6Fw=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -140,6 +141,7 @@ "log.offset": 587, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", "network.application": "firefox", + "network.community_id": "1:T2FxxCvrJYccm7bcw2QZ9tWONIo=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -224,6 +226,7 @@ "log.level": "unknown", "log.offset": 1174, "message": "APP-DETECT failed FTP login attempt", + "network.community_id": "1:4Ze3PKactlddzol+s7PbEeCTTlk=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -307,6 +310,7 @@ "log.level": "unknown", "log.offset": 1662, "message": "APP-DETECT failed FTP login attempt", + "network.community_id": "1:yyUSZl65LfpqAPKtrjT9QRDUlfs=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index a1f9c037515..eb1a32afe4c 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -77,6 +77,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 201, + "network.community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "localhost", @@ -135,6 +136,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 360, + "network.community_id": "1:d9RGgqBro5rzu16MqJQFehDRaKY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "wan", diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 454f0f3141e..4d979868847 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -28,6 +28,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 0, + "network.community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -77,6 +78,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 139, + "network.community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -127,6 +129,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 294, + "network.community_id": "1:/AVpSqNe7QhujyFPgKMbMS9Ct44=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -177,6 +180,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 465, + "network.community_id": "1:462QRxMFThXYxhSyvR50cIDJegg=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -231,6 +235,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 632, + "network.community_id": "1:c8hH08+kxqP8+dYZZFCsPYYf0oo=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -281,6 +286,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 812, + "network.community_id": "1:oGT+RQ2PYVsSEX/LuKvEW6O6Jiw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -333,6 +339,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 938, + "network.community_id": "1:4NJbCZhuyrAJcj7S647C7IIhAM8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -380,6 +387,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1106, + "network.community_id": "1:ay9S7HyVcpV47ArwMPDsxLg6wBU=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -432,6 +440,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1233, + "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -481,6 +490,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1401, + "network.community_id": "1:fZibb4nXPyoJv3pk+hIlafmMMMY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -534,6 +544,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1527, + "network.community_id": "1:KAOD4KM9MUK44UkzQPDM20+aGPI=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -588,6 +599,7 @@ "log.level": "informational", "log.offset": 1692, "network.bytes": 140, + "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -619,6 +631,7 @@ "destination.address": "10.123.1.35", "destination.ip": "10.123.1.35", "destination.port": 52925, + "destination.user.name": "user2", "event.action": "flow-expiration", "event.category": [ "network" @@ -642,6 +655,7 @@ "log.level": "informational", "log.offset": 1844, "network.bytes": 9999999, + "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -653,14 +667,20 @@ "10.123.1.35", "192.0.2.222" ], + "related.user": [ + "user1", + "user2" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", "source.port": 53, + "source.user.name": "user1", "tags": [ "cisco-ftd", "forwarded" - ] + ], + "user.name": "user2" }, { "@timestamp": "2011-06-04T21:59:52.000-02:00", @@ -688,6 +708,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2008, + "network.community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "FJSG2NRFW01", @@ -735,6 +756,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2163, + "network.community_id": "1:EsAlPGwbpvnOIWG+1RbOLtWOWaI=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -788,6 +810,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2289, + "network.community_id": "1:m/dSB7tetihSecuyjm6x4Rl/8I8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -836,6 +859,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 2454, + "network.community_id": "1:cjsjwTI1K/FNwJ9mwZX971rPjfo=", "network.direction": "inbound", "network.iana_number": 17, "network.protocol": "dns", @@ -885,6 +909,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 2563, + "network.community_id": "1:Zboag8BrI6OW/Oo2vWMZ2CJe4tM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -934,6 +959,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 2722, + "network.community_id": "1:Ne/QE55iCFiCg5J75DhSp3KZzQI=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -983,6 +1009,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 2883, + "network.community_id": "1:nVqNkC3HBTw1Le7RJD28aYfCDTg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1032,6 +1059,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3044, + "network.community_id": "1:c82bgYlFS2zsrs3He7w3jq7x6jY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1081,6 +1109,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3205, + "network.community_id": "1:iQJvtLpa8CzCZimwacqAWJp9sZg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1130,6 +1159,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3366, + "network.community_id": "1:CHFAR3iwADiL0sMiLhocbg8YF4o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -1179,6 +1209,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3527, + "network.community_id": "1:fW9fDNL4osH5ogPXIzh5huGyJLU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1228,6 +1259,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3688, + "network.community_id": "1:VqbI7AJvRLmCOZAb2tHFFBTeRZ8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1277,6 +1309,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3847, + "network.community_id": "1:TUJhCk7pGNvVhgiAnf4YJJaoCpo=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -1326,6 +1359,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4004, + "network.community_id": "1:EItD1g2bG+b/iorMXbZ/3Bvjam8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1373,6 +1407,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 4163, + "network.community_id": "1:a6VFmKsjwlqdlhQIeSm95/lkWlY=", "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", @@ -1419,6 +1454,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 4274, + "network.community_id": "1:96NZ3spb6QBXPZwoL7NadaqTMac=", "network.direction": "inbound", "network.iana_number": 17, "network.protocol": "dns", @@ -1468,6 +1504,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4383, + "network.community_id": "1:DbXtTF7Tt+LJ0/omdap4K0RmodY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1517,6 +1554,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4542, + "network.community_id": "1:8enMIE4IqhVXWyyRuJRvdyDxiBA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -1566,6 +1604,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4703, + "network.community_id": "1:3vGj3wfvZB2f5kZmDflH/qfkWYE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1615,6 +1654,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4862, + "network.community_id": "1:Wjdn68t3gwpMPxbO1bBTBvMkQKE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1664,6 +1704,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 5018, + "network.community_id": "1:OHPCPPOkvDP3KMLJodW8pdmntUw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1713,6 +1754,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 5174, + "network.community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1762,6 +1804,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 5321, + "network.community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1811,6 +1854,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 5468, + "network.community_id": "1:IOafOGWxFLefP+hvoAc06Z1pBj8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1860,6 +1904,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 5631, + "network.community_id": "1:89qba0kw6T/uGNWcSzTTYvNoLeY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1910,6 +1955,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 5792, + "network.community_id": "1:3EQcjAJCGY7yJRip464V5VZ2h00=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -1962,6 +2008,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5963, + "network.community_id": "1:xQpx+K3UkeF1wQfNjT+9cuVvkHo=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2017,6 +2064,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 6143, + "network.community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2071,6 +2119,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 6298, + "network.community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2243,6 +2292,7 @@ "log.level": "informational", "log.offset": 6803, "network.bytes": 14804, + "network.community_id": "1:tVS/eeyng4tH7pSAcq77I2cbedw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2301,6 +2351,7 @@ "log.level": "informational", "log.offset": 6973, "network.bytes": 134781, + "network.community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2359,6 +2410,7 @@ "log.level": "informational", "log.offset": 7144, "network.bytes": 134781, + "network.community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2411,6 +2463,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7315, + "network.community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "127.0.0.1", @@ -2462,6 +2515,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7462, + "network.community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "127.0.0.1", 
@@ -2515,6 +2569,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 7609, + "network.community_id": "1:BouUIZD+TqJZdYklL1aMrJfnbQ0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2571,6 +2626,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7765, + "network.community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2628,6 +2684,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7944, + "network.community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2687,6 +2744,7 @@ "log.level": "informational", "log.offset": 8123, "network.bytes": 11420, + "network.community_id": "1:kugTIYv6tVeitQAN8XRNgUPvZiw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2743,6 +2801,7 @@ "log.level": "informational", "log.offset": 8293, "network.bytes": 1416, + "network.community_id": "1:n1IQHcbrWLb1u8dflqz8hfEElA0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3169,6 +3228,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 9405, + "network.community_id": "1:buRYH8vRkdq5apZqKHNDfmztnUo=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3268,6 +3328,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 9669, + "network.community_id": "1:XKWgpeop6LmXORBjS+D+pjammJ4=", "network.iana_number": 1, "network.transport": "icmp", "observer.ingress.interface.name": "inside", @@ -3320,6 +3381,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 9805, + "network.community_id": "1:ZWjuP5bJeA+f0NH342ubXOWI+Lc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -3382,6 +3444,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 10056, + "network.community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outsidet", @@ -3441,6 +3504,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 10355, + "network.community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outsidet", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index fae2b463a49..f5c9eb57649 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -56,6 +56,7 @@ "log.level": "alert", "log.offset": 0, "network.application": "icmp client", + "network.community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=", "network.iana_number": 1, "network.protocol": "icmp", "network.transport": "icmp", @@ -150,6 +151,7 @@ "log.level": "alert", "log.offset": 579, "network.application": "icmp client", + "network.community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=", "network.iana_number": 1, "network.protocol": "icmp", "network.transport": "icmp", @@ -253,6 +255,7 @@ "log.level": "alert", "log.offset": 1182, "network.application": "dns client", + "network.community_id": "1:LrHhMjRxI8XLokucnZO43cq3wJ0=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -363,6 +366,7 @@ "log.level": "alert", "log.offset": 1821, "network.application": "dns client", + "network.community_id": "1:/cLFaau3XcCC0NUtxHnt+rWlO6A=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -462,6 +466,7 @@ "input.type": "log", "log.level": "alert", "log.offset": 2515, + "network.community_id": "1:L+Ul/KflTuC9qM1HyJ2hOk2/NSM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -577,6 +582,7 @@ "advanced packaging tool", "ubuntu" ], + "network.community_id": "1:L+Ul/KflTuC9qM1HyJ2hOk2/NSM=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -682,6 +688,7 @@ "input.type": "log", "log.level": "alert", "log.offset": 3919, + "network.community_id": "1:TE/czajXLfyOntGRUMlWpOamN+I=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -793,6 +800,7 @@ "log.level": "alert", "log.offset": 4442, "network.application": "curl", + "network.community_id": "1:TE/czajXLfyOntGRUMlWpOamN+I=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -887,6 +895,7 @@ "input.type": "log", "log.level": "alert", "log.offset": 5177, + "network.community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=", "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "input", @@ -989,6 +998,7 @@ "log.level": "alert", "log.offset": 5719, "network.application": "curl", + "network.community_id": "1:EX7LDhHq0D9ez/OeVOOW5FWakkI=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index 367c559c2e6..3dcdb4f4219 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json 
@@ -44,6 +44,7 @@ "log.level": "alert", "log.offset": 0, "network.application": "curl", + "network.community_id": "1:ICpzATq4Q7ls9bAGqEmf+eAOtFc=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -123,6 +124,7 @@ "log.level": "alert", "log.offset": 450, "network.application": "curl", + "network.community_id": "1:1P/UJpeT0HuAQ0Zj36VUw3NWrms=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -202,6 +204,7 @@ "log.level": "alert", "log.offset": 900, "network.application": "curl", + "network.community_id": "1:k9jZpiIYklqnW5VrPKZ36zGCfpw=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -281,6 +284,7 @@ "log.level": "alert", "log.offset": 1348, "network.application": "curl", + "network.community_id": "1:1O6Tg+zlE975TFeaA0Qa6QBRfBs=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -366,6 +370,7 @@ "log.level": "alert", "log.offset": 1804, "network.application": "curl", + "network.community_id": "1:9k57JmGIU8Cd4FcndffJHSuGmHg=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -454,6 +459,7 @@ "log.level": "alert", "log.offset": 2372, "network.application": "curl", + "network.community_id": "1:eJqjWMIqoBPiagsWFCmeQAhxZaM=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -546,6 +552,7 @@ "log.level": "alert", "log.offset": 2940, "network.application": "curl", + "network.community_id": "1:EX7LDhHq0D9ez/OeVOOW5FWakkI=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -647,6 +654,7 @@ "log.level": "alert", "log.offset": 3639, "network.application": "curl", + "network.community_id": "1:idXjLwb9WD2+SkGKCxynJU8imAk=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", 
@@ -737,6 +745,7 @@ "log.level": "alert", "log.offset": 4397, "network.application": "curl", + "network.community_id": "1:nOd4Q0QVZ1CGu/nTE/uuQ/52Q3A=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -837,6 +846,7 @@ "log.level": "alert", "log.offset": 5211, "network.application": "curl", + "network.community_id": "1:NJVenFV6VTdZygfzWuC08PwZc84=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index a1146a75efc..eeb9024fdc4 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -77,6 +77,7 @@ "log.level": "unknown", "log.offset": 0, "network.application": "chrome", + "network.community_id": "1:IpM6MLWKXk42SgVki5Wy5/6cTfk=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 2c92b41648e..ee379156ce6 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml 
@@ -268,7 +268,10 @@ processors: field: "message" description: "106023" patterns: - - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}" + - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) - dissect: if: "ctx._temp_.cisco.message_id == '106027'" field: "message" 
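Review bot: The new `CISCO_USER` definition bottoms out in `%{USERNAME}`, which in the stock grok library is `[a-zA-Z0-9._-]+`, so a 106023 line whose parenthesised user contains anything else (an AD machine account ending in `$`, for instance) no longer matches the pattern at all and the whole grok fails, where the previous `%{GREEDYDATA}` capture absorbed it. If the goal is to capture rather than validate the user, a bounded class such as `CISCO_USER: "[^()]+"` keeps the capture tight without rejecting the line; the same applies to the identical copies in the 302013/302015, 305012 and 302020 hunks below. Because `pattern_definitions` are per grok processor the four copies cannot be shared, so a `# keep in sync with the other CISCO_USER definitions in this pipeline` comment next to each would help whoever edits one of them later. The enclosing grok processor starts before this hunk.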
@@ -329,28 +332,37 @@ processors: field: "message" description: "302013, 302015" patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}" + - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:destination.user.name}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) 
- dissect: if: "ctx._temp_.cisco.message_id == '303002'" field: "message" description: "303002" pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - - dissect: - if: "ctx._temp_.cisco.message_id == '302012'" + - grok: + if: "ctx._temp_.cisco.message_id == '305012'" field: "message" - description: "302012" - pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" + description: "305012" + patterns: + - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" - grok: if: "ctx._temp_.cisco.message_id == '302020'" field: "message" description: "302020" patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" 
+ - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) - dissect: if: "ctx._temp_.cisco.message_id == '302022'" field: "message" @@ -366,7 +378,7 @@ processors: field: "message" description: "304001" patterns: - - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" + - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" - set: if: "ctx._temp_.cisco.message_id == '304001'" field: "event.outcome" 
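Review bot: In the rewritten 302013/302015 pattern the trailing optional group stores the authenticated user in `_temp_.cisco.termination_user`, a name that reads as a teardown attribute on a `Built` message; if it is reused on purpose so that the later `user.name` mapping fires, a comment on the pattern line such as `# trailing (user) is the authenticated user; stored as termination_user so the shared user.name mapping applies` would prevent the next reader from "fixing" it. Separately, both this pattern and the new 305012 pattern capture ports as plain `%{NUMBER:source.port}` while the Teardown patterns at the end of the file use `%{NUMBER:source.port:int}`; the fixtures show integer ports, so a later convert step presumably normalises them, but typing them at the capture would make the two paths consistent. The `%{DATA}` after `Teardown` in 305012 discards the `dynamic`/`static` qualifier, which could be kept cheaply as something like `%{WORD:_temp_.cisco.translation_type}` (suggested name) if it is useful downstream. The surrounding processors list continues outside this hunk.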
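Review bot: The 304001 pattern now writes `source.user.name` directly via `%{NOTSPACE:source.user.name}`, whereas every other user capture in this change goes through `_temp_.cisco.*_username` with the `CISCO_USER` definition; if `related.user` is populated from those `_temp_` fields (the 302014 fixture shows it being filled), this user would be missed there. Routing it the same way, `(%{CISCO_USER:_temp_.cisco.source_username}@)?` with the same `pattern_definitions` the neighbouring processors carry, would keep the handling uniform. The new `(\\(%{DATA}\\))?` group deliberately drops whatever follows the source address in parentheses; if that is the identity-firewall user, a comment like `# (user) suffix after the source address is not captured` would make the choice explicit.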
@@ -651,13 +663,14 @@ processors: field: "message" description: "722051" patterns: - - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" - - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" - - dissect: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" + - grok: if: "ctx._temp_.cisco.message_id == '733100'" field: "message" description: "733100" - pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" + patterns: + - \[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\] drop %{NOTSPACE:_temp_.cisco.burst.id} exceeded. Current burst rate is %{INT:_temp_.cisco.burst.current_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_rate}; Current average rate is %{INT:_temp_.cisco.burst.avg_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{INT:_temp_.cisco.burst.cumulative_count} - dissect: if: "ctx._temp_.cisco.message_id == '734001'" field: "message" 
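Review bot: In the new 733100 grok pattern the dot in `exceeded.` is unescaped and therefore matches any character; `exceeded\.` states the intent at no cost. The leading `\[(%{SPACE})?` is redundant because `%{SPACE}` is already `\s*`, so `\[%{SPACE}%{DATA:_temp_.cisco.burst.object}\]` is equivalent and easier to read. The `%{INT:...}` captures remain strings, as they did with the dissect processor this replaces; if the burst counters are meant to be numeric, `%{INT:_temp_.cisco.burst.current_rate:int}` and friends would type them at the source rather than relying on a later convert. The processors list continues outside this hunk.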
@@ -667,7 +680,7 @@ processors: if: "ctx._temp_.cisco.message_id == '805001'" field: "message" description: "805001" - pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + pattern: "Offloaded %{network.transport} Flow for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - dissect: if: "ctx._temp_.cisco.message_id == '805002'" field: "message" @@ -696,7 +709,7 @@ processors: - dissect: if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' field: "message" - pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." + pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." - dissect: if: "ctx._temp_.cisco.message_id == '750002'" field: "message" 
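Review bot: The 602303/602304 dissect now stores the SA type in `_temp_.cisco.tunnel_type`, which by the `_temp_` convention is presumably dropped at the end of the pipeline; unless a processor outside this hunk copies it to a persistent field, the value (the `LAN-to-LAN`/remote-access token) is captured only to be discarded. If that is intended as a placeholder until a `cisco.*` field exists, a comment such as `# tunnel_type not yet mapped to a persistent field` on the pattern line would flag it. `%{network.type}` on the same line still receives the raw protocol token from the message; ECS documents lowercase values (`ipsec`) for this field, so a lowercase step is needed somewhere if none exists already.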
@@ -762,27 +775,29 @@ processors: # Handle 302xxx messages (Flow expiration a.k.a "Teardown") # - set: - if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' + if: '["305012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' field: "event.action" value: "flow-expiration" - description: "302012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" + description: "305012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" - grok: field: "message" if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" patterns: - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes 
%{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} 
)?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) - - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})" + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) # # Decode FTD's Security Event Syslog Messages # 
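Review bot: Replacing `%{NOTSPACE:…username}` with `%{CISCO_USER:…}` narrows what a username may contain to grok's `USERNAME` class (`[a-zA-Z0-9._-]+`, optionally prefixed by `LOCAL\` or a `HOSTNAME\` and suffixed by `@HOSTNAME`), so a teardown line carrying a machine account such as `svc$` or any name with `+`, `'` or `%` that the old pattern accepted now misses all seven patterns and drops to `on_failure`, losing the ECS fields for that event. If the goal is only to strip the optional parentheses and domain decorations, keep the inner class as permissive as before: `CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?[^\s\\@()]+(@%{HOSTNAME})?)`. The same hunk also swaps `302012` for `305012` in the flow-expiration `set` list (the description is updated in step); if that is a deliberate correction it deserves a sentence in the commit message, since it changes which message IDs receive `event.action: flow-expiration`. The `DURATION` definition is an improvement over `%{TIME}`, which capped the hour field at 23.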
@@ -1320,6 +1335,35 @@ processors: Instant.parse(end).minusNanos(nanos), ZoneOffset.UTC); # + # Parse Source/Dest Username/Domain + # + - set: + field: source.user.name + value: "{{{ _temp_.cisco.source_username }}}" + if: 'ctx?.source?.user?.name == null && ctx?._temp_?.cisco?.source_username != null' + - set: + field: destination.user.name + value: "{{{ _temp_.cisco.destination_username }}}" + if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null' + - grok: + field: "source.user.name" + if: 'ctx?.source?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER:source.user.name} + pattern_definitions: + CISCO_USER: "%{USERNAME}(@%{HOSTNAME:source.user.domain})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)? + - grok: + field: "destination.user.name" + if: 'ctx?.destination?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER:destination.user.name} + pattern_definitions: + CISCO_USER: "%{USERNAME}(@%{HOSTNAME:destination.user.domain})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? + # # Normalize protocol names # - lowercase: 
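Review bot: The two new grok processors that split `source.user.name` / `destination.user.name` into name and domain are unanchored, and grok overwrites the captured field with only the matched substring, so a name containing any character outside `USERNAME`'s `[a-zA-Z0-9._-]` is silently truncated rather than left alone: `O'Brien` becomes `O`, `john doe` becomes `john`, and `ignore_failure: true` keeps the truncation invisible while the shortened value later feeds `related.user`. Anchor both patterns so a non-conforming value fails the match and retains the original string: `- ^(%{CISCO_DOMAIN})?%{CISCO_USER:source.user.name}$` and `- ^(%{CISCO_DOMAIN})?%{CISCO_USER:destination.user.name}$`. Note also that `source.user.domain` is captured in both `CISCO_DOMAIN` and `CISCO_USER`, so a value like `DOM\user@realm` would populate it twice; confirm how the grok processor resolves duplicate captures before relying on a single keyword value. The triple-brace `set` templates above them are correct, as they avoid the escaping that `{{ }}` applies to backslashes in `DOMAIN\user` names.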
@@ -1428,50 +1472,62 @@ processors: field: "source.port" type: integer ignore_failure: true + ignore_missing: true - convert: field: "destination.port" type: integer ignore_failure: true + ignore_missing: true - convert: field: "source.bytes" type: long ignore_failure: true + ignore_missing: true - convert: field: "destination.bytes" type: long ignore_failure: true + ignore_missing: true - convert: field: "network.bytes" type: long ignore_failure: true + ignore_missing: true - convert: field: "source.packets" type: integer ignore_failure: true + ignore_missing: true - convert: field: "destination.packets" type: integer ignore_failure: true + ignore_missing: true - convert: field: "_temp_.cisco.mapped_source_port" type: integer ignore_failure: true + ignore_missing: true - convert: field: "_temp_.cisco.mapped_destination_port" type: integer ignore_failure: true + ignore_missing: true - convert: field: "_temp_.cisco.icmp_code" type: integer ignore_failure: true + ignore_missing: true - convert: field: "_temp_.cisco.icmp_type" type: integer ignore_failure: true + ignore_missing: true - convert: field: "network.iana_number" type: integer ignore_failure: true + ignore_missing: true # # Assign ECS .ip fields from .address is a valid IP address is found, # otherwise set .domain field. 
@@ -1856,22 +1912,22 @@ processors: allow_duplicates: false - append: field: related.user - value: "{{user.name}}" + value: "{{{user.name}}}" if: ctx?.user?.name != null && ctx?.user?.name != '' allow_duplicates: false - append: field: related.user - value: "{{host.user.name}}" + value: "{{{host.user.name}}}" if: ctx?.host?.user?.name != null && ctx?.host?.user?.name != '' allow_duplicates: false - append: field: related.user - value: "{{source.user.name}}" + value: "{{{source.user.name}}}" if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' allow_duplicates: false - append: field: related.user - value: "{{destination.user.name}}" + value: "{{{destination.user.name}}}" if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' allow_duplicates: false - append: @@ -1899,6 +1955,16 @@ processors: value: "{{source.domain}}" if: ctx.source?.domain != null && ctx.source?.domain != '' allow_duplicates: false + - append: + field: related.hosts + value: "{{source.user.domain}}" + if: ctx.source?.user?.domain != null && ctx.source?.user?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{destination.user.domain}}" + if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != '' + allow_duplicates: false - script: lang: painless description: This script processor iterates over the whole document to remove fields with null values. @@ -1923,6 +1989,9 @@ processors: } } handleMap(ctx); + - community_id: + ignore_missing: true + ignore_failure: true on_failure: # Copy any fields under _temp_.cisco to its final destination. Those can help # with diagnosing the failure. diff --git a/x-pack/filebeat/module/coredns/_meta/config.yml b/x-pack/filebeat/module/coredns/_meta/config.yml index d9ef777bde5..4cfd48edb1e 100644 --- a/x-pack/filebeat/module/coredns/_meta/config.yml +++ b/x-pack/filebeat/module/coredns/_meta/config.yml 
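Review bot: The two appends added for `related.hosts` use double-brace templates (`{{source.user.domain}}`, `{{destination.user.domain}}`) while the first hunk of this group moves the `related.user` appends to triple braces, which is the usual way to stop the template engine from escaping the value; the new lines should follow suit: `value: "{{{source.user.domain}}}"` and `value: "{{{destination.user.domain}}}"`. The values come from `HOSTNAME` captures, so in practice they contain nothing that escaping would alter, but mixing the two forms inside one processor list invites the next copy-paste to pick the wrong one. The trailing `community_id` processor is added with both `ignore_missing` and `ignore_failure`, which is appropriate for events that carry no 5-tuple.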
@@ -1,7 +1,7 @@ - module: coredns # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/crowdstrike/_meta/config.yml b/x-pack/filebeat/module/crowdstrike/_meta/config.yml index 04cf80889ba..84901e8779b 100644 --- a/x-pack/filebeat/module/crowdstrike/_meta/config.yml +++ b/x-pack/filebeat/module/crowdstrike/_meta/config.yml @@ -1,7 +1,7 @@ - module: crowdstrike falcon: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/cyberark/README.md b/x-pack/filebeat/module/cyberark/README.md deleted file mode 100644 index 80bba69debc..00000000000 --- a/x-pack/filebeat/module/cyberark/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# cyberark module - -This is a module for Cyber-Ark logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML cyberark version 124 -at 2020-09-01 14:17:46.365057 +0000 UTC. - diff --git a/x-pack/filebeat/module/cyberark/_meta/config.yml b/x-pack/filebeat/module/cyberark/_meta/config.yml deleted file mode 100644 index d3a1f20ec6f..00000000000 --- a/x-pack/filebeat/module/cyberark/_meta/config.yml +++ /dev/null @@ -1,21 +0,0 @@ -# The cyberark module is deprecated and will be removed in future releases. -# Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. -- module: cyberark - corepas: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9527 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local 
diff --git a/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc b/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc deleted file mode 100644 index 5d349be9bfe..00000000000 --- a/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc +++ /dev/null @@ -1,66 +0,0 @@ -[role="xpack"] - -:modulename: cyberark -:has-dashboards: false - -== Cyberark module - -deprecated::[7.13.0,"This module is deprecated. Use the <>"] - -This is a module for receiving Cyber-Ark logs over Syslog or a file. - -include::../include/gs-link.asciidoc[] - -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: corepas - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `corepas` fileset settings - -deprecated::[7.13.0] - -NOTE: This was converted from RSA NetWitness log parser XML "cyberark" device revision 124. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9527` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -:modulename!: - 
diff --git a/x-pack/filebeat/module/cyberark/_meta/fields.yml b/x-pack/filebeat/module/cyberark/_meta/fields.yml deleted file mode 100644 index ab0db4113c7..00000000000 --- a/x-pack/filebeat/module/cyberark/_meta/fields.yml +++ /dev/null @@ -1,5 +0,0 @@ -- key: cyberark - title: Cyber-Ark - description: > - cyberark fields. - fields: diff --git a/x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml b/x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml deleted file mode 100644 index ecf61b431da..00000000000 --- a/x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml +++ /dev/null 
@@ -1,2637 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - default_field: false - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - default_field: false - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/cyberark/corepas/config/input.yml b/x-pack/filebeat/module/cyberark/corepas/config/input.yml deleted file mode 100644 index 11724ce0b17..00000000000 --- a/x-pack/filebeat/module/cyberark/corepas/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@ -{{ if eq .input "file" }} - -type: log -paths: - {{ range $i, $path := .paths }} -- {{$path}} - {{ end }} -exclude_files: [".gz$"] - -{{ else }} - -type: {{.input}} -host: "{{.syslog_host}}:{{.syslog_port}}" - -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -fields_under_root: true -fields: - observer: - vendor: "Cyberark" - product: "Core" - type: "Access" - -processors: -- script: - lang: javascript - params: - ecs: true - rsa: {{.rsa_fields}} - tz_offset: {{.tz_offset}} - keep_raw: {{.keep_raw_fields}} - debug: {{.debug}} - files: - - ${path.home}/module/cyberark/corepas/config/liblogparser.js - - ${path.home}/module/cyberark/corepas/config/pipeline.js -{{ if .community_id }} -- community_id: ~ -{{ end }} -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: 
true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_fields: - target: '' - fields: - ecs.version: 1.11.0 diff --git a/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js b/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js deleted file mode 100644 index cec99a043e8..00000000000 --- a/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js +++ /dev/null 
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.error(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "log.original", setter: fld_set}]}, - "orig_ip": {convert: 
to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_append},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup1, - dup2, -])); - -var dup153 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup4, - dup2, - dup3, -])); - -var dup154 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", 
processor_chain([ - dup4, - dup2, -])); - -var dup155 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, - dup2, - dup3, -])); - -var dup156 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, - dup2, -])); - -var dup157 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": 
"severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup15, - dup16, - dup17, - dup9, - dup2, - dup3, -])); - -var dup158 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup15, - dup16, - dup17, - dup9, - dup2, -])); - -var dup159 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup19, - dup2, - dup3, -])); - -var dup160 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup19, - dup2, -])); - -var dup161 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup15, - dup2, - dup3, -])); - -var dup162 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup15, - dup2, -])); - -var dup163 = tagval("MESSAGE#38:22:01", "nwparser.payload", 
tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup21, - dup2, - dup3, -])); - -var dup164 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup21, - dup2, -])); - -var dup165 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, 
processor_chain([ - dup23, - dup2, - dup3, -])); - -var dup166 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup23, - dup2, -])); - -var dup167 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup20, - dup2, - dup3, -])); - -var dup168 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup20, - dup2, -])); - -var dup169 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup26, - dup2, - dup3, -])); - -var dup170 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup26, - dup2, -])); - -var dup171 = tagval("MESSAGE#190:98:01", "nwparser.payload", 
tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup26, - dup2, - dup3, - dup24, - dup25, -])); - -var dup172 = linear_select([ - dup32, - dup33, -]); - -var dup173 = linear_select([ - dup34, - dup35, -]); - -var dup174 = linear_select([ - dup36, - dup37, -]); - -var dup175 = linear_select([ - dup38, - dup39, -]); - -var dup176 = linear_select([ - dup40, - dup41, -]); - -var dup177 = linear_select([ - dup42, - dup43, -]); - -var dup178 = linear_select([ - dup44, - dup45, -]); - -var dup179 = linear_select([ - dup46, - dup47, -]); - -var dup180 = linear_select([ - dup48, - dup49, -]); - -var dup181 = linear_select([ - dup50, - dup51, -]); - -var dup182 = linear_select([ - dup52, - dup53, -]); - -var dup183 = linear_select([ - dup54, - dup55, -]); - -var dup184 = linear_select([ - dup56, - dup57, -]); - -var dup185 = linear_select([ - dup58, - dup59, -]); - -var dup186 = linear_select([ - dup60, - dup61, -]); - -var dup187 = linear_select([ - dup62, - dup63, -]); - -var dup188 = linear_select([ - dup64, - dup65, -]); - -var dup189 = linear_select([ - dup66, - dup67, -]); - -var dup190 = linear_select([ - dup68, - dup69, -]); - -var dup191 = linear_select([ - dup70, - dup71, -]); - -var dup192 = linear_select([ - dup72, - dup73, -]); - -var dup193 = linear_select([ - dup74, - dup75, -]); - -var dup194 = linear_select([ - dup76, - dup77, -]); - -var dup195 = 
tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup79, - dup80, - dup81, - dup2, - dup3, -])); - -var dup196 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup79, - dup80, - dup81, - dup2, -])); - -var dup197 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": 
"uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup82, - dup2, - dup3, -])); - -var dup198 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup82, - dup2, -])); - -var dup199 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup83, - dup2, - dup3, -])); - -var dup200 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup83, - dup2, -])); - -var dup201 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ - dup4, - dup2, - dup3, -])); - -var dup202 = linear_select([ - dup85, - dup86, -]); - -var dup203 = linear_select([ - dup88, - dup89, -]); - -var dup204 = linear_select([ - dup91, - dup92, -]); - -var dup205 = linear_select([ - dup94, - dup95, -]); - -var dup206 = linear_select([ - dup97, - dup98, -]); - -var dup207 = linear_select([ - dup100, - dup101, -]); - -var dup208 = linear_select([ - dup103, - dup104, -]); - -var dup209 = linear_select([ - dup106, - dup107, -]); - -var dup210 = linear_select([ - dup109, - dup110, -]); - -var dup211 = linear_select([ - dup112, - dup113, -]); - -var dup212 = linear_select([ - dup115, - dup116, - dup117, - dup118, -]); - -var dup213 = linear_select([ - dup120, - dup121, -]); - -var dup214 = linear_select([ - dup123, - dup124, -]); - -var dup215 = linear_select([ - dup126, - dup127, -]); - -var dup216 = linear_select([ - dup129, - dup130, 
-]); - -var dup217 = linear_select([ - dup132, - dup133, -]); - -var dup218 = linear_select([ - dup135, - dup136, -]); - -var dup219 = linear_select([ - dup138, - dup139, -]); - -var dup220 = linear_select([ - dup141, - dup142, -]); - -var dup221 = linear_select([ - dup144, - dup145, -]); - -var dup222 = linear_select([ - dup147, - dup148, -]); - -var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld1}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hdevice"), - constant("\",ProductAccount=\""), - field("hfld1"), - constant("\",ProductProcess=\""), - field("process"), - constant("\",EventId=\""), - field("messageid"), - constant("\", "), - field("p0"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld4}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ - setc("header_id","0005"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hdevice"), - constant("\",ProductAccount=\""), - field("hfld4"), - constant("\",ProductProcess=\""), - field("process"), - constant("\",EventId=\""), - field("messageid"), - constant("\", "), - field("p0"), - ], - }), -])); - -var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ - setc("header_id","0002"), -])); - -var hdr4 = match("HEADER#3:0003", "message", "%{hfld1->} %{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ - setc("header_id","0003"), -])); - -var hdr5 = match("HEADER#4:0004", "message", "%CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ - setc("header_id","0004"), -])); - -var 
hdr6 = match("HEADER#5:0006", "message", "%{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ - setc("header_id","0006"), -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, -]); - -var msg1 = msg("1:01", dup151); - -var msg2 = msg("1", dup152); - -var select2 = linear_select([ - msg1, - msg2, -]); - -var msg3 = msg("2:01", dup153); - -var msg4 = msg("2", dup154); - -var select3 = linear_select([ - msg3, - msg4, -]); - -var msg5 = msg("3:01", dup151); - -var msg6 = msg("3", dup152); - -var select4 = linear_select([ - msg5, - msg6, -]); - -var msg7 = msg("4:01", dup155); - -var msg8 = msg("4", dup156); - -var select5 = linear_select([ - msg7, - msg8, -]); - -var part1 = tagval("MESSAGE#8:7:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup10, - dup6, - dup7, - dup8, - dup11, - dup2, - dup3, -])); - -var msg9 = msg("7:01", part1); - -var part2 = match("MESSAGE#9:7", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup10, - dup6, - dup7, - dup8, - dup11, - dup2, -])); - -var msg10 = msg("7", part2); - -var select6 = linear_select([ - msg9, - msg10, -]); - -var part3 = tagval("MESSAGE#10:8:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup12, - dup6, - dup13, - dup8, - dup11, - dup2, - dup3, -])); - -var msg11 = msg("8:01", part3); - -var part4 = match("MESSAGE#11:8", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup12, - dup6, - dup13, - dup8, - dup11, - dup2, -])); - -var msg12 = msg("8", part4); - -var select7 = linear_select([ - msg11, - msg12, -]); - -var part5 = tagval("MESSAGE#12:9:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup1, - dup14, - dup9, - dup2, - dup3, -])); - -var msg13 = msg("9:01", part5); - -var part6 = match("MESSAGE#13:9", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup1, - dup14, - dup9, - dup2, -])); - -var msg14 = msg("9", part6); - -var select8 = linear_select([ - msg13, - msg14, -]); - -var msg15 = msg("10:01", dup151); - -var msg16 = msg("10", dup152); - -var select9 = linear_select([ - msg15, - msg16, -]); - -var msg17 = msg("11:01", dup151); - -var msg18 = msg("11", dup152); - -var select10 = linear_select([ - msg17, - msg18, -]); - -var msg19 = msg("12:01", dup151); - -var msg20 = msg("12", dup152); - -var select11 = linear_select([ - msg19, - msg20, -]); - -var msg21 = msg("13:01", dup157); - -var msg22 = msg("13", dup158); - -var select12 = linear_select([ - msg21, - msg22, -]); - -var msg23 = msg("14:01", dup157); - -var msg24 = msg("14", dup158); - -var select13 = linear_select([ - msg23, - msg24, -]); - -var part7 = tagval("MESSAGE#24:15:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, 
processor_chain([ - dup15, - dup18, - dup9, - dup2, - dup3, -])); - -var msg25 = msg("15:01", part7); - -var part8 = match("MESSAGE#25:15", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup15, - dup18, - dup9, - dup2, -])); - -var msg26 = msg("15", part8); - -var select14 = linear_select([ - msg25, - msg26, -]); - -var msg27 = msg("16:01", dup159); - -var msg28 = msg("16", dup160); - -var select15 = linear_select([ - msg27, - msg28, -]); - -var msg29 = msg("17:01", dup151); - -var msg30 = msg("17", dup152); - -var select16 = linear_select([ - msg29, - msg30, -]); - -var msg31 = msg("18:01", dup161); - -var msg32 = msg("18", dup162); - -var select17 = linear_select([ - msg31, - msg32, -]); - -var part9 = tagval("MESSAGE#32:19:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup20, - dup16, - dup11, - dup2, - dup3, -])); - -var msg33 = 
msg("19:01", part9); - -var part10 = match("MESSAGE#33:19", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup20, - dup16, - dup11, - dup2, -])); - -var msg34 = msg("19", part10); - -var select18 = linear_select([ - msg33, - msg34, -]); - -var part11 = tagval("MESSAGE#34:20:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup19, - dup16, - dup2, - dup3, -])); - -var msg35 = msg("20:01", part11); - -var part12 = match("MESSAGE#35:20", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup19, - dup16, - dup2, -])); - -var msg36 = msg("20", part12); - -var select19 = linear_select([ - msg35, - msg36, -]); - -var part13 = tagval("MESSAGE#36:21:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup15, - dup16, - dup9, - dup2, - dup3, -])); - -var msg37 = msg("21:01", part13); - -var part14 = match("MESSAGE#37:21", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup15, - dup16, - dup9, - dup2, -])); - -var msg38 = msg("21", part14); - -var select20 = linear_select([ - msg37, - msg38, -]); - -var msg39 = msg("22:01", dup163); - -var msg40 = msg("22", dup164); - -var select21 = linear_select([ - msg39, - msg40, -]); - -var part15 = tagval("MESSAGE#40:23:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup22, - dup2, - dup3, -])); - -var msg41 = msg("23:01", part15); - -var part16 = match("MESSAGE#41:23", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup22, - dup2, -])); - -var msg42 = msg("23", part16); - -var select22 = linear_select([ - msg41, - msg42, -]); - -var msg43 = msg("24:01", dup163); - -var msg44 = msg("24", dup164); - -var select23 = linear_select([ - msg43, - msg44, -]); - -var msg45 = msg("25:01", dup151); - -var msg46 = msg("25", dup152); - -var select24 = linear_select([ - msg45, - msg46, -]); - -var msg47 = msg("26:01", dup151); - -var msg48 = msg("26", dup152); - -var select25 = linear_select([ - msg47, - msg48, -]); - -var msg49 = msg("27:01", dup151); - -var msg50 = msg("27", dup152); - -var select26 = linear_select([ - msg49, - msg50, -]); - -var msg51 = msg("28:01", dup163); - -var msg52 = msg("28", dup164); - -var select27 = linear_select([ - msg51, - msg52, -]); - -var msg53 = msg("29:01", dup151); - -var msg54 = msg("29", dup152); - -var select28 = linear_select([ - msg53, - msg54, -]); - -var msg55 = msg("30:01", dup151); - -var msg56 = msg("30", dup152); - -var select29 = linear_select([ - msg55, - msg56, -]); - -var msg57 = msg("31:01", dup163); - -var msg58 = msg("31", dup164); - -var select30 = linear_select([ - msg57, - msg58, -]); - -var msg59 = msg("32:01", dup163); - -var msg60 = msg("32", dup164); - -var select31 = linear_select([ - msg59, - msg60, -]); - -var msg61 = msg("33:01", dup163); - -var msg62 = msg("33", dup164); - -var select32 = linear_select([ - msg61, - msg62, -]); - -var msg63 = msg("34:01", dup151); - -var msg64 = msg("34", 
dup152); - -var select33 = linear_select([ - msg63, - msg64, -]); - -var msg65 = msg("35:01", dup151); - -var msg66 = msg("35", dup152); - -var select34 = linear_select([ - msg65, - msg66, -]); - -var msg67 = msg("36:01", dup163); - -var msg68 = msg("36", dup164); - -var select35 = linear_select([ - msg67, - msg68, -]); - -var msg69 = msg("37:01", dup163); - -var msg70 = msg("37", dup164); - -var select36 = linear_select([ - msg69, - msg70, -]); - -var msg71 = msg("38:01", dup165); - -var msg72 = msg("38", dup166); - -var select37 = linear_select([ - msg71, - msg72, -]); - -var msg73 = msg("39:01", dup163); - -var msg74 = msg("39", dup164); - -var select38 = linear_select([ - msg73, - msg74, -]); - -var msg75 = msg("40:01", dup151); - -var msg76 = msg("40", dup152); - -var select39 = linear_select([ - msg75, - msg76, -]); - -var msg77 = msg("41:01", dup151); - -var msg78 = msg("41", dup152); - -var select40 = linear_select([ - msg77, - msg78, -]); - -var msg79 = msg("42:01", dup151); - -var msg80 = msg("42", dup152); - -var select41 = linear_select([ - msg79, - msg80, -]); - -var msg81 = msg("43:01", dup151); - -var msg82 = msg("43", dup152); - -var select42 = linear_select([ - msg81, - msg82, -]); - -var msg83 = msg("44:01", dup151); - -var msg84 = msg("44", dup152); - -var select43 = linear_select([ - msg83, - msg84, -]); - -var msg85 = msg("45:01", dup151); - -var msg86 = msg("45", dup152); - -var select44 = linear_select([ - msg85, - msg86, -]); - -var msg87 = msg("46:01", dup151); - -var msg88 = msg("46", dup152); - -var select45 = linear_select([ - msg87, - msg88, -]); - -var msg89 = msg("47:01", dup151); - -var msg90 = msg("47", dup152); - -var select46 = linear_select([ - msg89, - msg90, -]); - -var msg91 = msg("48:01", dup151); - -var msg92 = msg("48", dup152); - -var select47 = linear_select([ - msg91, - msg92, -]); - -var msg93 = msg("49:01", dup151); - -var msg94 = msg("49", dup152); - -var select48 = linear_select([ - msg93, - msg94, -]); - -var part17 
= tagval("MESSAGE#94:50:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup21, - dup2, - dup3, - dup24, - dup25, -])); - -var msg95 = msg("50:01", part17); - -var msg96 = msg("50", dup164); - -var select49 = linear_select([ - msg95, - msg96, -]); - -var msg97 = msg("51:01", dup163); - -var msg98 = msg("51", dup164); - -var select50 = linear_select([ - msg97, - msg98, -]); - -var msg99 = msg("52:01", dup163); - -var msg100 = msg("52", dup164); - -var select51 = linear_select([ - msg99, - msg100, -]); - -var msg101 = msg("53:01", dup151); - -var msg102 = msg("53", dup152); - -var select52 = linear_select([ - msg101, - msg102, -]); - -var msg103 = msg("54:01", dup151); - -var msg104 = msg("54", dup152); - -var select53 = linear_select([ - msg103, - msg104, -]); - -var msg105 = msg("55:01", dup151); - -var msg106 = msg("55", dup152); - -var select54 = linear_select([ - msg105, - msg106, -]); - -var msg107 = msg("56:01", dup151); - -var msg108 = msg("56", dup152); - -var select55 = linear_select([ - msg107, - msg108, -]); - -var msg109 = msg("57:01", dup165); - -var msg110 = msg("57", dup166); - -var select56 = linear_select([ - msg109, - msg110, -]); - -var msg111 = msg("58:01", dup163); - -var msg112 = msg("58", dup164); - -var select57 = linear_select([ - msg111, - msg112, -]); - -var msg113 = msg("59:01", dup163); - -var msg114 = msg("59", dup164); - 
-var select58 = linear_select([ - msg113, - msg114, -]); - -var msg115 = msg("60:01", dup165); - -var msg116 = msg("60", dup166); - -var select59 = linear_select([ - msg115, - msg116, -]); - -var msg117 = msg("61:01", dup167); - -var msg118 = msg("61", dup168); - -var select60 = linear_select([ - msg117, - msg118, -]); - -var msg119 = msg("62:01", dup163); - -var msg120 = msg("62", dup164); - -var select61 = linear_select([ - msg119, - msg120, -]); - -var msg121 = msg("63:01", dup151); - -var msg122 = msg("63", dup152); - -var select62 = linear_select([ - msg121, - msg122, -]); - -var msg123 = msg("64:01", dup167); - -var msg124 = msg("64", dup168); - -var select63 = linear_select([ - msg123, - msg124, -]); - -var msg125 = msg("65:01", dup151); - -var msg126 = msg("65", dup152); - -var select64 = linear_select([ - msg125, - msg126, -]); - -var msg127 = msg("66:01", dup169); - -var msg128 = msg("66", dup170); - -var select65 = linear_select([ - msg127, - msg128, -]); - -var msg129 = msg("67:01", dup169); - -var msg130 = msg("67", dup170); - -var select66 = linear_select([ - msg129, - msg130, -]); - -var msg131 = msg("68:01", dup169); - -var msg132 = msg("68", dup170); - -var select67 = linear_select([ - msg131, - msg132, -]); - -var msg133 = msg("69:01", dup169); - -var msg134 = msg("69", dup170); - -var select68 = linear_select([ - msg133, - msg134, -]); - -var msg135 = msg("70:01", dup151); - -var msg136 = msg("70", dup152); - -var select69 = linear_select([ - msg135, - msg136, -]); - -var msg137 = msg("71:01", dup169); - -var msg138 = msg("71", dup170); - -var select70 = linear_select([ - msg137, - msg138, -]); - -var msg139 = msg("72:01", dup151); - -var msg140 = msg("72", dup152); - -var select71 = linear_select([ - msg139, - msg140, -]); - -var msg141 = msg("73:01", dup169); - -var msg142 = msg("73", dup170); - -var select72 = linear_select([ - msg141, - msg142, -]); - -var msg143 = msg("74:01", dup151); - -var msg144 = msg("74", dup152); - -var select73 = 
linear_select([ - msg143, - msg144, -]); - -var msg145 = msg("75:01", dup169); - -var msg146 = msg("75", dup170); - -var select74 = linear_select([ - msg145, - msg146, -]); - -var msg147 = msg("76:01", dup151); - -var msg148 = msg("76", dup152); - -var select75 = linear_select([ - msg147, - msg148, -]); - -var msg149 = msg("77:01", dup151); - -var msg150 = msg("77", dup152); - -var select76 = linear_select([ - msg149, - msg150, -]); - -var msg151 = msg("78:01", dup151); - -var msg152 = msg("78", dup152); - -var select77 = linear_select([ - msg151, - msg152, -]); - -var msg153 = msg("79:01", dup169); - -var msg154 = msg("79", dup170); - -var select78 = linear_select([ - msg153, - msg154, -]); - -var msg155 = msg("80:01", dup169); - -var msg156 = msg("80", dup170); - -var select79 = linear_select([ - msg155, - msg156, -]); - -var msg157 = msg("81:01", dup167); - -var msg158 = msg("81", dup168); - -var select80 = linear_select([ - msg157, - msg158, -]); - -var msg159 = msg("82:01", dup151); - -var msg160 = msg("82", dup152); - -var select81 = linear_select([ - msg159, - msg160, -]); - -var msg161 = msg("83:01", dup169); - -var msg162 = msg("83", dup170); - -var select82 = linear_select([ - msg161, - msg162, -]); - -var msg163 = msg("84:01", dup169); - -var msg164 = msg("84", dup170); - -var select83 = linear_select([ - msg163, - msg164, -]); - -var msg165 = msg("85:01", dup151); - -var msg166 = msg("85", dup152); - -var select84 = linear_select([ - msg165, - msg166, -]); - -var msg167 = msg("86:01", dup159); - -var msg168 = msg("86", dup160); - -var select85 = linear_select([ - msg167, - msg168, -]); - -var msg169 = msg("87:01", dup151); - -var msg170 = msg("87", dup152); - -var select86 = linear_select([ - msg169, - msg170, -]); - -var msg171 = msg("88:01", dup169); - -var msg172 = msg("88", dup170); - -var select87 = linear_select([ - msg171, - msg172, -]); - -var msg173 = msg("89:01", dup151); - -var msg174 = msg("89", dup152); - -var select88 = linear_select([ - 
msg173, - msg174, -]); - -var msg175 = msg("90:01", dup151); - -var msg176 = msg("90", dup152); - -var select89 = linear_select([ - msg175, - msg176, -]); - -var msg177 = msg("91:01", dup151); - -var msg178 = msg("91", dup152); - -var select90 = linear_select([ - msg177, - msg178, -]); - -var msg179 = msg("92:01", dup151); - -var msg180 = msg("92", dup152); - -var select91 = linear_select([ - msg179, - msg180, -]); - -var msg181 = msg("93:01", dup151); - -var msg182 = msg("93", dup152); - -var select92 = linear_select([ - msg181, - msg182, -]); - -var msg183 = msg("94:01", dup169); - -var msg184 = msg("94", dup170); - -var select93 = linear_select([ - msg183, - msg184, -]); - -var msg185 = msg("95:01", dup169); - -var msg186 = msg("95", dup170); - -var select94 = linear_select([ - msg185, - msg186, -]); - -var msg187 = msg("96:01", dup151); - -var msg188 = msg("96", dup152); - -var select95 = linear_select([ - msg187, - msg188, -]); - -var msg189 = msg("97:01", dup151); - -var msg190 = msg("97", dup152); - -var select96 = linear_select([ - msg189, - msg190, -]); - -var msg191 = msg("98:01", dup171); - -var msg192 = msg("98", dup170); - -var select97 = linear_select([ - msg191, - msg192, -]); - -var msg193 = msg("99:01", dup171); - -var msg194 = msg("99", dup170); - -var select98 = linear_select([ - msg193, - msg194, -]); - -var msg195 = msg("100:01", dup151); - -var msg196 = msg("100", dup152); - -var select99 = linear_select([ - msg195, - msg196, -]); - -var msg197 = msg("101:01", dup151); - -var msg198 = msg("101", dup152); - -var select100 = linear_select([ - msg197, - msg198, -]); - -var msg199 = msg("102:01", dup155); - -var msg200 = msg("102", dup156); - -var select101 = linear_select([ - msg199, - msg200, -]); - -var part18 = tagval("MESSAGE#200:103:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - 
"GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup27, - dup6, - dup7, - dup8, - dup28, - dup2, - dup3, -])); - -var msg201 = msg("103:01", part18); - -var part19 = match("MESSAGE#201:103", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup27, - dup6, - dup7, - dup8, - dup28, - dup2, -])); - -var msg202 = msg("103", part19); - -var select102 = linear_select([ - msg201, - msg202, -]); - -var part20 = tagval("MESSAGE#202:104:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - 
"Version": "version", -}, processor_chain([ - dup27, - dup6, - dup29, - dup2, - dup3, -])); - -var msg203 = msg("104:01", part20); - -var part21 = match("MESSAGE#203:104", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup27, - dup6, - dup29, - dup2, -])); - -var msg204 = msg("104", part21); - -var select103 = linear_select([ - msg203, - msg204, -]); - -var msg205 = msg("105:01", dup169); - -var msg206 = msg("105", dup170); - -var select104 = linear_select([ - msg205, - msg206, -]); - -var msg207 = msg("106:01", dup169); - -var msg208 = msg("106", dup170); - -var select105 = linear_select([ - msg207, - msg208, -]); - -var msg209 = msg("107:01", dup169); - -var msg210 = msg("107", dup170); - -var select106 = linear_select([ - msg209, - msg210, -]); - -var msg211 = msg("108:01", dup169); - -var msg212 = msg("108", dup170); - -var select107 = linear_select([ - msg211, - msg212, -]); - -var msg213 = msg("109:01", dup169); - -var msg214 = msg("109", dup170); - -var select108 = linear_select([ - msg213, - msg214, -]); - -var msg215 = msg("110:01", dup151); - -var msg216 = msg("110", dup152); - -var select109 = linear_select([ - msg215, - msg216, -]); - -var msg217 = msg("111:01", dup169); - -var msg218 = msg("111", dup170); - -var select110 = linear_select([ - msg217, - msg218, -]); - -var msg219 = msg("112:01", dup169); - -var msg220 = msg("112", dup170); - -var select111 = linear_select([ - msg219, - msg220, -]); - -var msg221 = msg("114:01", dup169); 
- -var msg222 = msg("114", dup170); - -var select112 = linear_select([ - msg221, - msg222, -]); - -var msg223 = msg("115:01", dup169); - -var msg224 = msg("115", dup170); - -var select113 = linear_select([ - msg223, - msg224, -]); - -var msg225 = msg("116:01", dup151); - -var msg226 = msg("116", dup152); - -var select114 = linear_select([ - msg225, - msg226, -]); - -var msg227 = msg("117:01", dup151); - -var msg228 = msg("117", dup152); - -var select115 = linear_select([ - msg227, - msg228, -]); - -var msg229 = msg("118:01", dup169); - -var msg230 = msg("118", dup170); - -var select116 = linear_select([ - msg229, - msg230, -]); - -var msg231 = msg("119:01", dup169); - -var msg232 = msg("119", dup170); - -var select117 = linear_select([ - msg231, - msg232, -]); - -var msg233 = msg("120:01", dup169); - -var msg234 = msg("120", dup170); - -var select118 = linear_select([ - msg233, - msg234, -]); - -var msg235 = msg("121:01", dup169); - -var msg236 = msg("121", dup170); - -var select119 = linear_select([ - msg235, - msg236, -]); - -var msg237 = msg("122:01", dup169); - -var msg238 = msg("122", dup170); - -var select120 = linear_select([ - msg237, - msg238, -]); - -var msg239 = msg("123:01", dup169); - -var msg240 = msg("123", dup170); - -var select121 = linear_select([ - msg239, - msg240, -]); - -var msg241 = msg("124:01", dup169); - -var msg242 = msg("124", dup170); - -var select122 = linear_select([ - msg241, - msg242, -]); - -var msg243 = msg("125:01", dup169); - -var msg244 = msg("125", dup170); - -var select123 = linear_select([ - msg243, - msg244, -]); - -var msg245 = msg("126:01", dup169); - -var msg246 = msg("126", dup170); - -var select124 = linear_select([ - msg245, - msg246, -]); - -var msg247 = msg("127:01", dup169); - -var msg248 = msg("127", dup170); - -var select125 = linear_select([ - msg247, - msg248, -]); - -var msg249 = msg("128:01", dup169); - -var msg250 = msg("128", dup170); - -var select126 = linear_select([ - msg249, - msg250, -]); - -var msg251 
= msg("129:01", dup169); - -var msg252 = msg("129", dup170); - -var select127 = linear_select([ - msg251, - msg252, -]); - -var msg253 = msg("130:01", dup169); - -var msg254 = msg("130", dup170); - -var select128 = linear_select([ - msg253, - msg254, -]); - -var msg255 = msg("131:01", dup151); - -var msg256 = msg("131", dup152); - -var select129 = linear_select([ - msg255, - msg256, -]); - -var msg257 = msg("132:01", dup151); - -var msg258 = msg("132", dup152); - -var select130 = linear_select([ - msg257, - msg258, -]); - -var msg259 = msg("133:01", dup151); - -var msg260 = msg("133", dup152); - -var select131 = linear_select([ - msg259, - msg260, -]); - -var part22 = tagval("MESSAGE#260:134:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup30, - dup2, - dup3, -])); - -var msg261 = msg("134:01", part22); - -var part23 = match("MESSAGE#261:134", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup30, - dup2, -])); - -var msg262 = msg("134", part23); - -var select132 = linear_select([ - msg261, - msg262, -]); - -var msg263 = msg("135:01", dup151); - -var msg264 = msg("135", dup152); - -var select133 = linear_select([ - msg263, - msg264, -]); - -var msg265 = msg("136:01", dup169); - -var msg266 = msg("136", dup170); - -var select134 = linear_select([ - msg265, - msg266, -]); - -var msg267 = msg("137:01", dup169); - -var msg268 = msg("137", dup170); - -var select135 = linear_select([ - msg267, - msg268, -]); - -var msg269 = msg("138:01", dup169); - -var msg270 = msg("138", dup170); - -var select136 = linear_select([ - msg269, - msg270, -]); - -var msg271 = msg("139:01", dup169); - -var msg272 = msg("139", dup170); - -var select137 = linear_select([ - msg271, - msg272, -]); - -var msg273 = msg("140:01", dup169); - -var msg274 = msg("140", dup170); - -var select138 = linear_select([ - msg273, - msg274, -]); - -var msg275 = msg("141:01", dup169); - -var msg276 = msg("141", dup170); - -var select139 = linear_select([ - msg275, - msg276, -]); - -var msg277 = msg("142:01", dup169); - -var msg278 = msg("142", dup170); - -var select140 = linear_select([ - msg277, - msg278, -]); - -var msg279 = msg("143:01", dup169); - -var msg280 = msg("143", dup170); - -var select141 = linear_select([ - msg279, - msg280, -]); - -var msg281 = msg("144:01", dup169); - -var msg282 = msg("144", dup170); - -var select142 = linear_select([ - msg281, - 
msg282, -]); - -var msg283 = msg("145:01", dup169); - -var msg284 = msg("145", dup170); - -var select143 = linear_select([ - msg283, - msg284, -]); - -var msg285 = msg("146:01", dup151); - -var msg286 = msg("146", dup152); - -var select144 = linear_select([ - msg285, - msg286, -]); - -var msg287 = msg("147:01", dup151); - -var msg288 = msg("147", dup152); - -var select145 = linear_select([ - msg287, - msg288, -]); - -var msg289 = msg("148:01", dup151); - -var msg290 = msg("148", dup152); - -var select146 = linear_select([ - msg289, - msg290, -]); - -var msg291 = msg("149:01", dup151); - -var msg292 = msg("149", dup152); - -var select147 = linear_select([ - msg291, - msg292, -]); - -var msg293 = msg("150:01", dup151); - -var msg294 = msg("150", dup152); - -var select148 = linear_select([ - msg293, - msg294, -]); - -var msg295 = msg("152:01", dup151); - -var msg296 = msg("152", dup152); - -var select149 = linear_select([ - msg295, - msg296, -]); - -var msg297 = msg("153:01", dup151); - -var msg298 = msg("153", dup152); - -var select150 = linear_select([ - msg297, - msg298, -]); - -var msg299 = msg("154:01", dup151); - -var msg300 = msg("154", dup152); - -var select151 = linear_select([ - msg299, - msg300, -]); - -var msg301 = msg("155:01", dup151); - -var msg302 = msg("155", dup152); - -var select152 = linear_select([ - msg301, - msg302, -]); - -var msg303 = msg("156:01", dup151); - -var msg304 = msg("156", dup152); - -var select153 = linear_select([ - msg303, - msg304, -]); - -var msg305 = msg("157:01", dup151); - -var msg306 = msg("157", dup152); - -var select154 = linear_select([ - msg305, - msg306, -]); - -var msg307 = msg("158:01", dup151); - -var msg308 = msg("158", dup152); - -var select155 = linear_select([ - msg307, - msg308, -]); - -var msg309 = msg("159:01", dup151); - -var msg310 = msg("159", dup152); - -var select156 = linear_select([ - msg309, - msg310, -]); - -var msg311 = msg("160:01", dup151); - -var msg312 = msg("160", dup152); - -var select157 = 
linear_select([ - msg311, - msg312, -]); - -var msg313 = msg("161:01", dup151); - -var msg314 = msg("161", dup152); - -var select158 = linear_select([ - msg313, - msg314, -]); - -var msg315 = msg("162:01", dup151); - -var msg316 = msg("162", dup152); - -var select159 = linear_select([ - msg315, - msg316, -]); - -var msg317 = msg("163:01", dup151); - -var msg318 = msg("163", dup152); - -var select160 = linear_select([ - msg317, - msg318, -]); - -var msg319 = msg("164:01", dup151); - -var msg320 = msg("164", dup152); - -var select161 = linear_select([ - msg319, - msg320, -]); - -var msg321 = msg("165:01", dup151); - -var msg322 = msg("165", dup152); - -var select162 = linear_select([ - msg321, - msg322, -]); - -var msg323 = msg("166:01", dup151); - -var msg324 = msg("166", dup152); - -var select163 = linear_select([ - msg323, - msg324, -]); - -var msg325 = msg("167:01", dup151); - -var msg326 = msg("167", dup152); - -var select164 = linear_select([ - msg325, - msg326, -]); - -var msg327 = msg("168:01", dup151); - -var msg328 = msg("168", dup152); - -var select165 = linear_select([ - msg327, - msg328, -]); - -var msg329 = msg("169:01", dup151); - -var msg330 = msg("169", dup152); - -var select166 = linear_select([ - msg329, - msg330, -]); - -var msg331 = msg("170:01", dup169); - -var msg332 = msg("170", dup170); - -var select167 = linear_select([ - msg331, - msg332, -]); - -var msg333 = msg("171:01", dup151); - -var msg334 = msg("171", dup152); - -var select168 = linear_select([ - msg333, - msg334, -]); - -var msg335 = msg("172:01", dup169); - -var msg336 = msg("172", dup170); - -var select169 = linear_select([ - msg335, - msg336, -]); - -var msg337 = msg("173:01", dup151); - -var msg338 = msg("173", dup152); - -var select170 = linear_select([ - msg337, - msg338, -]); - -var msg339 = msg("174:01", dup151); - -var msg340 = msg("174", dup152); - -var select171 = linear_select([ - msg339, - msg340, -]); - -var msg341 = msg("175:01", dup151); - -var msg342 = msg("175", 
dup152); - -var select172 = linear_select([ - msg341, - msg342, -]); - -var msg343 = msg("176:01", dup151); - -var msg344 = msg("176", dup152); - -var select173 = linear_select([ - msg343, - msg344, -]); - -var msg345 = msg("177:01", dup151); - -var msg346 = msg("177", dup152); - -var select174 = linear_select([ - msg345, - msg346, -]); - -var msg347 = msg("178:01", dup151); - -var msg348 = msg("178", dup152); - -var select175 = linear_select([ - msg347, - msg348, -]); - -var msg349 = msg("179:01", dup169); - -var msg350 = msg("179", dup170); - -var select176 = linear_select([ - msg349, - msg350, -]); - -var msg351 = msg("180:01", dup169); - -var msg352 = msg("180", dup170); - -var select177 = linear_select([ - msg351, - msg352, -]); - -var msg353 = msg("181:01", dup169); - -var msg354 = msg("181", dup170); - -var select178 = linear_select([ - msg353, - msg354, -]); - -var msg355 = msg("182:01", dup169); - -var msg356 = msg("182", dup170); - -var select179 = linear_select([ - msg355, - msg356, -]); - -var msg357 = msg("183:01", dup169); - -var msg358 = msg("183", dup170); - -var select180 = linear_select([ - msg357, - msg358, -]); - -var msg359 = msg("184:01", dup169); - -var msg360 = msg("184", dup170); - -var select181 = linear_select([ - msg359, - msg360, -]); - -var msg361 = msg("185:01", dup169); - -var msg362 = msg("185", dup170); - -var select182 = linear_select([ - msg361, - msg362, -]); - -var msg363 = msg("186:01", dup151); - -var msg364 = msg("186", dup152); - -var select183 = linear_select([ - msg363, - msg364, -]); - -var msg365 = msg("187:01", dup169); - -var msg366 = msg("187", dup170); - -var select184 = linear_select([ - msg365, - msg366, -]); - -var msg367 = msg("188:01", dup169); - -var msg368 = msg("188", dup170); - -var select185 = linear_select([ - msg367, - msg368, -]); - -var msg369 = msg("189:01", dup169); - -var msg370 = msg("189", dup170); - -var select186 = linear_select([ - msg369, - msg370, -]); - -var msg371 = msg("191:01", dup151); - 
-var msg372 = msg("191", dup152); - -var select187 = linear_select([ - msg371, - msg372, -]); - -var msg373 = msg("192:01", dup169); - -var msg374 = msg("192", dup170); - -var select188 = linear_select([ - msg373, - msg374, -]); - -var msg375 = msg("193:01", dup151); - -var msg376 = msg("193", dup152); - -var select189 = linear_select([ - msg375, - msg376, -]); - -var msg377 = msg("194:01", dup169); - -var msg378 = msg("194", dup170); - -var select190 = linear_select([ - msg377, - msg378, -]); - -var msg379 = msg("195:01", dup169); - -var msg380 = msg("195", dup170); - -var select191 = linear_select([ - msg379, - msg380, -]); - -var msg381 = msg("196:01", dup151); - -var msg382 = msg("196", dup152); - -var select192 = linear_select([ - msg381, - msg382, -]); - -var msg383 = msg("197:01", dup151); - -var msg384 = msg("197", dup152); - -var select193 = linear_select([ - msg383, - msg384, -]); - -var msg385 = msg("198:01", dup169); - -var msg386 = msg("198", dup170); - -var select194 = linear_select([ - msg385, - msg386, -]); - -var msg387 = msg("199:01", dup169); - -var msg388 = msg("199", dup170); - -var select195 = linear_select([ - msg387, - msg388, -]); - -var msg389 = msg("200:01", dup169); - -var msg390 = msg("200", dup170); - -var select196 = linear_select([ - msg389, - msg390, -]); - -var msg391 = msg("201:01", dup169); - -var msg392 = msg("201", dup170); - -var select197 = linear_select([ - msg391, - msg392, -]); - -var msg393 = msg("202:01", dup169); - -var msg394 = msg("202", dup170); - -var select198 = linear_select([ - msg393, - msg394, -]); - -var msg395 = msg("203:01", dup169); - -var msg396 = msg("203", dup170); - -var select199 = linear_select([ - msg395, - msg396, -]); - -var msg397 = msg("204:01", dup151); - -var msg398 = msg("204", dup152); - -var select200 = linear_select([ - msg397, - msg398, -]); - -var msg399 = msg("205:01", dup151); - -var msg400 = msg("205", dup152); - -var select201 = linear_select([ - msg399, - msg400, -]); - -var msg401 = 
msg("206:01", dup151); - -var msg402 = msg("206", dup152); - -var select202 = linear_select([ - msg401, - msg402, -]); - -var msg403 = msg("207:01", dup151); - -var msg404 = msg("207", dup152); - -var select203 = linear_select([ - msg403, - msg404, -]); - -var msg405 = msg("208:01", dup151); - -var msg406 = msg("208", dup152); - -var select204 = linear_select([ - msg405, - msg406, -]); - -var msg407 = msg("209:01", dup169); - -var msg408 = msg("209", dup170); - -var select205 = linear_select([ - msg407, - msg408, -]); - -var msg409 = msg("211:01", dup169); - -var msg410 = msg("211", dup170); - -var select206 = linear_select([ - msg409, - msg410, -]); - -var msg411 = msg("212:01", dup169); - -var msg412 = msg("212", dup170); - -var select207 = linear_select([ - msg411, - msg412, -]); - -var msg413 = msg("213:01", dup169); - -var msg414 = msg("213", dup170); - -var select208 = linear_select([ - msg413, - msg414, -]); - -var msg415 = msg("214:01", dup151); - -var msg416 = msg("214", dup152); - -var select209 = linear_select([ - msg415, - msg416, -]); - -var msg417 = msg("215:01", dup151); - -var msg418 = msg("215", dup152); - -var select210 = linear_select([ - msg417, - msg418, -]); - -var msg419 = msg("216:01", dup151); - -var msg420 = msg("216", dup152); - -var select211 = linear_select([ - msg419, - msg420, -]); - -var msg421 = msg("217:01", dup169); - -var msg422 = msg("217", dup170); - -var select212 = linear_select([ - msg421, - msg422, -]); - -var msg423 = msg("218:01", dup169); - -var msg424 = msg("218", dup170); - -var select213 = linear_select([ - msg423, - msg424, -]); - -var msg425 = msg("219:01", dup169); - -var msg426 = msg("219", dup170); - -var select214 = linear_select([ - msg425, - msg426, -]); - -var msg427 = msg("220:01", dup169); - -var msg428 = msg("220", dup170); - -var select215 = linear_select([ - msg427, - msg428, -]); - -var msg429 = msg("221:01", dup169); - -var msg430 = msg("221", dup170); - -var select216 = linear_select([ - msg429, - 
msg430, -]); - -var msg431 = msg("222:01", dup151); - -var msg432 = msg("222", dup152); - -var select217 = linear_select([ - msg431, - msg432, -]); - -var msg433 = msg("223:01", dup169); - -var msg434 = msg("223", dup170); - -var select218 = linear_select([ - msg433, - msg434, -]); - -var msg435 = msg("224:01", dup169); - -var msg436 = msg("224", dup170); - -var select219 = linear_select([ - msg435, - msg436, -]); - -var msg437 = msg("229:01", dup169); - -var msg438 = msg("229", dup170); - -var select220 = linear_select([ - msg437, - msg438, -]); - -var msg439 = msg("230:01", dup151); - -var msg440 = msg("230", dup152); - -var select221 = linear_select([ - msg439, - msg440, -]); - -var msg441 = msg("231:01", dup151); - -var msg442 = msg("231", dup152); - -var select222 = linear_select([ - msg441, - msg442, -]); - -var msg443 = msg("232:01", dup151); - -var msg444 = msg("232", dup152); - -var select223 = linear_select([ - msg443, - msg444, -]); - -var msg445 = msg("233:01", dup151); - -var msg446 = msg("233", dup152); - -var select224 = linear_select([ - msg445, - msg446, -]); - -var msg447 = msg("236:01", dup153); - -var msg448 = msg("236", dup154); - -var select225 = linear_select([ - msg447, - msg448, -]); - -var msg449 = msg("237:01", dup169); - -var msg450 = msg("237", dup170); - -var select226 = linear_select([ - msg449, - msg450, -]); - -var msg451 = msg("238:01", dup151); - -var msg452 = msg("238", dup152); - -var select227 = linear_select([ - msg451, - msg452, -]); - -var msg453 = msg("239:01", dup169); - -var msg454 = msg("239", dup170); - -var select228 = linear_select([ - msg453, - msg454, -]); - -var msg455 = msg("240:01", dup169); - -var msg456 = msg("240", dup170); - -var select229 = linear_select([ - msg455, - msg456, -]); - -var msg457 = msg("241:01", dup169); - -var msg458 = msg("241", dup170); - -var select230 = linear_select([ - msg457, - msg458, -]); - -var msg459 = msg("243:01", dup151); - -var msg460 = msg("243", dup152); - -var select231 = 
linear_select([ - msg459, - msg460, -]); - -var msg461 = msg("244:01", dup151); - -var msg462 = msg("244", dup152); - -var select232 = linear_select([ - msg461, - msg462, -]); - -var msg463 = msg("246:01", dup169); - -var msg464 = msg("246", dup170); - -var select233 = linear_select([ - msg463, - msg464, -]); - -var msg465 = msg("247:01", dup169); - -var msg466 = msg("247", dup170); - -var select234 = linear_select([ - msg465, - msg466, -]); - -var msg467 = msg("248:01", dup151); - -var msg468 = msg("248", dup152); - -var select235 = linear_select([ - msg467, - msg468, -]); - -var msg469 = msg("249:01", dup151); - -var msg470 = msg("249", dup152); - -var select236 = linear_select([ - msg469, - msg470, -]); - -var msg471 = msg("250:01", dup151); - -var msg472 = msg("250", dup152); - -var select237 = linear_select([ - msg471, - msg472, -]); - -var msg473 = msg("251:01", dup169); - -var msg474 = msg("251", dup170); - -var select238 = linear_select([ - msg473, - msg474, -]); - -var msg475 = msg("252:01", dup169); - -var msg476 = msg("252", dup170); - -var select239 = linear_select([ - msg475, - msg476, -]); - -var msg477 = msg("253:01", dup151); - -var msg478 = msg("253", dup152); - -var select240 = linear_select([ - msg477, - msg478, -]); - -var msg479 = msg("254:01", dup169); - -var msg480 = msg("254", dup170); - -var select241 = linear_select([ - msg479, - msg480, -]); - -var msg481 = msg("255:01", dup151); - -var msg482 = msg("255", dup152); - -var select242 = linear_select([ - msg481, - msg482, -]); - -var msg483 = msg("256:01", dup169); - -var msg484 = msg("256", dup170); - -var select243 = linear_select([ - msg483, - msg484, -]); - -var msg485 = msg("257:01", dup169); - -var msg486 = msg("257", dup170); - -var select244 = linear_select([ - msg485, - msg486, -]); - -var msg487 = msg("259:01", dup169); - -var msg488 = msg("259", dup170); - -var select245 = linear_select([ - msg487, - msg488, -]); - -var msg489 = msg("260:01", dup151); - -var msg490 = msg("260", 
dup152); - -var select246 = linear_select([ - msg489, - msg490, -]); - -var msg491 = msg("261:01", dup151); - -var msg492 = msg("261", dup152); - -var select247 = linear_select([ - msg491, - msg492, -]); - -var msg493 = msg("262:01", dup151); - -var msg494 = msg("262", dup152); - -var select248 = linear_select([ - msg493, - msg494, -]); - -var msg495 = msg("263:01", dup151); - -var msg496 = msg("263", dup152); - -var select249 = linear_select([ - msg495, - msg496, -]); - -var msg497 = msg("264:01", dup169); - -var msg498 = msg("264", dup170); - -var select250 = linear_select([ - msg497, - msg498, -]); - -var msg499 = msg("265:01", dup169); - -var msg500 = msg("265", dup170); - -var select251 = linear_select([ - msg499, - msg500, -]); - -var msg501 = msg("266:01", dup169); - -var msg502 = msg("266", dup170); - -var select252 = linear_select([ - msg501, - msg502, -]); - -var msg503 = msg("267:01", dup169); - -var msg504 = msg("267", dup170); - -var select253 = linear_select([ - msg503, - msg504, -]); - -var msg505 = msg("268:01", dup169); - -var msg506 = msg("268", dup170); - -var select254 = linear_select([ - msg505, - msg506, -]); - -var msg507 = msg("269:01", dup151); - -var msg508 = msg("269", dup152); - -var select255 = linear_select([ - msg507, - msg508, -]); - -var msg509 = msg("270:01", dup169); - -var msg510 = msg("270", dup170); - -var select256 = linear_select([ - msg509, - msg510, -]); - -var msg511 = msg("271:01", dup151); - -var msg512 = msg("271", dup152); - -var select257 = linear_select([ - msg511, - msg512, -]); - -var msg513 = msg("272:01", dup169); - -var msg514 = msg("272", dup170); - -var select258 = linear_select([ - msg513, - msg514, -]); - -var msg515 = msg("273:01", dup169); - -var msg516 = msg("273", dup170); - -var select259 = linear_select([ - msg515, - msg516, -]); - -var msg517 = msg("274:01", dup169); - -var msg518 = msg("274", dup170); - -var select260 = linear_select([ - msg517, - msg518, -]); - -var msg519 = msg("275:01", dup169); - 
-var msg520 = msg("275", dup170); - -var select261 = linear_select([ - msg519, - msg520, -]); - -var msg521 = msg("276:01", dup169); - -var msg522 = msg("276", dup170); - -var select262 = linear_select([ - msg521, - msg522, -]); - -var msg523 = msg("277:01", dup169); - -var msg524 = msg("277", dup170); - -var select263 = linear_select([ - msg523, - msg524, -]); - -var msg525 = msg("278:01", dup169); - -var msg526 = msg("278", dup170); - -var select264 = linear_select([ - msg525, - msg526, -]); - -var msg527 = msg("279:01", dup169); - -var msg528 = msg("279", dup170); - -var select265 = linear_select([ - msg527, - msg528, -]); - -var msg529 = msg("280:01", dup151); - -var msg530 = msg("280", dup152); - -var select266 = linear_select([ - msg529, - msg530, -]); - -var msg531 = msg("281:01", dup151); - -var msg532 = msg("281", dup152); - -var select267 = linear_select([ - msg531, - msg532, -]); - -var msg533 = msg("282:01", dup169); - -var msg534 = msg("282", dup170); - -var select268 = linear_select([ - msg533, - msg534, -]); - -var msg535 = msg("283:01", dup169); - -var msg536 = msg("283", dup170); - -var select269 = linear_select([ - msg535, - msg536, -]); - -var msg537 = msg("284:01", dup151); - -var msg538 = msg("284", dup152); - -var select270 = linear_select([ - msg537, - msg538, -]); - -var msg539 = msg("285:01", dup159); - -var msg540 = msg("285", dup160); - -var select271 = linear_select([ - msg539, - msg540, -]); - -var msg541 = msg("286:01", dup169); - -var msg542 = msg("286", dup170); - -var select272 = linear_select([ - msg541, - msg542, -]); - -var msg543 = msg("287:01", dup169); - -var msg544 = msg("287", dup170); - -var select273 = linear_select([ - msg543, - msg544, -]); - -var msg545 = msg("288:01", dup169); - -var msg546 = msg("288", dup170); - -var select274 = linear_select([ - msg545, - msg546, -]); - -var msg547 = msg("289:01", dup169); - -var msg548 = msg("289", dup170); - -var select275 = linear_select([ - msg547, - msg548, -]); - -var msg549 = 
msg("290:01", dup169); - -var msg550 = msg("290", dup170); - -var select276 = linear_select([ - msg549, - msg550, -]); - -var msg551 = msg("291:01", dup169); - -var msg552 = msg("291", dup170); - -var select277 = linear_select([ - msg551, - msg552, -]); - -var msg553 = msg("292:01", dup169); - -var msg554 = msg("292", dup170); - -var select278 = linear_select([ - msg553, - msg554, -]); - -var msg555 = msg("293:01", dup169); - -var msg556 = msg("293", dup170); - -var select279 = linear_select([ - msg555, - msg556, -]); - -var msg557 = msg("294:01", dup169); - -var msg558 = msg("294", dup170); - -var select280 = linear_select([ - msg557, - msg558, -]); - -var msg559 = msg("295:01", dup169); - -var msg560 = msg("295", dup170); - -var select281 = linear_select([ - msg559, - msg560, -]); - -var msg561 = msg("296:01", dup169); - -var msg562 = msg("296", dup170); - -var select282 = linear_select([ - msg561, - msg562, -]); - -var msg563 = msg("297:01", dup151); - -var msg564 = msg("297", dup152); - -var select283 = linear_select([ - msg563, - msg564, -]); - -var msg565 = msg("298:01", dup151); - -var msg566 = msg("298", dup152); - -var select284 = linear_select([ - msg565, - msg566, -]); - -var msg567 = msg("299:01", dup169); - -var msg568 = msg("299", dup170); - -var select285 = linear_select([ - msg567, - msg568, -]); - -var part24 = match("MESSAGE#568:300:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); - -var all1 = all_match({ - processors: [ - dup31, - dup172, - dup173, - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - dup183, - dup184, - dup185, - dup186, - dup187, - dup188, - dup189, - dup190, - dup191, - dup192, - dup193, - dup194, - part24, - ], - on_success: processor_chain([ - dup4, - dup2, - dup3, - dup24, - ]), -}); - -var msg569 = msg("300:02", all1); - -var part25 = tagval("MESSAGE#569:300:01", 
"nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup4, - dup2, - dup3, - dup24, -])); - -var msg570 = msg("300:01", part25); - -var msg571 = msg("300", dup154); - -var select286 = linear_select([ - msg569, - msg570, - msg571, -]); - -var msg572 = msg("301:01", dup163); - -var msg573 = msg("301", dup164); - -var select287 = linear_select([ - msg572, - msg573, -]); - -var part26 = match("MESSAGE#573:302:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld12};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); - -var all2 = all_match({ - processors: [ - dup31, - dup172, - dup173, - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - dup183, - dup184, - dup185, - dup186, - dup187, - dup188, - dup189, - dup190, - dup191, - dup192, - dup193, - dup194, - part26, - ], - on_success: processor_chain([ - dup21, - dup2, - dup3, - dup24, - ]), -}); - -var msg574 = msg("302:02", all2); - -var msg575 = msg("302:01", dup163); - -var msg576 = msg("302", dup164); - -var select288 = linear_select([ - msg574, - msg575, - msg576, -]); - -var msg577 = msg("303:01", dup163); - -var msg578 = msg("303", dup164); - -var select289 = linear_select([ - msg577, - msg578, -]); - -var part27 = match("MESSAGE#578:304:02/23_0", "nwparser.p0", 
"\"%{obj_type}\";ExtraDetails=\"DstHost=%{p0}"); - -var part28 = match("MESSAGE#578:304:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"DstHost=%{p0}"); - -var select290 = linear_select([ - part27, - part28, -]); - -var part29 = match("MESSAGE#578:304:02/24", "nwparser.p0", "%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); - -var all3 = all_match({ - processors: [ - dup31, - dup172, - dup173, - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - dup183, - dup184, - dup185, - dup186, - dup187, - dup188, - dup189, - dup190, - dup191, - dup192, - dup193, - select290, - part29, - ], - on_success: processor_chain([ - dup26, - dup2, - dup3, - dup24, - ]), -}); - -var msg579 = msg("304:02", all3); - -var msg580 = msg("304:01", dup169); - -var msg581 = msg("304", dup170); - -var select291 = linear_select([ - msg579, - msg580, - msg581, -]); - -var msg582 = msg("305:01", dup169); - -var msg583 = msg("305", dup170); - -var select292 = linear_select([ - msg582, - msg583, -]); - -var msg584 = msg("306:01", dup151); - -var msg585 = msg("306", dup152); - -var select293 = linear_select([ - msg584, - msg585, -]); - -var msg586 = msg("307:01", dup151); - -var msg587 = msg("307", dup152); - -var select294 = linear_select([ - msg586, - msg587, -]); - -var part30 = tagval("MESSAGE#587:308:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - 
"TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup78, - dup2, - dup3, -])); - -var msg588 = msg("308:01", part30); - -var part31 = match("MESSAGE#588:308", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup78, - dup2, -])); - -var msg589 = msg("308", part31); - -var select295 = linear_select([ - msg588, - msg589, -]); - -var part32 = tagval("MESSAGE#589:309:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup10, - dup6, - dup7, - dup8, - dup9, - dup2, - dup3, -])); - -var msg590 = msg("309:01", part32); - -var part33 = match("MESSAGE#590:309", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup10, - dup6, - dup7, - dup8, - dup9, - dup2, -])); - -var msg591 = msg("309", part33); - -var select296 = linear_select([ - msg590, - msg591, -]); - -var msg592 = msg("317:01", dup195); - -var msg593 = msg("317", dup196); - -var select297 = linear_select([ - msg592, - msg593, -]); - -var msg594 = msg("316:01", dup195); - -var msg595 = msg("316", dup196); - -var select298 = linear_select([ - msg594, - msg595, -]); - -var msg596 = msg("355:01", dup197); - -var msg597 = msg("355", dup198); - -var select299 = linear_select([ - msg596, - msg597, -]); - -var msg598 = msg("356:01", dup197); - -var msg599 = msg("356", dup198); - -var select300 = linear_select([ - msg598, - msg599, -]); - -var msg600 = msg("357:01", dup199); - -var msg601 = msg("357", dup200); - -var select301 = linear_select([ - msg600, - msg601, -]); - -var msg602 = msg("358:01", dup199); - -var msg603 = msg("358", dup200); - -var select302 = linear_select([ - msg602, - msg603, -]); - -var part34 = tagval("MESSAGE#603:190:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": 
"group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup84, - dup2, - dup3, -])); - -var msg604 = msg("190:01", part34); - -var part35 = match("MESSAGE#604:190", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup84, - dup2, -])); - -var msg605 = msg("190", part35); - -var select303 = linear_select([ - msg604, - msg605, -]); - -var msg606 = msg("5:01", dup161); - -var msg607 = msg("5", dup162); - -var select304 = linear_select([ - msg606, - msg607, -]); - -var msg608 = msg("310:01", dup153); - -var msg609 = msg("310", dup154); - -var select305 = linear_select([ - msg608, - msg609, -]); - -var msg610 = msg("311:01", dup153); - -var msg611 = msg("311", dup154); - -var select306 = linear_select([ - msg610, - msg611, -]); - -var msg612 = msg("312:01", dup153); - -var msg613 = msg("312", dup154); - -var select307 = linear_select([ - msg612, - msg613, -]); - -var msg614 = msg("313:01", dup153); - -var msg615 = msg("313", dup154); - -var select308 = linear_select([ - msg614, - msg615, -]); - -var msg616 = msg("359:01", dup153); - -var msg617 = msg("359", dup154); - -var select309 = linear_select([ - msg616, - msg617, -]); - -var msg618 = msg("372", dup201); - -var msg619 = msg("374", dup201); - -var msg620 = msg("376", dup201); - -var part36 = match("MESSAGE#620:411:01/17_0", "nwparser.p0", 
"\"%{fld89}\";LogonDomain=%{p0}"); - -var part37 = match("MESSAGE#620:411:01/17_1", "nwparser.p0", "%{fld89};LogonDomain=%{p0}"); - -var select310 = linear_select([ - part36, - part37, -]); - -var part38 = match("MESSAGE#620:411:01/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"Command=%{p0}"); - -var part39 = match("MESSAGE#620:411:01/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"Command=%{p0}"); - -var select311 = linear_select([ - part38, - part39, -]); - -var part40 = match("MESSAGE#620:411:01/24", "nwparser.p0", "%{param};ConnectionComponentId=%{fld67};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld11};RDPOffset=%{fld12};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};VIDOffset=%{fld13};"); - -var all4 = all_match({ - processors: [ - dup31, - dup172, - dup173, - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - dup183, - dup184, - dup185, - dup186, - dup187, - select310, - dup189, - dup190, - dup191, - dup192, - dup193, - select311, - part40, - ], - on_success: processor_chain([ - dup4, - dup2, - dup3, - dup24, - ]), -}); - -var msg621 = msg("411:01", all4); - -var part41 = match("MESSAGE#621:411/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};ProcessId=%{process_id};ProcessName=%{process};Protocol=%{protocol};PSMID=%{fld3};RDPOffset=%{fld4};SessionID=%{sessionid};SrcHost=%{shost};User=%{fld5};VIDOffset=%{fld6};\""); - -var select312 = linear_select([ - part41, - dup150, -]); - -var all5 = all_match({ - processors: [ - dup31, - dup202, - dup87, - dup203, - dup90, - dup204, - dup93, - dup205, - dup96, - dup206, - dup99, - dup207, - dup102, - dup208, - dup105, - dup209, - dup108, - dup210, - dup111, - dup211, - dup114, - dup212, - dup119, - dup213, - dup122, - dup214, - dup125, - dup215, - dup128, - dup216, - dup131, - dup217, - dup134, - dup218, - dup137, - dup219, - dup140, - dup220, - dup143, - dup221, - dup146, - dup222, - dup149, - select312, - ], - 
on_success: processor_chain([ - dup4, - dup2, - dup3, - ]), -}); - -var msg622 = msg("411", all5); - -var select313 = linear_select([ - msg621, - msg622, -]); - -var part42 = match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=\"%{directory}\";Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info}", processor_chain([ - dup4, - dup2, - dup3, -])); - -var msg623 = msg("385", part42); - -var part43 = match("MESSAGE#623:361/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};SSHOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); - -var select314 = linear_select([ - part43, - dup150, -]); - -var all6 = all_match({ - processors: [ - dup31, - dup202, - dup87, - dup203, - dup90, - dup204, - dup93, - dup205, - dup96, - dup206, - dup99, - dup207, - dup102, - dup208, - dup105, - dup209, - dup108, - dup210, - dup111, - dup211, - dup114, - dup212, - dup119, - dup213, - dup122, - dup214, - dup125, - dup215, - dup128, - dup216, - dup131, - dup217, - dup134, - dup218, - dup137, - dup219, - dup140, - dup220, - dup143, - dup221, - dup146, - dup222, - dup149, - select314, - ], - on_success: processor_chain([ - dup4, - dup2, - dup3, - ]), -}); - -var msg624 = msg("361", all6); - -var part44 = match("MESSAGE#624:412/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};TXTOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); - -var select315 = linear_select([ - part44, - dup150, -]); - -var 
all7 = all_match({ - processors: [ - dup31, - dup202, - dup87, - dup203, - dup90, - dup204, - dup93, - dup205, - dup96, - dup206, - dup99, - dup207, - dup102, - dup208, - dup105, - dup209, - dup108, - dup210, - dup111, - dup211, - dup114, - dup212, - dup119, - dup213, - dup122, - dup214, - dup125, - dup215, - dup128, - dup216, - dup131, - dup217, - dup134, - dup218, - dup137, - dup219, - dup140, - dup220, - dup143, - dup221, - dup146, - dup222, - dup149, - select315, - ], - on_success: processor_chain([ - dup4, - dup2, - dup3, - ]), -}); - -var msg625 = msg("412", all7); - -var msg626 = msg("378", dup153); - -var msg627 = msg("321", dup153); - -var msg628 = msg("322", dup153); - -var msg629 = msg("323", dup153); - -var msg630 = msg("318", dup153); - -var msg631 = msg("380", dup153); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "1": select2, - "10": select9, - "100": select99, - "101": select100, - "102": select101, - "103": select102, - "104": select103, - "105": select104, - "106": select105, - "107": select106, - "108": select107, - "109": select108, - "11": select10, - "110": select109, - "111": select110, - "112": select111, - "114": select112, - "115": select113, - "116": select114, - "117": select115, - "118": select116, - "119": select117, - "12": select11, - "120": select118, - "121": select119, - "122": select120, - "123": select121, - "124": select122, - "125": select123, - "126": select124, - "127": select125, - "128": select126, - "129": select127, - "13": select12, - "130": select128, - "131": select129, - "132": select130, - "133": select131, - "134": select132, - "135": select133, - "136": select134, - "137": select135, - "138": select136, - "139": select137, - "14": select13, - "140": select138, - "141": select139, - "142": select140, - "143": select141, - "144": select142, - "145": select143, - "146": select144, - "147": select145, - "148": select146, - "149": select147, - "15": select14, - "150": select148, - "152": select149, - 
"153": select150, - "154": select151, - "155": select152, - "156": select153, - "157": select154, - "158": select155, - "159": select156, - "16": select15, - "160": select157, - "161": select158, - "162": select159, - "163": select160, - "164": select161, - "165": select162, - "166": select163, - "167": select164, - "168": select165, - "169": select166, - "17": select16, - "170": select167, - "171": select168, - "172": select169, - "173": select170, - "174": select171, - "175": select172, - "176": select173, - "177": select174, - "178": select175, - "179": select176, - "18": select17, - "180": select177, - "181": select178, - "182": select179, - "183": select180, - "184": select181, - "185": select182, - "186": select183, - "187": select184, - "188": select185, - "189": select186, - "19": select18, - "190": select303, - "191": select187, - "192": select188, - "193": select189, - "194": select190, - "195": select191, - "196": select192, - "197": select193, - "198": select194, - "199": select195, - "2": select3, - "20": select19, - "200": select196, - "201": select197, - "202": select198, - "203": select199, - "204": select200, - "205": select201, - "206": select202, - "207": select203, - "208": select204, - "209": select205, - "21": select20, - "211": select206, - "212": select207, - "213": select208, - "214": select209, - "215": select210, - "216": select211, - "217": select212, - "218": select213, - "219": select214, - "22": select21, - "220": select215, - "221": select216, - "222": select217, - "223": select218, - "224": select219, - "229": select220, - "23": select22, - "230": select221, - "231": select222, - "232": select223, - "233": select224, - "236": select225, - "237": select226, - "238": select227, - "239": select228, - "24": select23, - "240": select229, - "241": select230, - "243": select231, - "244": select232, - "246": select233, - "247": select234, - "248": select235, - "249": select236, - "25": select24, - "250": select237, - "251": select238, - 
"252": select239, - "253": select240, - "254": select241, - "255": select242, - "256": select243, - "257": select244, - "259": select245, - "26": select25, - "260": select246, - "261": select247, - "262": select248, - "263": select249, - "264": select250, - "265": select251, - "266": select252, - "267": select253, - "268": select254, - "269": select255, - "27": select26, - "270": select256, - "271": select257, - "272": select258, - "273": select259, - "274": select260, - "275": select261, - "276": select262, - "277": select263, - "278": select264, - "279": select265, - "28": select27, - "280": select266, - "281": select267, - "282": select268, - "283": select269, - "284": select270, - "285": select271, - "286": select272, - "287": select273, - "288": select274, - "289": select275, - "29": select28, - "290": select276, - "291": select277, - "292": select278, - "293": select279, - "294": select280, - "295": select281, - "296": select282, - "297": select283, - "298": select284, - "299": select285, - "3": select4, - "30": select29, - "300": select286, - "301": select287, - "302": select288, - "303": select289, - "304": select291, - "305": select292, - "306": select293, - "307": select294, - "308": select295, - "309": select296, - "31": select30, - "310": select305, - "311": select306, - "312": select307, - "313": select308, - "316": select298, - "317": select297, - "318": msg630, - "32": select31, - "321": msg627, - "322": msg628, - "323": msg629, - "33": select32, - "34": select33, - "35": select34, - "355": select299, - "356": select300, - "357": select301, - "358": select302, - "359": select309, - "36": select35, - "361": msg624, - "37": select36, - "372": msg618, - "374": msg619, - "376": msg620, - "378": msg626, - "38": select37, - "380": msg631, - "385": msg623, - "39": select38, - "4": select5, - "40": select39, - "41": select40, - "411": select313, - "412": msg625, - "42": select41, - "43": select42, - "44": select43, - "45": select44, - "46": select45, - "47": 
select46, - "48": select47, - "49": select48, - "5": select304, - "50": select49, - "51": select50, - "52": select51, - "53": select52, - "54": select53, - "55": select54, - "56": select55, - "57": select56, - "58": select57, - "59": select58, - "60": select59, - "61": select60, - "62": select61, - "63": select62, - "64": select63, - "65": select64, - "66": select65, - "67": select66, - "68": select67, - "69": select68, - "7": select6, - "70": select69, - "71": select70, - "72": select71, - "73": select72, - "74": select73, - "75": select74, - "76": select75, - "77": select76, - "78": select77, - "79": select78, - "8": select7, - "80": select79, - "81": select80, - "82": select81, - "83": select82, - "84": select83, - "85": select84, - "86": select85, - "87": select86, - "88": select87, - "89": select88, - "9": select8, - "90": select89, - "91": select90, - "92": select91, - "93": select92, - "94": select93, - "95": select94, - "96": select95, - "97": select96, - "98": select97, - "99": select98, - }), -]); - -var part45 = match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); - -var part46 = match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); - -var part47 = match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); - -var part48 = match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); - -var part49 = match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); - -var part50 = match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); - -var part51 = match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); - -var part52 = match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); - -var part53 = match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); - -var part54 = match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%(unknown)\";Safe=%{p0}"); - -var part55 = match("MESSAGE#568:300:02/5_1", 
"nwparser.p0", "%(unknown);Safe=%{p0}"); - -var part56 = match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); - -var part57 = match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); - -var part58 = match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); - -var part59 = match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); - -var part60 = match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); - -var part61 = match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); - -var part62 = match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); - -var part63 = match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); - -var part64 = match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); - -var part65 = match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); - -var part66 = match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); - -var part67 = match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); - -var part68 = match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); - -var part69 = match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); - -var part70 = match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); - -var part71 = match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); - -var part72 = match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); - -var part73 = match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); - -var part74 = match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); - -var part75 = match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); - 
-var part76 = match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); - -var part77 = match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); - -var part78 = match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); - -var part79 = match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); - -var part80 = match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); - -var part81 = match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); - -var part82 = match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); - -var part83 = match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); - -var part84 = match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); - -var part85 = match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); - -var part86 = match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); - -var part87 = match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); - -var part88 = match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); - -var part89 = match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); - -var part90 = match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); - -var part91 = match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); - -var part92 = match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); - -var part93 = match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); - -var part94 = match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); - -var part95 = match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); - -var part96 = match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); - -var 
part97 = match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); - -var part98 = match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); - -var part99 = match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); - -var part100 = match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); - -var part101 = match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); - -var part102 = match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); - -var part103 = match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); - -var part104 = match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%(unknown)\";%{p0}"); - -var part105 = match("MESSAGE#621:411/9_1", "nwparser.p0", "%(unknown);%{p0}"); - -var part106 = match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); - -var part107 = match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); - -var part108 = match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); - -var part109 = match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); - -var part110 = match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); - -var part111 = match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); - -var part112 = match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); - -var part113 = match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); - -var part114 = match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); - -var part115 = match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); - -var part116 = match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); - -var part117 = match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); - -var part118 = match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); - -var part119 = match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); - -var part120 = match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); - -var 
part121 = match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); - -var part122 = match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); - -var part123 = match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); - -var part124 = match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); - -var part125 = match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); - -var part126 = match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); - -var part127 = match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); - -var part128 = match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); - -var part129 = match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); - -var part130 = match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); - -var part131 = match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); - -var part132 = match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); - -var part133 = match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); - -var part134 = match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); - -var part135 = match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); - -var part136 = match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); - -var part137 = match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); - -var part138 = match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); - -var part139 = match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); - -var part140 = match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); - -var part141 = match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); - -var part142 = match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); - -var part143 = match("MESSAGE#621:411/33_1", "nwparser.p0", 
"%{dhost};%{p0}"); - -var part144 = match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); - -var part145 = match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); - -var part146 = match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); - -var part147 = match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); - -var part148 = match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); - -var part149 = match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); - -var part150 = match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); - -var part151 = match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); - -var part152 = match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); - -var part153 = match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); - -var part154 = match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); - -var part155 = match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); - -var part156 = match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); - -var part157 = match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); - -var part158 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup1, - dup2, - dup3, -])); - -var part159 = match("MESSAGE#1:1", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup1, - dup2, -])); - -var part160 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup4, - dup2, - dup3, -])); - -var part161 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup4, - dup2, -])); - -var part162 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { - 
"Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, - dup2, - dup3, -])); - -var part163 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, - dup2, -])); - -var part164 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - 
"UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup15, - dup16, - dup17, - dup9, - dup2, - dup3, -])); - -var part165 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup15, - dup16, - dup17, - dup9, - dup2, -])); - -var part166 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup19, - dup2, - dup3, -])); - -var part167 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup19, - dup2, -])); - -var part168 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup15, - dup2, - dup3, -])); - -var part169 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup15, - dup2, -])); - -var part170 = tagval("MESSAGE#38:22:01", "nwparser.payload", 
tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup21, - dup2, - dup3, -])); - -var part171 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup21, - dup2, -])); - -var part172 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", 
-}, processor_chain([ - dup23, - dup2, - dup3, -])); - -var part173 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup23, - dup2, -])); - -var part174 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup20, - dup2, - dup3, -])); - -var part175 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup20, - dup2, -])); - -var part176 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup26, - dup2, - dup3, -])); - -var part177 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup26, - dup2, -])); - -var part178 = tagval("MESSAGE#190:98:01", 
"nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup26, - dup2, - dup3, - dup24, - dup25, -])); - -var select316 = linear_select([ - dup32, - dup33, -]); - -var select317 = linear_select([ - dup34, - dup35, -]); - -var select318 = linear_select([ - dup36, - dup37, -]); - -var select319 = linear_select([ - dup38, - dup39, -]); - -var select320 = linear_select([ - dup40, - dup41, -]); - -var select321 = linear_select([ - dup42, - dup43, -]); - -var select322 = linear_select([ - dup44, - dup45, -]); - -var select323 = linear_select([ - dup46, - dup47, -]); - -var select324 = linear_select([ - dup48, - dup49, -]); - -var select325 = linear_select([ - dup50, - dup51, -]); - -var select326 = linear_select([ - dup52, - dup53, -]); - -var select327 = linear_select([ - dup54, - dup55, -]); - -var select328 = linear_select([ - dup56, - dup57, -]); - -var select329 = linear_select([ - dup58, - dup59, -]); - -var select330 = linear_select([ - dup60, - dup61, -]); - -var select331 = linear_select([ - dup62, - dup63, -]); - -var select332 = linear_select([ - dup64, - dup65, -]); - -var select333 = linear_select([ - dup66, - dup67, -]); - -var select334 = linear_select([ - dup68, - dup69, -]); - -var select335 = linear_select([ - dup70, - dup71, -]); - -var select336 = linear_select([ - dup72, - dup73, -]); - -var select337 = linear_select([ - dup74, - dup75, -]); - -var 
select338 = linear_select([ - dup76, - dup77, -]); - -var part179 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup79, - dup80, - dup81, - dup2, - dup3, -])); - -var part180 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup79, - dup80, - dup81, - dup2, -])); - -var part181 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": 
"severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup82, - dup2, - dup3, -])); - -var part182 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup82, - dup2, -])); - -var part183 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup83, - dup2, - dup3, -])); - -var part184 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup83, - dup2, -])); - -var part185 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ - dup4, - dup2, - dup3, -])); - -var select339 = linear_select([ - dup85, - dup86, -]); - -var select340 = linear_select([ - dup88, - dup89, -]); - -var select341 = linear_select([ - dup91, - dup92, -]); - -var select342 = linear_select([ - dup94, - dup95, -]); - -var select343 = linear_select([ - dup97, - dup98, -]); - -var select344 = linear_select([ - dup100, - dup101, -]); - -var select345 = linear_select([ - dup103, - dup104, -]); - -var select346 = linear_select([ - dup106, - dup107, -]); - -var select347 = linear_select([ - dup109, - dup110, -]); - -var select348 = linear_select([ - dup112, - dup113, -]); - -var select349 = linear_select([ - dup115, - dup116, - dup117, - dup118, -]); - -var select350 = linear_select([ - dup120, - dup121, -]); - -var select351 = linear_select([ - dup123, - dup124, -]); - -var select352 = linear_select([ - dup126, - dup127, -]); - -var 
select353 = linear_select([ - dup129, - dup130, -]); - -var select354 = linear_select([ - dup132, - dup133, -]); - -var select355 = linear_select([ - dup135, - dup136, -]); - -var select356 = linear_select([ - dup138, - dup139, -]); - -var select357 = linear_select([ - dup141, - dup142, -]); - -var select358 = linear_select([ - dup144, - dup145, -]); - -var select359 = linear_select([ - dup147, - dup148, -]); diff --git a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml deleted file mode 100644 index c0e79ff34d6..00000000000 --- a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml +++ /dev/null 
@@ -1,64 +0,0 @@
----
-description: Pipeline for Cyber-Ark
-
-processors:
- # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/cyberark/corepas/manifest.yml b/x-pack/filebeat/module/cyberark/corepas/manifest.yml
deleted file mode 100644
index 068553fbee9..00000000000
--- a/x-pack/filebeat/module/cyberark/corepas/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0"
-
-var:
- - name: paths
- - name: tags
- default: ["cyberark.corepas", "forwarded"]
- - name: syslog_host
- default: localhost
- - name: syslog_port
- default: 9543
- - name: input
- default: udp
- - name: community_id
- default: true
- - name: tz_offset
- default: local
- - name: rsa_fields
- default: true
- - name: keep_raw_fields
- default: false
- - name: debug
- default: false
-
-ingest_pipeline: ingest/pipeline.yml
-input: config/input.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
-- name: user_agent
- plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log b/x-pack/filebeat/module/cyberark/corepas/test/generated.log
deleted file mode 100644
index 29dd49e5dab..00000000000
--- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -2016-01-29 06:09:59.732538723 +0000 UTC eacommod1428.lan %CYBERARK: MessageID="188";exercita 1.1332",ProductAccount="itv",ProductProcess="odoco",EventId="ria",EventClass="min",EventSeverity="low",EventMessage="allow",ActingUserName="utl",ActingAddress="10.208.15.216",ActionSourceUser="tation",ActionTargetUser="quasiarc",ActionObject="liqua",ActionSafe="ciade",ActionLocation="turadipi",ActionCategory="aeca",ActionRequestId="idi",ActionReason="pexe",ActionExtraDetails="nes" -%CYBERARK: MessageID="168";Version=1.259;Message=block;Issuer=dolore;Station=10.92.136.230;File=ritquiin;Safe=umqui;Location=reeufugi;Category=mdolo;RequestId=mqui;Reason=nci;Severity=very-high;SourceUser=litesse;TargetUser=orev;GatewayStation=10.175.75.18;TicketID=deF;PolicyID=sist;UserName=nnumqu;LogonDomain=iatnu3810.mail.localdomain;Address=volup208.invalid;CPMStatus=eosquir;Port=5191;Database=umdo;DeviceType=itessequ;ExtraDetails=vol; -nibus 2016-02-26 20:15:08.252538723 +0000 UTC mipsumq3879.internal.localdomain %CYBERARK: MessageID="26";Version=1.7269;Message=accept;Issuer=incid;Station=10.51.132.10;File=utper;Safe=squame;Location=ntex;Category=eius;RequestId=luptat;Reason=emape;Severity=low;SourceUser=incidi;TargetUser=nse;GatewayStation=10.46.185.46;TicketID=temvel;PolicyID=iatu;UserName=serror;LogonDomain=anti4454.api.example;Address=tetu5280.www5.invalid;CPMStatus=tionulam;Port=2548;Database=byC;DeviceType=tinculp;ExtraDetails=tur; -2016-03-12 03:17:42.512538723 +0000 UTC minim7868.www5.localdomain %CYBERARK: MessageID="184";Version=1.6713;Message=deny;Issuer=psumquia;Station=10.53.192.140;File=con;Safe=uia;Location=quiavo;Category=issusci;RequestId=mol;Reason=taspe;Severity=high;SourceUser=psumq;TargetUser=atcup;GatewayStation=10.155.236.240;TicketID=tatno;PolicyID=dquiac;UserName=ptass;LogonDomain=uam6303.api.lan;Address=llu4762.mail.localdomain;CPMStatus=scivel;Port=5695;Database=aperi;DeviceType=iveli;ExtraDetails=llumd; -%CYBERARK: MessageID="161";emaper 
1.2638",ProductAccount="eos",ProductProcess="enimad",EventId="rmagni",EventClass="sit",EventSeverity="medium",EventMessage="cancel",ActingUserName="oremips",ActingAddress="10.81.199.122",ActionSourceUser="aquaeabi",ActionTargetUser="giatq",ActionObject="quid",ActionSafe="fug",ActionLocation="uatDuis",ActionCategory="ude",ActionRequestId="maveniam",ActionReason="uian",ActionExtraDetails="tempo" -eetd 2016-04-09 17:22:51.032538723 +0000 UTC eip1448.internal.local %CYBERARK: MessageID="139";Version=1.3491;Message=deny;Issuer=tcupida;Station=10.139.186.201;File=ect;Safe=reetdolo;Location=nrepreh;Category=obeataev;RequestId=lor;Reason=uidexea;Severity=medium;SourceUser=natura;TargetUser=aboris;GatewayStation=10.172.14.142;TicketID=ssitaspe;PolicyID=gitsedqu;UserName=uam;LogonDomain=temq1198.internal.example;Address=aquaeab2275.www5.domain;CPMStatus=ehend;Port=4091;Database=isiu;DeviceType=nimadmi;ExtraDetails=iatisu; -%CYBERARK: MessageID="106";Version=1.6875;Message=accept;Issuer=ipis;Station=10.47.76.251;File=eataevit;Safe=uptatev;Location=uovol;Category=dmi;RequestId=olab;Reason=mquisnos;Severity=medium;SourceUser=ore;TargetUser=etconsec;GatewayStation=10.104.111.129;TicketID=mUt;PolicyID=usmodte;UserName=ele;LogonDomain=tenbyCic5882.api.home;Address=amquisno3338.www5.lan;CPMStatus=nonnu;Port=776;Database=riat;DeviceType=luptatem;ExtraDetails=umdolor; -inB 2016-05-08 07:27:59.552538723 +0000 UTC deomni124.www.example %CYBERARK: MessageID="74";tae 1.1382",ProductAccount="animi",ProductProcess="oluptate",EventId="ofdeF",EventClass="tion",EventSeverity="very-high",EventMessage="deny",ActingUserName="quiratio",ActingAddress="10.116.120.216",ActionSourceUser="qua",ActionTargetUser="umdo",ActionObject="sed",ActionSafe="apariat",ActionLocation="mol",ActionCategory="pteursi",ActionRequestId="onse",ActionReason="rumet",ActionExtraDetails="oll" -Ciceroi 2016-05-22 14:30:33.812538723 +0000 UTC aveniam1436.www.test %CYBERARK: 
MessageID="144";Version=1.5529;Message=cancel;Issuer=taevi;Station=10.62.54.220;File=ehenderi;Safe=pidatat;Location=gni;Category=tquiinea;RequestId=mquaera;Reason=dun;Severity=medium;SourceUser=Duisau;TargetUser=psum;GatewayStation=10.57.40.29;TicketID=undeo;PolicyID=loremip;UserName=rnatura;LogonDomain=isqu7224.localdomain;Address=idolores3839.localdomain;CPMStatus=metcon;Port=2424;Database=emeumfug;DeviceType=upta;ExtraDetails=omn; -ons 2016-06-05 21:33:08.072538723 +0000 UTC tessec3539.home %CYBERARK: MessageID="240";nsect 1.6476",ProductAccount="tnon",ProductProcess="ionul",EventId="nibus",EventClass="edquiano",EventSeverity="medium",EventMessage="cancel",ActingUserName="ema",ActingAddress="10.74.237.180",ActionSourceUser="nsequu",ActionTargetUser="cup",ActionObject="boNemoen",ActionSafe="uid",ActionLocation="rors",ActionCategory="onofd",ActionRequestId="taed",ActionReason="lup",ActionExtraDetails="remeumf" -2016-06-20 04:35:42.332538723 +0000 UTC sectetur3333.mail.example %CYBERARK: MessageID="61";edqui 1.7780",ProductAccount="lor",ProductProcess="fugit",EventId="ido",EventClass="paqu",EventSeverity="high",EventMessage="allow",ActingUserName="remeum",ActingAddress="10.18.165.35",ActionSourceUser="admi",ActionTargetUser="modocons",ActionObject="elaudant",ActionSafe="tinvol",ActionLocation="dolore",ActionCategory="abor",ActionRequestId="iqui",ActionReason="etc",ActionExtraDetails="etM" -2016-07-04 11:38:16.592538723 +0000 UTC xercitat4824.local %CYBERARK: MessageID="90";ostr 1.4979",ProductAccount="onproide",ProductProcess="luptat",EventId="itaut",EventClass="imaven",EventSeverity="high",EventMessage="deny",ActingUserName="tema",ActingAddress="10.74.253.127",ActionSourceUser="tfug",ActionTargetUser="icab",ActionObject="mwr",ActionSafe="fugi",ActionLocation="inculpaq",ActionCategory="agna",ActionRequestId="tionemu",ActionReason="eomnisis",ActionExtraDetails="mqui" -errorsi 2016-07-18 18:40:50.852538723 +0000 UTC des5377.lan %CYBERARK: 
MessageID="385";Version=1.1697;Message=block;Issuer=ono;Station=10.189.109.245;File=emaperi;Safe=tame;Location="tinvol";Category=tectobe;RequestId=colabor;Reason=iusmodt;Severity=medium;GatewayStation=10.92.8.15;TicketID=agnaali;PolicyID=llitani;UserName=inima;LogonDomain=tlabo6088.www.localdomain;Address=Lor5841.internal.example;CPMStatus=sunt;Port="3075";Database=uines;DeviceType=nsec;ExtraDetails=onse -August 2 01:43:25 tat %CYBERARK: MessageID="190";tion 1.1761",ProductAccount="upt",ProductProcess="uiineavo",EventId="tisetq",EventClass="irati",EventSeverity="low",EventMessage="accept",ActingUserName="giatquov",ActingAddress="10.21.78.128",ActionSourceUser="riat",ActionTargetUser="taut",ActionObject="oreseos",ActionSafe="uames",ActionLocation="tati",ActionCategory="utaliqu",ActionRequestId="oriosamn",ActionReason="deFinibu",ActionExtraDetails="iadese" -%CYBERARK: MessageID="256";eporroqu 1.4200",ProductAccount="hil",ProductProcess="atquovo",EventId="suntinc",EventClass="xeac",EventSeverity="medium",EventMessage="deny",ActingUserName="tatn",ActingAddress="10.18.109.121",ActionSourceUser="ents",ActionTargetUser="pida",ActionObject="nse",ActionSafe="sinto",ActionLocation="emoeni",ActionCategory="oenimips",ActionRequestId="utlabore",ActionReason="ecillu",ActionExtraDetails="quip" -%CYBERARK: MessageID="105";Version=1.3727;Message=cancel;Issuer=iunt;Station=10.63.37.192;File=tio;Safe=orinrepr;Location=conse;Category=rumetM;RequestId=equi;Reason=agnaali;Severity=medium;SourceUser=sitvolup;TargetUser=reetd;GatewayStation=10.225.115.13;TicketID=maccusa;PolicyID=uptat;UserName=equep;LogonDomain=iavolu5352.localhost;Address=rpo79.mail.example;CPMStatus=siarchi;Port=2289;Database=aliqu;DeviceType=olupta;ExtraDetails=mipsumd; -remi 2016-09-13 22:51:07.892538723 +0000 UTC saute7154.internal.lan %CYBERARK: 
MessageID="105";Version=1.3219;Message=deny;Issuer=run;Station=10.47.202.102;File=quirat;Safe=llu;Location=licab;Category=eirure;RequestId=conseq;Reason=oidentsu;Severity=medium;SourceUser=aaliquaU;TargetUser=ntor;GatewayStation=10.95.64.124;TicketID=psaquae;PolicyID=ationemu;UserName=ice;LogonDomain=estiae3750.api.corp;Address=tionof7613.domain;CPMStatus=lapari;Port=2335;Database=ite;DeviceType=ationul;ExtraDetails=iquipex; -adol 2016-09-28 05:53:42.152538723 +0000 UTC doloremi7402.www.test %CYBERARK: MessageID="376";Version=1.6371;Message=block;Issuer=itquiin;Station=10.106.239.55;File=taevit;Safe=rinrepre;Location=etconse;Category=tincu;RequestId=ari;Reason=exercit;Severity=low;GatewayStation=10.244.114.61;TicketID=oluptate;PolicyID=onseq;UserName=serunt;LogonDomain=aquaeabi7735.internal.lan;Address=acc7692.home;CPMStatus=amest;Port="4147";Database=itame;DeviceType=intoc;ExtraDetails=oluptas; -2016-10-12 12:56:16.412538723 +0000 UTC luptasn2126.mail.home %CYBERARK: MessageID="24";Version=1.821;Message=allow;Issuer=ione;Station=10.125.160.129;File=suntexp;Safe=duntut;Location=magni;Category=pisciv;RequestId=iquidex;Reason=radipisc;Severity=low;SourceUser=nti;TargetUser=abi;GatewayStation=10.53.168.235;TicketID=fugitse;PolicyID=veniamq;UserName=one;LogonDomain=etMalor4236.www5.host;Address=quatD4191.local;CPMStatus=tenima;Port=5685;Database=sperna;DeviceType=eabilloi;ExtraDetails=estia; -orem 2016-10-26 19:58:50.672538723 +0000 UTC beata6448.mail.test %CYBERARK: MessageID="197";Version=1.1123;Message=allow;Issuer=tasuntex;Station=10.227.177.121;File=boN;Safe=eprehend;Location=aevit;Category=aboN;RequestId=ihilmo;Reason=radi;Severity=low;SourceUser=uames;TargetUser=iduntu;GatewayStation=10.33.245.220;TicketID=giatnu;PolicyID=ulapa;UserName=liqui;LogonDomain=quioffi1359.internal.lan;Address=eturadi6608.mail.host;CPMStatus=aera;Port=3366;Database=rvel;DeviceType=uid;ExtraDetails=onsecte; -November 10 03:01:24 edo %CYBERARK: 
MessageID="411";Version=1.5071;Message=allow;Issuer=econs;Station="10.98.182.220";File="untex";Safe="quiratio";Location="boree";Category="eco";RequestId=Utenimad;Reason=orpor;Severity="low";GatewayStation="10.167.85.181";TicketID=emvel;PolicyID="tmollita";UserName=fde;LogonDomain="nsecte3304.mail.corp";Address="eroi176.example";CPMStatus="non";Port="3341";Database=equat;DeviceType=derit;ExtraDetails="Command=dexea;ConnectionComponentId=atcu;DstHost=labor;ProcessId=6501;ProcessName=laboree.exe;Protocol=tcp;PSMID=intocc;RDPOffset=liqu;SessionID=eporr;SrcHost=xeacomm6855.api.corp;User=utlabor;VIDOffset=rau;" -November 24 10:03:59 aeabi %CYBERARK: MessageID="111";eiu 1.4456",ProductAccount="iciadese",ProductProcess="quidolor",EventId="tessec",EventClass="olupta",EventSeverity="high",EventMessage="block",ActingUserName="icabo",ActingAddress="10.89.208.95",ActionSourceUser="eleum",ActionTargetUser="sintoc",ActionObject="volupt",ActionSafe="siste",ActionLocation="uiinea",ActionCategory="Utenima",ActionRequestId="volupta",ActionReason="rcitati",ActionExtraDetails="eni" -Ute 2016-12-08 17:06:33.452538723 +0000 UTC sperna5368.mail.invalid %CYBERARK: MessageID="81";Version=1.509;Message=accept;Issuer=tDuisaut;Station=10.214.191.180;File=imvenia;Safe=spi;Location=stquido;Category=ommodico;RequestId=ptas;Reason=pta;Severity=medium;SourceUser=ptatemq;TargetUser=luptatev;GatewayStation=10.72.148.32;TicketID=ipsumd;PolicyID=ntocc;UserName=uteirure;LogonDomain=nevo4284.internal.local;Address=reetdolo6852.www.test;CPMStatus=nnum;Port=5428;Database=uamest;DeviceType=tco;ExtraDetails=uae; -%CYBERARK: 
MessageID="168";Version=1.3599;Message=block;Issuer=ipsumd;Station=10.136.190.236;File=evolu;Safe=ersp;Location=tquov;Category=diconseq;RequestId=inven;Reason=osquira;Severity=low;SourceUser=ataevi;TargetUser=com;GatewayStation=10.252.124.150;TicketID=trud;PolicyID=eriti;UserName=litessec;LogonDomain=itas981.mail.domain;Address=mporin6932.api.localdomain;CPMStatus=roid;Port=6604;Database=tasn;DeviceType=Nemoenim;ExtraDetails=squirati; -nbyCic 2017-01-06 07:11:41.972538723 +0000 UTC utlabor6305.internal.corp %CYBERARK: MessageID="90";Version=1.5649;Message=accept;Issuer=iquipe;Station=10.192.34.76;File=modtemp;Safe=quovol;Location=nve;Category=remag;RequestId=uredol;Reason=ccaecat;Severity=medium;SourceUser=onsequ;TargetUser=temqu;GatewayStation=10.213.144.249;TicketID=udexerci;PolicyID=naal;UserName=lore;LogonDomain=tnonpro7635.localdomain;Address=illoin2914.mail.lan;CPMStatus=uamni;Port=6895;Database=gnamal;DeviceType=metMalo;ExtraDetails=ntexplic; -%CYBERARK: MessageID="376";Version=1.2217;Message=accept;Issuer=untu;Station=10.154.4.197;File=con;Safe=nisist;Location=usmodte;Category=msequi;RequestId=tau;Reason=exercita;Severity=low;GatewayStation=10.216.84.30;TicketID=orumSe;PolicyID=boree;UserName=intoc;LogonDomain=rQuisau5300.www5.example;Address=evit5780.www.corp;CPMStatus=onev;Port="725";Database=oditem;DeviceType=gitsedqu;ExtraDetails=borios; -2017-02-03 21:16:50.492538723 +0000 UTC temUt631.www5.example %CYBERARK: MessageID="3";npr 1.4414",ProductAccount="niamqui",ProductProcess="boNem",EventId="ess",EventClass="ipisci",EventSeverity="medium",EventMessage="deny",ActingUserName="tqu",ActingAddress="10.143.193.199",ActionSourceUser="quam",ActionTargetUser="quid",ActionObject="fugiat",ActionSafe="atisun",ActionLocation="esci",ActionCategory="epre",ActionRequestId="tobeata",ActionReason="eroinBCS",ActionExtraDetails="inci" -February 18 04:19:24 rnatur %CYBERARK: 
MessageID="140";Version=1.5632;Message=deny;Issuer=essequam;Station=10.193.83.81;File=isisten;Safe=cusant;Location=atemq;Category=rinre;RequestId=naal;Reason=borios;Severity=high;SourceUser=isnostr;TargetUser=umqu;GatewayStation=10.65.175.9;TicketID=inesci;PolicyID=isnisi;UserName=ritatise;LogonDomain=uamei2389.internal.example;Address=uisa5736.internal.local;CPMStatus=cusant;Port=302;Database=ender;DeviceType=riamea;ExtraDetails=entorev; -%CYBERARK: MessageID="87";tutlab 1.792",ProductAccount="tatn",ProductProcess="dolorsit",EventId="sau",EventClass="aperia",EventSeverity="very-high",EventMessage="accept",ActingUserName="umdolo",ActingAddress="10.205.72.243",ActionSourceUser="stenatu",ActionTargetUser="isiuta",ActionObject="orsitam",ActionSafe="siutaliq",ActionLocation="dutp",ActionCategory="psaquaea",ActionRequestId="taevita",ActionReason="ameiusm",ActionExtraDetails="proide" -2017-03-18 18:24:33.272538723 +0000 UTC velitess7586.mail.example %CYBERARK: MessageID="45";nre 1.7231",ProductAccount="sit",ProductProcess="olab",EventId="eumiure",EventClass="ersp",EventSeverity="medium",EventMessage="allow",ActingUserName="mquisno",ActingAddress="10.107.9.163",ActionSourceUser="uptate",ActionTargetUser="mac",ActionObject="iumdol",ActionSafe="tpersp",ActionLocation="stla",ActionCategory="uptatema",ActionRequestId="oeni",ActionReason="tdol",ActionExtraDetails="sit" -April 2 01:27:07 psum %CYBERARK: MessageID="132";tasnulap 1.7220",ProductAccount="umSe",ProductProcess="xeacomm",EventId="cinge",EventClass="itla",EventSeverity="high",EventMessage="deny",ActingUserName="asiarc",ActingAddress="10.80.101.72",ActionSourceUser="uptate",ActionTargetUser="quidexea",ActionObject="ect",ActionSafe="modocons",ActionLocation="gitsed",ActionCategory="fugia",ActionRequestId="oditautf",ActionReason="quatu",ActionExtraDetails="veli" -April 16 08:29:41 labo %CYBERARK: 
MessageID="200";Version=1.267;Message=accept;Issuer=aboreetd;Station=10.235.136.109;File=lorin;Safe=pitl;Location=por;Category=quidexea;RequestId=nimid;Reason=runtmol;Severity=very-high;SourceUser=odi;TargetUser=ptass;GatewayStation=10.39.10.155;TicketID=dol;PolicyID=proiden;UserName=urExcept;LogonDomain=miurerep1152.internal.domain;Address=utlab3706.api.host;CPMStatus=dantium;Port=246;Database=teirured;DeviceType=onemulla;ExtraDetails=dolorem; -April 30 15:32:16 ationev %CYBERARK: MessageID="233";umdolor 1.4389",ProductAccount="itation",ProductProcess="paquioff",EventId="nci",EventClass="isau",EventSeverity="low",EventMessage="cancel",ActingUserName="ibusBon",ActingAddress="10.96.224.19",ActionSourceUser="nsequat",ActionTargetUser="doloreme",ActionObject="dun",ActionSafe="reprehe",ActionLocation="tincu",ActionCategory="suntin",ActionRequestId="itse",ActionReason="umexerc",ActionExtraDetails="oremipsu" -2017-05-14 22:34:50.312538723 +0000 UTC ntsunt4826.mail.corp %CYBERARK: MessageID="170";olo 1.237",ProductAccount="aec",ProductProcess="fdeF",EventId="iquidexe",EventClass="diconse",EventSeverity="medium",EventMessage="cancel",ActingUserName="reseo",ActingAddress="10.71.238.250",ActionSourceUser="consequa",ActionTargetUser="moenimi",ActionObject="olupt",ActionSafe="oconsequ",ActionLocation="edquiac",ActionCategory="urerepr",ActionRequestId="eseru",ActionReason="quamest",ActionExtraDetails="mac" -%CYBERARK: MessageID="294";Version=1.3804;Message=deny;Issuer=rationev;Station=10.226.20.199;File=tatem;Safe=untutlab;Location=amcor;Category=ica;RequestId=lillum;Reason=remips;Severity=low;SourceUser=taedicta;TargetUser=ritt;GatewayStation=10.226.101.180;TicketID=itesseq;PolicyID=dictasun;UserName=veniamqu;LogonDomain=rum5798.home;Address=mvel1188.internal.localdomain;CPMStatus=tetur;Port=2694;Database=conse;DeviceType=ipi;ExtraDetails=imveniam; -June 12 12:39:58 licabo %CYBERARK: 
MessageID="13";Version=1.1493;Message=cancel;Issuer=utaliqu;Station=10.86.22.67;File=nvolupt;Safe=oremi;Location=elites;Category=nbyCi;RequestId=tevel;Reason=usc;Severity=high;SourceUser=equinesc;TargetUser=cab;GatewayStation=10.134.65.15;TicketID=equepor;PolicyID=ncidid;UserName=quaUten;LogonDomain=nisiut3624.api.example;Address=perspici5680.domain;CPMStatus=iconseq;Port=2039;Database=isciv;DeviceType=rroqu;ExtraDetails=nofd; -%CYBERARK: MessageID="358";ilmol 1.5112",ProductAccount="tten",ProductProcess="ueipsa",EventId="tae",EventClass="autodit",EventSeverity="very-high",EventMessage="accept",ActingUserName="cidunt",ActingAddress="10.70.147.120",ActionSourceUser="exeaco",ActionTargetUser="emqu",ActionObject="nderi",ActionSafe="acommod",ActionLocation="itsedd",ActionCategory="leumiur",ActionRequestId="eratvol",ActionReason="quidol",ActionExtraDetails="eaqu" -luptatem 2017-07-11 02:45:07.352538723 +0000 UTC uaeratv3432.invalid %CYBERARK: MessageID="160";Version=1.6255;Message=cancel;Issuer=dqu;Station=10.178.242.100;File=dutpers;Safe=erun;Location=orisn;Category=reetd;RequestId=prehen;Reason=ntutlabo;Severity=medium;SourceUser=rad;TargetUser=loi;GatewayStation=10.24.111.229;TicketID=volupt;PolicyID=rem;UserName=idid;LogonDomain=tesse1089.www.host;Address=ptateve6909.www5.lan;CPMStatus=toccaec;Port=7645;Database=tenatuse;DeviceType=psaqua;ExtraDetails=ullamcor; -2017-07-25 09:47:41.612538723 +0000 UTC cupi1867.www5.test %CYBERARK: MessageID="67";orroq 1.6677",ProductAccount="ritati",ProductProcess="orisni",EventId="ons",EventClass="remagn",EventSeverity="very-high",EventMessage="deny",ActingUserName="mmodoc",ActingAddress="10.211.179.168",ActionSourceUser="atu",ActionTargetUser="untincul",ActionObject="ssecil",ActionSafe="commodi",ActionLocation="emporain",ActionCategory="ntiumto",ActionRequestId="umetMalo",ActionReason="oluptas",ActionExtraDetails="emvele" -Sedut 2017-08-08 16:50:15.872538723 +0000 UTC yCiceroi2786.www.test %CYBERARK: MessageID="141";iquamqua 
1.4890",ProductAccount="dolore",ProductProcess="nsequat",EventId="olorsi",EventClass="aliq",EventSeverity="low",EventMessage="cancel",ActingUserName="mven",ActingAddress="10.30.243.163",ActionSourceUser="oremag",ActionTargetUser="illu",ActionObject="ruredo",ActionSafe="mac",ActionLocation="temUt",ActionCategory="ptassita",ActionRequestId="its",ActionReason="lore",ActionExtraDetails="idol" -2017-08-22 23:52:50.132538723 +0000 UTC urmag7650.api.invalid %CYBERARK: MessageID="26";Version=1.1844;Message=cancel;Issuer=amvo;Station=10.6.79.159;File=ommodo;Safe=uptat;Location=idex;Category=ptateve;RequestId=cons;Reason=olorese;Severity=high;SourceUser=ore;TargetUser=quid;GatewayStation=10.212.214.4;TicketID=ddoeius;PolicyID=ugiatn;UserName=midestl;LogonDomain=dictasun3878.internal.localhost;Address=modocon5089.mail.example;CPMStatus=lupta;Port=5112;Database=urExce;DeviceType=asi;ExtraDetails=ectiono; -onu 2017-09-06 06:55:24.392538723 +0000 UTC liquaUte6729.api.localhost %CYBERARK: MessageID="150";Version=1.3546;Message=deny;Issuer=atDu;Station=10.237.170.202;File=maperi;Safe=agnaaliq;Location=tlaboree;Category=norumet;RequestId=dtempo;Reason=tin;Severity=low;SourceUser=mve;TargetUser=liquide;GatewayStation=10.70.147.46;TicketID=inv;PolicyID=rroq;UserName=rcit;LogonDomain=aecatcup2241.www5.test;Address=tempor1282.www5.localhost;CPMStatus=incidid;Port=7699;Database=taedict;DeviceType=edquian;ExtraDetails=loremeu; -dmi 2017-09-20 13:57:58.652538723 +0000 UTC untexpl2847.www5.local %CYBERARK: MessageID="292";Version=1.4282;Message=allow;Issuer=emoe;Station=10.179.50.138;File=ehende;Safe=eaqueip;Location=eum;Category=lamc;RequestId=umetMal;Reason=asper;Severity=high;SourceUser=metcons;TargetUser=itasper;GatewayStation=10.228.118.81;TicketID=temquiav;PolicyID=obeata;UserName=tatemU;LogonDomain=mad5185.www5.localhost;Address=mipsum2964.invalid;CPMStatus=doei;Port=6825;Database=toditaut;DeviceType=voluptat;ExtraDetails=ugit; -October 4 21:00:32 asnu %CYBERARK: 
MessageID="38";Version=1.3806;Message=cancel;Issuer=henderit;Station=10.49.71.118;File=ationul;Safe=mquisn;Location=queips;Category=midest;RequestId=dex;Reason=ccae;Severity=medium;SourceUser=eavolup;TargetUser=emip;GatewayStation=10.234.165.130;TicketID=ntexplic;PolicyID=uto;UserName=iuntNequ;LogonDomain=esseq7889.www.invalid;Address=veniamq1236.invalid;CPMStatus=emo;Port=1458;Database=veniamqu;DeviceType=licaboN;ExtraDetails=atquo; -udan 2017-10-19 04:03:07.172538723 +0000 UTC yCic5749.www.localhost %CYBERARK: MessageID="119";itanim 1.4024",ProductAccount="olorema",ProductProcess="mollita",EventId="tatem",EventClass="iae",EventSeverity="low",EventMessage="allow",ActingUserName="emip",ActingAddress="10.199.5.49",ActionSourceUser="stquid",ActionTargetUser="turadipi",ActionObject="usmodi",ActionSafe="ree",ActionLocation="saquaea",ActionCategory="ation",ActionRequestId="luptas",ActionReason="minim",ActionExtraDetails="ataevi" -%CYBERARK: MessageID="156";plic 1.7053",ProductAccount="utlabo",ProductProcess="tetur",EventId="tionula",EventClass="ritqu",EventSeverity="very-high",EventMessage="allow",ActingUserName="uamei",ActingAddress="10.193.219.34",ActionSourceUser="onse",ActionTargetUser="olorem",ActionObject="turvel",ActionSafe="eratv",ActionLocation="ipsa",ActionCategory="asuntexp",ActionRequestId="adminim",ActionReason="orisni",ActionExtraDetails="nse" -November 16 18:08:15 nderi %CYBERARK: MessageID="202";Version=1.7083;Message=allow;Issuer=animid;Station=10.120.167.217;File=atuse;Safe=ueipsa;Location=scipitl;Category=eumi;RequestId=quasiarc;Reason=olli;Severity=low;SourceUser=tetura;TargetUser=rsp;GatewayStation=10.174.185.109;TicketID=roquisqu;PolicyID=edolorin;UserName=dolorem;LogonDomain=tem6815.home;Address=taliqui5348.mail.localdomain;CPMStatus=loremag;Port=6816;Database=tsuntinc;DeviceType=inrepreh;ExtraDetails=quovo; -%CYBERARK: 
MessageID="133";Version=1.1432;Message=cancel;Issuer=atev;Station=10.117.137.159;File=acommodi;Safe=essecill;Location=billoi;Category=moles;RequestId=dipiscin;Reason=olup;Severity=high;SourceUser=undeomni;TargetUser=accusa;GatewayStation=10.141.213.219;TicketID=itat;PolicyID=stlaboru;UserName=ate;LogonDomain=mporainc2064.home;Address=atnulapa3548.www.domain;CPMStatus=radipisc;Port=5347;Database=nibus;DeviceType=vitaed;ExtraDetails=ser; -2017-12-15 08:13:24.212538723 +0000 UTC ill6772.www.invalid %CYBERARK: MessageID="104";Version=1.4043;Message=cancel;Issuer=rem;Station=10.166.90.130;File=mdolore;Safe=eosquira;Location=pta;Category=snos;RequestId=orsi;Reason=tetura;Severity=very-high;SourceUser=lorsita;TargetUser=eavol;GatewayStation=10.94.224.229;TicketID=lupta;PolicyID=npr;UserName=etconsec;LogonDomain=caboNem1043.internal.home;Address=litesseq6785.host;CPMStatus=tob;Port=7390;Database=oditempo;DeviceType=doeiu;ExtraDetails=deF; -rcitat 2017-12-29 15:15:58.472538723 +0000 UTC dolorema2984.www.home %CYBERARK: MessageID="316";Version=1.2456;Message=deny;Issuer=tiumto;Station=10.38.28.151;File=nrepreh;Safe=ratv;Location=alorum;Category=mquisn;RequestId=atq;Reason=erspi;Severity=low;SourceUser=ugiatquo;TargetUser=incidid;GatewayStation=10.201.81.46;TicketID=sBonor;PolicyID=fugits;UserName=mipsumqu;LogonDomain=tatio6513.www.invalid;Address=onnu2272.mail.corp;CPMStatus=atatnon;Port=6064;Database=abor;DeviceType=magnid;ExtraDetails=adol; -January 12 22:18:32 niam %CYBERARK: MessageID="266";Version=1.2721;Message=deny;Issuer=rerepre;Station=10.214.245.95;File=quiineav;Safe=billoinv;Location=sci;Category=col;RequestId=obea;Reason=emp;Severity=medium;SourceUser=luptas;TargetUser=uptatem;GatewayStation=10.255.28.56;TicketID=inrepr;PolicyID=mol;UserName=umdolors;LogonDomain=dolori6232.api.invalid;Address=llit958.www.domain;CPMStatus=tat;Port=2957;Database=odt;DeviceType=cillumd;ExtraDetails=riosa; -January 27 05:21:06 lapar %CYBERARK: MessageID="311";ritati 
1.3219",ProductAccount="qui",ProductProcess="otamr",EventId="nim",EventClass="ame",EventSeverity="very-high",EventMessage="cancel",ActingUserName="mip",ActingAddress="10.45.35.180",ActionSourceUser="mvolupta",ActionTargetUser="Utenima",ActionObject="iqua",ActionSafe="luptat",ActionLocation="deriti",ActionCategory="sintocc",ActionRequestId="cididu",ActionReason="uteir",ActionExtraDetails="boree" -February 10 12:23:41 diduntu %CYBERARK: MessageID="285";eiusmod 1.7546",ProductAccount="ess",ProductProcess="uide",EventId="scivel",EventClass="henderi",EventSeverity="low",EventMessage="accept",ActingUserName="enim",ActingAddress="10.141.200.133",ActionSourceUser="ersp",ActionTargetUser="iame",ActionObject="orroquis",ActionSafe="aquio",ActionLocation="riatu",ActionCategory="loinve",ActionRequestId="tanimid",ActionReason="isnostru",ActionExtraDetails="nofdeFi" -%CYBERARK: MessageID="155";ulap 1.3765",ProductAccount="illoi",ProductProcess="reetdolo",EventId="rationev",EventClass="ehender",EventSeverity="medium",EventMessage="accept",ActingUserName="ugi",ActingAddress="10.83.238.145",ActionSourceUser="ptatems",ActionTargetUser="runtmo",ActionObject="ore",ActionSafe="isund",ActionLocation="exerci",ActionCategory="tas",ActionRequestId="oraincid",ActionReason="quaer",ActionExtraDetails="eetdo" -2018-03-11 02:28:49.772538723 +0000 UTC aali6869.api.localdomain %CYBERARK: MessageID="48";Version=1.3147;Message=block;Issuer=sedquiac;Station=10.39.143.155;File=ipsaqu;Safe=nisiut;Location=rumwri;Category=velill;RequestId=ore;Reason=tation;Severity=very-high;SourceUser=porincid;TargetUser=tperspic;GatewayStation=10.41.89.217;TicketID=ict;PolicyID=squirati;UserName=tem;LogonDomain=mestq2106.api.host;Address=llamc6724.www.lan;CPMStatus=tesseci;Port=4020;Database=radipis;DeviceType=cive;ExtraDetails=nse; -isnisiu 2018-03-25 09:31:24.032538723 +0000 UTC suntincu2940.www5.domain %CYBERARK: 
MessageID="378";Version=1.6382;Message=accept;Issuer=minim;Station=10.5.5.1;File=reseosq;Safe=gna;Location=isiutali;Category=lumqu;RequestId=onulamco;Reason=ons;Severity=low;SourceUser=uptat;TargetUser=unt;GatewayStation=10.153.123.20;TicketID=tla;PolicyID=mquiad;UserName=CSe;LogonDomain=lors7553.api.local;Address=reseosqu1629.mail.lan;CPMStatus=utemvel;Port=5325;Database=atu;DeviceType=iusm;ExtraDetails=roi; -2018-04-08 16:33:58.292538723 +0000 UTC rere5274.mail.domain %CYBERARK: MessageID="269";Version=1.3193;Message=deny;Issuer=iamea;Station=10.210.61.109;File=tiumto;Safe=cor;Location=odoco;Category=oin;RequestId=itseddoe;Reason=elites;Severity=low;SourceUser=uamei;TargetUser=eursinto;GatewayStation=10.168.132.175;TicketID=licaboNe;PolicyID=tautfug;UserName=giatquov;LogonDomain=olu5333.www.domain;Address=orumSe4514.www.corp;CPMStatus=umquam;Port=80;Database=ici;DeviceType=nisiuta;ExtraDetails=iquaUt; -%CYBERARK: MessageID="176";atnula 1.5038",ProductAccount="lmo",ProductProcess="iquidex",EventId="olup",EventClass="remipsu",EventSeverity="low",EventMessage="accept",ActingUserName="quiac",ActingAddress="10.123.154.17",ActionSourceUser="etdol",ActionTargetUser="dolorsi",ActionObject="nturmag",ActionSafe="tura",ActionLocation="osquirat",ActionCategory="equat",ActionRequestId="aliquid",ActionReason="usantiu",ActionExtraDetails="idunt" -%CYBERARK: MessageID="4";min 1.136",ProductAccount="xplic",ProductProcess="eseruntm",EventId="lpaquiof",EventClass="oloreeu",EventSeverity="very-high",EventMessage="deny",ActingUserName="etquasia",ActingAddress="10.169.123.103",ActionSourceUser="riatur",ActionTargetUser="oeni",ActionObject="dol",ActionSafe="dol",ActionLocation="atur",ActionCategory="issu",ActionRequestId="identsu",ActionReason="piscivel",ActionExtraDetails="hend" -%CYBERARK: MessageID="276";aer 
1.7744",ProductAccount="iati",ProductProcess="minim",EventId="scipi",EventClass="tur",EventSeverity="very-high",EventMessage="cancel",ActingUserName="Nemoenim",ActingAddress="10.126.205.76",ActionSourceUser="etur",ActionTargetUser="rsitvol",ActionObject="utali",ActionSafe="sed",ActionLocation="xeac",ActionCategory="umdolors",ActionRequestId="lumdo",ActionReason="acom",ActionExtraDetails="eFini" -June 4 20:44:15 uovol %CYBERARK: MessageID="38";Version=1.3184;Message=accept;Issuer=eufug;Station=10.164.66.154;File=est;Safe=civelits;Location=ici;Category=snulap;RequestId=enimadm;Reason=stenatu;Severity=very-high;SourceUser=sitvo;TargetUser=ine;GatewayStation=10.169.101.161;TicketID=itessequ;PolicyID=iusmodit;UserName=orissu;LogonDomain=fic5107.home;Address=mmodoco2581.www5.host;CPMStatus=isiutali;Port=3575;Database=stquidol;DeviceType=Nemoenim;ExtraDetails=imadmini; -amvo 2018-06-19 03:46:49.592538723 +0000 UTC tnul6235.www5.lan %CYBERARK: MessageID="79";isau 1.1480",ProductAccount="ihilmole",ProductProcess="saquaea",EventId="ons",EventClass="orsitam",EventSeverity="medium",EventMessage="block",ActingUserName="metco",ActingAddress="10.70.83.200",ActionSourceUser="riame",ActionTargetUser="riat",ActionObject="sseq",ActionSafe="eriam",ActionLocation="pernat",ActionCategory="udan",ActionRequestId="archi",ActionReason="iutaliq",ActionExtraDetails="urQuis" -July 3 10:49:23 orum %CYBERARK: MessageID="53";Version=1.4887;Message=block;Issuer=madminim;Station=10.207.97.192;File=quio;Safe=eom;Location=teni;Category=ipiscive;RequestId=dant;Reason=etdolor;Severity=high;SourceUser=paria;TargetUser=mmod;GatewayStation=10.134.55.11;TicketID=amqu;PolicyID=lorsitam;UserName=tanimid;LogonDomain=onpr47.api.home;Address=oremqu7663.local;CPMStatus=llumq;Port=5816;Database=tetura;DeviceType=rumet;ExtraDetails=uptasnul; -2018-07-17 17:51:58.112538723 +0000 UTC nde2358.mail.corp %CYBERARK: 
MessageID="75";Version=1.3601;Message=cancel;Issuer=texplica;Station=10.52.150.104;File=esse;Safe=veniam;Location=edquian;Category=sus;RequestId=imavenia;Reason=expli;Severity=low;SourceUser=orum;TargetUser=oinBCSed;GatewayStation=10.31.187.19;TicketID=ilm;PolicyID=mvel;UserName=eritq;LogonDomain=rehen4859.api.host;Address=eve234.www5.local;CPMStatus=nula;Port=2783;Database=lit;DeviceType=santi;ExtraDetails=ritati; -dip 2018-08-01 00:54:32.372538723 +0000 UTC idolo5292.local %CYBERARK: MessageID="89";Version=1.3175;Message=allow;Issuer=runtm;Station=10.41.232.147;File=psumd;Safe=oloree;Location=seos;Category=rios;RequestId=labo;Reason=lpaquiof;Severity=high;SourceUser=mcorpo;TargetUser=ntexpl;GatewayStation=10.61.175.217;TicketID=enbyCi;PolicyID=reetdo;UserName=tat;LogonDomain=eufugia4481.corp;Address=fficia2304.www5.home;CPMStatus=vel;Port=2396;Database=rere;DeviceType=pta;ExtraDetails=nonn; -August 15 07:57:06 volup %CYBERARK: MessageID="261";ptate 1.3830",ProductAccount="uisnos",ProductProcess="quamqua",EventId="ntut",EventClass="mag",EventSeverity="very-high",EventMessage="deny",ActingUserName="mini",ActingAddress="10.150.30.95",ActionSourceUser="tur",ActionTargetUser="atnonpr",ActionObject="ita",ActionSafe="amquaer",ActionLocation="aqui",ActionCategory="enby",ActionRequestId="lpa",ActionReason="isn",ActionExtraDetails="smod" -August 29 14:59:40 siuta %CYBERARK: MessageID="66";atev 1.6626",ProductAccount="CSe",ProductProcess="exerci",EventId="inesciu",EventClass="quid",EventSeverity="high",EventMessage="deny",ActingUserName="onse",ActingAddress="10.98.71.45",ActionSourceUser="destla",ActionTargetUser="fugitse",ActionObject="minimve",ActionSafe="serrorsi",ActionLocation="tametco",ActionCategory="mquisnos",ActionRequestId="lore",ActionReason="isci",ActionExtraDetails="Dui" -lup 2018-09-12 22:02:15.152538723 +0000 UTC iumtotam1010.www5.corp %CYBERARK: MessageID="168";userror 
1.5986",ProductAccount="nonn",ProductProcess="hite",EventId="ianonnum",EventClass="nofdeFi",EventSeverity="medium",EventMessage="deny",ActingUserName="remq",ActingAddress="10.252.251.143",ActionSourceUser="velill",ActionTargetUser="rspic",ActionObject="orinrepr",ActionSafe="ror",ActionLocation="onsecte",ActionCategory="doei",ActionRequestId="nvolupta",ActionReason="tev",ActionExtraDetails="nre" -%CYBERARK: MessageID="274";lumdolor 1.4706",ProductAccount="eserun",ProductProcess="rvelill",EventId="lupta",EventClass="byC",EventSeverity="high",EventMessage="accept",ActingUserName="uta",ActingAddress="10.197.203.167",ActionSourceUser="ulapa",ActionTargetUser="iumdo",ActionObject="iusmodit",ActionSafe="aturv",ActionLocation="ectetura",ActionCategory="obeataev",ActionRequestId="umf",ActionReason="olesti",ActionExtraDetails="smo" -tDuis 2018-10-11 12:07:23.672538723 +0000 UTC iqu1643.www.host %CYBERARK: MessageID="96";inim 1.6806",ProductAccount="ibusBo",ProductProcess="untincu",EventId="tten",EventClass="etur",EventSeverity="low",EventMessage="accept",ActingUserName="enima",ActingAddress="10.187.170.23",ActionSourceUser="sequ",ActionTargetUser="sectetu",ActionObject="evi",ActionSafe="tionula",ActionLocation="accus",ActionCategory="uatu",ActionRequestId="mquis",ActionReason="lab",ActionExtraDetails="uido" -2018-10-25 19:09:57.932538723 +0000 UTC nimadmin5577.corp %CYBERARK: MessageID="61";Version=1.3824;Message=allow;Issuer=tinculpa;Station=10.123.62.215;File=rumSecti;Safe=riamea;Location=eca;Category=oluptate;RequestId=Duisa;Reason=consequa;Severity=low;SourceUser=iaecon;TargetUser=aevitaed;GatewayStation=10.250.248.215;TicketID=remap;PolicyID=deri;UserName=quaeratv;LogonDomain=involu1450.www.localhost;Address=udexerc2708.api.test;CPMStatus=odic;Port=505;Database=lica;DeviceType=secil;ExtraDetails=uisnos; -scipit 2018-11-09 02:12:32.192538723 +0000 UTC lloinve551.internal.local %CYBERARK: 
MessageID="372";Version=1.3759;Message=block;Issuer=isiutali;Station=10.146.57.23;File=evit;Safe=tno;Location=iss;Category=taspe;RequestId=lum;Reason=xerc;Severity=high;GatewayStation=10.147.154.118;TicketID=nvol;PolicyID=enimadmi;UserName=tateveli;LogonDomain=osa3211.www5.example;Address=temvele5776.www.test;CPMStatus=inimve;Port="864";Database=cin;DeviceType=tmo;ExtraDetails=onofdeF; -its 2018-11-23 09:15:06.452538723 +0000 UTC uptasnul2751.www5.corp %CYBERARK: MessageID="232";ostrudex 1.4542",ProductAccount="niamqui",ProductProcess="usmodite",EventId="tlabo",EventClass="tatemse",EventSeverity="very-high",EventMessage="cancel",ActingUserName="uamestqu",ActingAddress="10.193.33.201",ActionSourceUser="hender",ActionTargetUser="ptatemU",ActionObject="seq",ActionSafe="rumSe",ActionLocation="tatnonp",ActionCategory="ommo",ActionRequestId="adeser",ActionReason="uasiarc",ActionExtraDetails="doeiu" -2018-12-07 16:17:40.712538723 +0000 UTC atuserro6791.internal.host %CYBERARK: MessageID="24";upta 1.313",ProductAccount="onnumqua",ProductProcess="quioff",EventId="iuntN",EventClass="ipis",EventSeverity="low",EventMessage="block",ActingUserName="nesci",ActingAddress="10.154.172.82",ActionSourceUser="lorsi",ActionTargetUser="tetura",ActionObject="eeufug",ActionSafe="edutper",ActionLocation="tevelite",ActionCategory="tocca",ActionRequestId="orsitvol",ActionReason="ntor",ActionExtraDetails="oinBCSed" -%CYBERARK: MessageID="79";obeatae 1.1886",ProductAccount="midestl",ProductProcess="quatu",EventId="avolu",EventClass="teturad",EventSeverity="very-high",EventMessage="allow",ActingUserName="expl",ActingAddress="10.47.63.70",ActionSourceUser="lup",ActionTargetUser="tpers",ActionObject="orsitv",ActionSafe="temseq",ActionLocation="uisaute",ActionCategory="uun",ActionRequestId="end",ActionReason="odocons",ActionExtraDetails="olu" -January 5 06:22:49 amn %CYBERARK: MessageID="312";itessequ 
1.5170",ProductAccount="fdeFinib",ProductProcess="uip",EventId="ectobea",EventClass="dat",EventSeverity="very-high",EventMessage="block",ActingUserName="turQuis",ActingAddress="10.178.160.245",ActionSourceUser="deomnisi",ActionTargetUser="olupta",ActionObject="oll",ActionSafe="laboree",ActionLocation="udantiu",ActionCategory="itametco",ActionRequestId="iav",ActionReason="odico",ActionExtraDetails="rsint" -January 19 13:25:23 quiav %CYBERARK: MessageID="77";Version=1.6648;Message=block;Issuer=Nem;Station=10.85.13.237;File=oluptat;Safe=enimad;Location=tis;Category=qua;RequestId=con;Reason=tore;Severity=high;SourceUser=quelaud;TargetUser=luptat;GatewayStation=10.89.154.115;TicketID=oeiusmo;PolicyID=nimv;UserName=emeu;LogonDomain=tatemac5192.www5.test;Address=teursint1321.www5.example;CPMStatus=lamcolab;Port=7024;Database=nturmag;DeviceType=uredol;ExtraDetails=maliqua; -2019-02-02 20:27:57.752538723 +0000 UTC omnisi5530.mail.example %CYBERARK: MessageID="308";Version=1.3387;Message=allow;Issuer=itame;Station=10.222.32.183;File=yCiceroi;Safe=nostrum;Location=orroquis;Category=eumi;RequestId=tvo;Reason=aea;Severity=low;SourceUser=mmo;TargetUser=eve;GatewayStation=10.65.207.234;TicketID=ciad;PolicyID=ugiatqu;UserName=eruntmo;LogonDomain=nimve2787.mail.test;Address=boreet2051.internal.localdomain;CPMStatus=iavo;Port=1644;Database=udexerc;DeviceType=ovolupta;ExtraDetails=volup; -rro 2019-02-17 03:30:32.012538723 +0000 UTC tuser6944.local %CYBERARK: MessageID="54";iarchite 1.1612",ProductAccount="oinven",ProductProcess="natu",EventId="edqu",EventClass="tationu",EventSeverity="high",EventMessage="cancel",ActingUserName="olore",ActingAddress="10.16.181.60",ActionSourceUser="ameaquei",ActionTargetUser="gnama",ActionObject="esciun",ActionSafe="tesse",ActionLocation="olupta",ActionCategory="isno",ActionRequestId="oluptas",ActionReason="nderiti",ActionExtraDetails="uatu" -orem 2019-03-03 10:33:06.272538723 +0000 UTC giatqu1484.internal.corp %CYBERARK: MessageID="208";oreseosq 
1.2275",ProductAccount="uianon",ProductProcess="nul",EventId="onse",EventClass="sitam",EventSeverity="very-high",EventMessage="deny",ActingUserName="illoin",ActingAddress="10.91.213.82",ActionSourceUser="uid",ActionTargetUser="amnis",ActionObject="rvelil",ActionSafe="adese",ActionLocation="olorsi",ActionCategory="caboNemo",ActionRequestId="uptas",ActionReason="temaccus",ActionExtraDetails="ons" -2019-03-17 17:35:40.532538723 +0000 UTC oreeu3666.invalid %CYBERARK: MessageID="48";tis 1.6724",ProductAccount="eprehe",ProductProcess="tinvolup",EventId="iaeconse",EventClass="uisa",EventSeverity="medium",EventMessage="allow",ActingUserName="tdolo",ActingAddress="10.204.214.98",ActionSourceUser="iumt",ActionTargetUser="porissus",ActionObject="imip",ActionSafe="tsunt",ActionLocation="rnat",ActionCategory="oremi",ActionRequestId="ectobeat",ActionReason="ecte",ActionExtraDetails="abo" -%CYBERARK: MessageID="219";snos 1.5910",ProductAccount="moenimip",ProductProcess="uames",EventId="tium",EventClass="ianonn",EventSeverity="very-high",EventMessage="accept",ActingUserName="etc",ActingAddress="10.223.178.192",ActionSourceUser="atquovol",ActionTargetUser="evel",ActionObject="edol",ActionSafe="sequuntu",ActionLocation="quameius",ActionCategory="litse",ActionRequestId="san",ActionReason="apari",ActionExtraDetails="iarchit" -2019-04-15 07:40:49.052538723 +0000 UTC nsequat6724.www.invalid %CYBERARK: MessageID="183";Version=1.801;Message=cancel;Issuer=ati;Station=10.26.137.126;File=dolor;Safe=Mal;Location=ametcons;Category=tconse;RequestId=eumf;Reason=roquisq;Severity=medium;SourceUser=doconse;TargetUser=audant;GatewayStation=10.26.33.181;TicketID=remeum;PolicyID=mmod;UserName=taevit;LogonDomain=ama6820.mail.example;Address=umto3015.mail.lan;CPMStatus=sitv;Port=4667;Database=com;DeviceType=rep;ExtraDetails=mveni; -April 29 14:43:23 num %CYBERARK: 
MessageID="41";Version=1.10;Message=accept;Issuer=quaerat;Station=10.148.195.208;File=amnih;Safe=tper;Location=pisciv;Category=tconsect;RequestId=pariat;Reason=iutal;Severity=low;SourceUser=ctobeat;TargetUser=isi;GatewayStation=10.142.161.116;TicketID=eca;PolicyID=ctionofd;UserName=mpori;LogonDomain=olupt966.www5.corp;Address=etquasia1800.www.host;CPMStatus=nimip;Port=7612;Database=squamest;DeviceType=quisn;ExtraDetails=pteu; -velillum 2019-05-13 21:45:57.572538723 +0000 UTC ntNequ7639.internal.localdomain %CYBERARK: MessageID="270";Version=1.1026;Message=block;Issuer=itinvo;Station=10.107.24.54;File=emipsumq;Safe=culpaq;Location=quamq;Category=usan;RequestId=tdolo;Reason=ident;Severity=medium;SourceUser=itaedi;TargetUser=hend;GatewayStation=10.10.174.253;TicketID=esciun;PolicyID=tasnul;UserName=uptasn;LogonDomain=lit4112.www.localhost;Address=quisquam2153.mail.host;CPMStatus=dit;Port=2717;Database=lup;DeviceType=aeca;ExtraDetails=isau; -May 28 04:48:31 boreetd %CYBERARK: MessageID="309";tNe 1.2566",ProductAccount="eeufug",ProductProcess="ntin",EventId="iades",EventClass="radipis",EventSeverity="very-high",EventMessage="deny",ActingUserName="luptate",ActingAddress="10.87.92.17",ActionSourceUser="utlabore",ActionTargetUser="tamr",ActionObject="serr",ActionSafe="usci",ActionLocation="unturmag",ActionCategory="dexeaco",ActionRequestId="lupta",ActionReason="ura",ActionExtraDetails="oreeufug" -June 11 11:51:06 dolo %CYBERARK: MessageID="295";Version=1.5649;Message=deny;Issuer=Finibus;Station=10.161.51.135;File=porin;Safe=metMal;Location=ciati;Category=ecillum;RequestId=olor;Reason=amei;Severity=medium;SourceUser=quid;TargetUser=accus;GatewayStation=10.231.51.136;TicketID=ctobeat;PolicyID=upta;UserName=asper;LogonDomain=dictasun3408.internal.invalid;Address=secte1774.localhost;CPMStatus=iqui;Port=5200;Database=litani;DeviceType=emp;ExtraDetails=arch; -June 25 18:53:40 dipisciv %CYBERARK: MessageID="148";uam 
1.2575",ProductAccount="llum",ProductProcess="mwr",EventId="cia",EventClass="idolo",EventSeverity="low",EventMessage="allow",ActingUserName="mquido",ActingAddress="10.51.17.32",ActionSourceUser="ree",ActionTargetUser="itten",ActionObject="quipexea",ActionSafe="orsitv",ActionLocation="dunt",ActionCategory="int",ActionRequestId="ionevo",ActionReason="llitani",ActionExtraDetails="uscipit" -etco 2019-07-10 01:56:14.612538723 +0000 UTC iuntN4077.www.invalid %CYBERARK: MessageID="260";isnostru 1.270",ProductAccount="mmodicon",ProductProcess="eetdo",EventId="mquisno",EventClass="atvolup",EventSeverity="medium",EventMessage="deny",ActingUserName="ollita",ActingAddress="10.108.123.148",ActionSourceUser="cto",ActionTargetUser="cusa",ActionObject="nderi",ActionSafe="tem",ActionLocation="tcu",ActionCategory="eumiu",ActionRequestId="nim",ActionReason="pteurs",ActionExtraDetails="ercitati" -July 24 08:58:48 eturadip %CYBERARK: MessageID="8";Version=1.425;Message=accept;Issuer=rsitamet;Station=10.114.0.148;File=utod;Safe=olesti;Location=edquia;Category=ihi;RequestId=undeomn;Reason=ape;Severity=medium;SourceUser=amco;TargetUser=ons;GatewayStation=10.198.187.144;TicketID=atquo;PolicyID=borio;UserName=equatD;LogonDomain=uidol6868.mail.localdomain;Address=uido2773.www5.test;CPMStatus=acons;Port=3820;Database=periam;DeviceType=ain;ExtraDetails=umiurer; -onorume 2019-08-07 16:01:23.132538723 +0000 UTC abill5290.lan %CYBERARK: MessageID="89";mini 1.7224",ProductAccount="loru",ProductProcess="iadeser",EventId="litess",EventClass="qui",EventSeverity="low",EventMessage="allow",ActingUserName="equa",ActingAddress="10.61.140.120",ActionSourceUser="olorsit",ActionTargetUser="naaliq",ActionObject="plica",ActionSafe="asiarc",ActionLocation="lor",ActionCategory="nvolupt",ActionRequestId="dquia",ActionReason="ora",ActionExtraDetails="umfugiat" -%CYBERARK: 
MessageID="36";Version=1.6988;Message=deny;Issuer=ite;Station=10.93.24.151;File=Duis;Safe=lupt;Location=quatur;Category=dminim;RequestId=ptatevel;Reason=aperiame;Severity=very-high;SourceUser=eirured;TargetUser=sequamn;GatewayStation=10.149.238.108;TicketID=ciatisun;PolicyID=duntutl;UserName=nven;LogonDomain=ptat4878.lan;Address=quame1852.www.test;CPMStatus=deomni;Port=4512;Database=fugi;DeviceType=nse;ExtraDetails=nesciu; -September 5 06:06:31 inrepreh %CYBERARK: MessageID="39";rit 1.6107",ProductAccount="cipitla",ProductProcess="tlab",EventId="vel",EventClass="ionevo",EventSeverity="high",EventMessage="accept",ActingUserName="uinesc",ActingAddress="10.101.45.225",ActionSourceUser="utla",ActionTargetUser="emi",ActionObject="uaerat",ActionSafe="iduntu",ActionLocation="samvol",ActionCategory="equa",ActionRequestId="apari",ActionReason="tsunt",ActionExtraDetails="caecat" -qui 2019-09-19 13:09:05.912538723 +0000 UTC caboN3124.mail.home %CYBERARK: MessageID="8";catcupid 1.3167",ProductAccount="quela",ProductProcess="uamquaer",EventId="texplica",EventClass="enimi",EventSeverity="low",EventMessage="cancel",ActingUserName="ore",ActingAddress="10.2.204.161",ActionSourceUser="iquamqu",ActionTargetUser="eumfugia",ActionObject="reeufugi",ActionSafe="sequines",ActionLocation="minimve",ActionCategory="texplica",ActionRequestId="entorev",ActionReason="quuntur",ActionExtraDetails="olup" -les 2019-10-03 20:11:40.172538723 +0000 UTC norumet2571.internal.example %CYBERARK: MessageID="89";temp 1.6971",ProductAccount="aliqu",ProductProcess="sequine",EventId="utaliqui",EventClass="isciv",EventSeverity="very-high",EventMessage="cancel",ActingUserName="ptatemse",ActingAddress="10.33.112.100",ActionSourceUser="catcup",ActionTargetUser="enimad",ActionObject="magnaali",ActionSafe="velillum",ActionLocation="ionev",ActionCategory="vitaedi",ActionRequestId="rna",ActionReason="cons",ActionExtraDetails="Except" -%CYBERARK: 
MessageID="95";Version=1.3175;Message=block;Issuer=neavol;Station=10.94.152.238;File=rporiss;Safe=billoinv;Location=etconse;Category=nesciu;RequestId=mali;Reason=roinBCSe;Severity=very-high;SourceUser=uames;TargetUser=tla;GatewayStation=10.151.110.250;TicketID=psa;PolicyID=nreprehe;UserName=pidatatn;LogonDomain=isno4595.local;Address=lla5407.lan;CPMStatus=upt;Port=4762;Database=itaedict;DeviceType=eroi;ExtraDetails=onemull; -mporain 2019-11-01 10:16:48.692538723 +0000 UTC eratvo7756.localdomain %CYBERARK: MessageID="179";Version=1.4965;Message=allow;Issuer=alorumwr;Station=10.146.61.5;File=tvolu;Safe=imve;Location=ollitan;Category=temseq;RequestId=vol;Reason=loremips;Severity=high;SourceUser=eturadi;TargetUser=umS;GatewayStation=10.77.9.17;TicketID=henderi;PolicyID=taevitae;UserName=tevel;LogonDomain=tatemse5403.home;Address=iquipexe4708.api.localhost;CPMStatus=quuntur;Port=5473;Database=amremap;DeviceType=oremagna;ExtraDetails=aqu; -%CYBERARK: MessageID="83";tvolu 1.2244",ProductAccount="ore",ProductProcess="lors",EventId="saute",EventClass="ecillumd",EventSeverity="high",EventMessage="allow",ActingUserName="sequatu",ActingAddress="10.128.102.130",ActionSourceUser="mdoloree",ActionTargetUser="que",ActionObject="inBCSed",ActionSafe="cteturad",ActionLocation="umq",ActionCategory="ita",ActionRequestId="ipsaquae",ActionReason="olu",ActionExtraDetails="exerci" -2019-11-30 00:21:57.212538723 +0000 UTC moen6809.internal.example %CYBERARK: MessageID="150";Version=1.7701;Message=cancel;Issuer=reseo;Station=10.31.86.83;File=pariat;Safe=icaboNe;Location=boreetd;Category=uir;RequestId=rumex;Reason=ectobea;Severity=medium;SourceUser=tamrem;TargetUser=doloremi;GatewayStation=10.200.162.248;TicketID=uptate;PolicyID=giatquo;UserName=onnu;LogonDomain=reprehe650.www.corp;Address=oremip4070.www5.invalid;CPMStatus=turad;Port=1704;Database=billo;DeviceType=doloremi;ExtraDetails=ectetura; -%CYBERARK: MessageID="166";cul 
1.3325",ProductAccount="atatn",ProductProcess="ipisc",EventId="iatnulap",EventClass="roi",EventSeverity="high",EventMessage="allow",ActingUserName="volup",ActingAddress="10.103.215.159",ActionSourceUser="ddoeiusm",ActionTargetUser="apa",ActionObject="archite",ActionSafe="tur",ActionLocation="ddo",ActionCategory="emp",ActionRequestId="inBC",ActionReason="did",ActionExtraDetails="atcupi" diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json deleted file mode 100644 index 6df370af4bb..00000000000 --- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json +++ /dev/null 
@@ -1,5584 +0,0 @@ -[ - { - "event.action": "allow", - "event.code": "ria", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2016-01-29 06:09:59.732538723 +0000 UTC eacommod1428.lan %CYBERARK: MessageID=\"188\";exercita 1.1332\",ProductAccount=\"itv\",ProductProcess=\"odoco\",EventId=\"ria\",EventClass=\"min\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"utl\",ActingAddress=\"10.208.15.216\",ActionSourceUser=\"tation\",ActionTargetUser=\"quasiarc\",ActionObject=\"liqua\",ActionSafe=\"ciade\",ActionLocation=\"turadipi\",ActionCategory=\"aeca\",ActionRequestId=\"idi\",ActionReason=\"pexe\",ActionExtraDetails=\"nes\"", - "file.directory": "turadipi", - "file.name": "liqua", - "fileset.name": "corepas", - "host.ip": "10.208.15.216", - "input.type": "log", - "log.level": "low", - "log.offset": 0, - "observer.product": "exercita", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1332", - "related.ip": [ - "10.208.15.216" - ], - "related.user": [ - "itv", - "quasiarc", - "utl" - ], - "rsa.db.index": "nes", - "rsa.internal.event_desc": "pexe", - "rsa.internal.messageid": "188", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "aeca", - "rsa.misc.group_object": "ciade", - "rsa.misc.reference_id": "ria", - "rsa.misc.reference_id1": "idi", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.1332", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "utl" - }, - { - "destination.address": "volup208.invalid", - "destination.port": 5191, - "event.action": "block", - "event.code": "168", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: 
MessageID=\"168\";Version=1.259;Message=block;Issuer=dolore;Station=10.92.136.230;File=ritquiin;Safe=umqui;Location=reeufugi;Category=mdolo;RequestId=mqui;Reason=nci;Severity=very-high;SourceUser=litesse;TargetUser=orev;GatewayStation=10.175.75.18;TicketID=deF;PolicyID=sist;UserName=nnumqu;LogonDomain=iatnu3810.mail.localdomain;Address=volup208.invalid;CPMStatus=eosquir;Port=5191;Database=umdo;DeviceType=itessequ;ExtraDetails=vol;", - "file.directory": "reeufugi", - "file.name": "ritquiin", - "fileset.name": "corepas", - "group.name": "litesse", - "host.ip": "10.92.136.230", - "input.type": "log", - "log.level": "very-high", - "log.offset": 477, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.259", - "related.hosts": [ - "iatnu3810.mail.localdomain", - "volup208.invalid" - ], - "related.ip": [ - "10.175.75.18", - "10.92.136.230" - ], - "related.user": [ - "dolore", - "nnumqu", - "orev" - ], - "rsa.db.database": "umdo", - "rsa.db.index": "vol", - "rsa.internal.event_desc": "nci", - "rsa.internal.messageid": "168", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "mdolo", - "rsa.misc.disposition": "eosquir", - "rsa.misc.group": "litesse", - "rsa.misc.group_object": "umqui", - "rsa.misc.obj_type": "itessequ", - "rsa.misc.operation_id": "deF", - "rsa.misc.policy_name": "sist", - "rsa.misc.reference_id": "168", - "rsa.misc.reference_id1": "mqui", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.259", - "rsa.network.domain": "iatnu3810.mail.localdomain", - "rsa.network.host_dst": "volup208.invalid", - "server.domain": "iatnu3810.mail.localdomain", - "server.registered_domain": "mail.localdomain", - "server.subdomain": "iatnu3810", - "server.top_level_domain": "localdomain", - "service.type": "cyberark", - "source.ip": [ - "10.175.75.18" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "dolore" - }, - { - "destination.address": "tetu5280.www5.invalid", - 
"destination.port": 2548, - "event.action": "accept", - "event.code": "26", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "nibus 2016-02-26 20:15:08.252538723 +0000 UTC mipsumq3879.internal.localdomain %CYBERARK: MessageID=\"26\";Version=1.7269;Message=accept;Issuer=incid;Station=10.51.132.10;File=utper;Safe=squame;Location=ntex;Category=eius;RequestId=luptat;Reason=emape;Severity=low;SourceUser=incidi;TargetUser=nse;GatewayStation=10.46.185.46;TicketID=temvel;PolicyID=iatu;UserName=serror;LogonDomain=anti4454.api.example;Address=tetu5280.www5.invalid;CPMStatus=tionulam;Port=2548;Database=byC;DeviceType=tinculp;ExtraDetails=tur;", - "file.directory": "ntex", - "file.name": "utper", - "fileset.name": "corepas", - "group.name": "incidi", - "host.ip": "10.51.132.10", - "input.type": "log", - "log.level": "low", - "log.offset": 921, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7269", - "related.hosts": [ - "anti4454.api.example", - "tetu5280.www5.invalid" - ], - "related.ip": [ - "10.46.185.46", - "10.51.132.10" - ], - "related.user": [ - "incid", - "nse", - "serror" - ], - "rsa.db.database": "byC", - "rsa.db.index": "tur", - "rsa.internal.event_desc": "emape", - "rsa.internal.messageid": "26", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "eius", - "rsa.misc.disposition": "tionulam", - "rsa.misc.group": "incidi", - "rsa.misc.group_object": "squame", - "rsa.misc.obj_type": "tinculp", - "rsa.misc.operation_id": "temvel", - "rsa.misc.policy_name": "iatu", - "rsa.misc.reference_id": "26", - "rsa.misc.reference_id1": "luptat", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7269", - "rsa.network.domain": "anti4454.api.example", - "rsa.network.host_dst": "tetu5280.www5.invalid", - "server.domain": "anti4454.api.example", - "server.registered_domain": "api.example", - "server.subdomain": "anti4454", - "server.top_level_domain": "example", 
- "service.type": "cyberark", - "source.ip": [ - "10.46.185.46" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "incid" - }, - { - "destination.address": "llu4762.mail.localdomain", - "destination.port": 5695, - "event.action": "deny", - "event.code": "184", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2016-03-12 03:17:42.512538723 +0000 UTC minim7868.www5.localdomain %CYBERARK: MessageID=\"184\";Version=1.6713;Message=deny;Issuer=psumquia;Station=10.53.192.140;File=con;Safe=uia;Location=quiavo;Category=issusci;RequestId=mol;Reason=taspe;Severity=high;SourceUser=psumq;TargetUser=atcup;GatewayStation=10.155.236.240;TicketID=tatno;PolicyID=dquiac;UserName=ptass;LogonDomain=uam6303.api.lan;Address=llu4762.mail.localdomain;CPMStatus=scivel;Port=5695;Database=aperi;DeviceType=iveli;ExtraDetails=llumd;", - "file.directory": "quiavo", - "file.name": "con", - "fileset.name": "corepas", - "group.name": "psumq", - "host.ip": "10.53.192.140", - "input.type": "log", - "log.level": "high", - "log.offset": 1433, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6713", - "related.hosts": [ - "llu4762.mail.localdomain", - "uam6303.api.lan" - ], - "related.ip": [ - "10.155.236.240", - "10.53.192.140" - ], - "related.user": [ - "atcup", - "psumquia", - "ptass" - ], - "rsa.db.database": "aperi", - "rsa.db.index": "llumd", - "rsa.internal.event_desc": "taspe", - "rsa.internal.messageid": "184", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "issusci", - "rsa.misc.disposition": "scivel", - "rsa.misc.group": "psumq", - "rsa.misc.group_object": "uia", - "rsa.misc.obj_type": "iveli", - "rsa.misc.operation_id": "tatno", - "rsa.misc.policy_name": "dquiac", - "rsa.misc.reference_id": "184", - "rsa.misc.reference_id1": "mol", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.6713", - "rsa.network.domain": "uam6303.api.lan", - 
"rsa.network.host_dst": "llu4762.mail.localdomain", - "server.domain": "uam6303.api.lan", - "server.registered_domain": "api.lan", - "server.subdomain": "uam6303", - "server.top_level_domain": "lan", - "service.type": "cyberark", - "source.ip": [ - "10.155.236.240" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "psumquia" - }, - { - "event.action": "cancel", - "event.code": "rmagni", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"161\";emaper 1.2638\",ProductAccount=\"eos\",ProductProcess=\"enimad\",EventId=\"rmagni\",EventClass=\"sit\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"oremips\",ActingAddress=\"10.81.199.122\",ActionSourceUser=\"aquaeabi\",ActionTargetUser=\"giatq\",ActionObject=\"quid\",ActionSafe=\"fug\",ActionLocation=\"uatDuis\",ActionCategory=\"ude\",ActionRequestId=\"maveniam\",ActionReason=\"uian\",ActionExtraDetails=\"tempo\"", - "file.directory": "uatDuis", - "file.name": "quid", - "fileset.name": "corepas", - "host.ip": "10.81.199.122", - "input.type": "log", - "log.level": "medium", - "log.offset": 1935, - "observer.product": "emaper", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2638", - "related.ip": [ - "10.81.199.122" - ], - "related.user": [ - "eos", - "giatq", - "oremips" - ], - "rsa.db.index": "tempo", - "rsa.internal.event_desc": "uian", - "rsa.internal.messageid": "161", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "ude", - "rsa.misc.group_object": "fug", - "rsa.misc.reference_id": "rmagni", - "rsa.misc.reference_id1": "maveniam", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.2638", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "oremips" - }, - { - "destination.address": "aquaeab2275.www5.domain", - "destination.port": 4091, - "event.action": "deny", - "event.code": "139", - "event.dataset": 
"cyberark.corepas", - "event.module": "cyberark", - "event.original": "eetd 2016-04-09 17:22:51.032538723 +0000 UTC eip1448.internal.local %CYBERARK: MessageID=\"139\";Version=1.3491;Message=deny;Issuer=tcupida;Station=10.139.186.201;File=ect;Safe=reetdolo;Location=nrepreh;Category=obeataev;RequestId=lor;Reason=uidexea;Severity=medium;SourceUser=natura;TargetUser=aboris;GatewayStation=10.172.14.142;TicketID=ssitaspe;PolicyID=gitsedqu;UserName=uam;LogonDomain=temq1198.internal.example;Address=aquaeab2275.www5.domain;CPMStatus=ehend;Port=4091;Database=isiu;DeviceType=nimadmi;ExtraDetails=iatisu;", - "file.directory": "nrepreh", - "file.name": "ect", - "fileset.name": "corepas", - "group.name": "natura", - "host.ip": "10.139.186.201", - "input.type": "log", - "log.level": "medium", - "log.offset": 2366, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3491", - "related.hosts": [ - "aquaeab2275.www5.domain", - "temq1198.internal.example" - ], - "related.ip": [ - "10.139.186.201", - "10.172.14.142" - ], - "related.user": [ - "aboris", - "tcupida", - "uam" - ], - "rsa.db.database": "isiu", - "rsa.db.index": "iatisu", - "rsa.internal.event_desc": "uidexea", - "rsa.internal.messageid": "139", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "obeataev", - "rsa.misc.disposition": "ehend", - "rsa.misc.group": "natura", - "rsa.misc.group_object": "reetdolo", - "rsa.misc.obj_type": "nimadmi", - "rsa.misc.operation_id": "ssitaspe", - "rsa.misc.policy_name": "gitsedqu", - "rsa.misc.reference_id": "139", - "rsa.misc.reference_id1": "lor", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.3491", - "rsa.network.domain": "temq1198.internal.example", - "rsa.network.host_dst": "aquaeab2275.www5.domain", - "server.domain": "temq1198.internal.example", - "server.registered_domain": "internal.example", - "server.subdomain": "temq1198", - "server.top_level_domain": "example", - "service.type": 
"cyberark", - "source.ip": [ - "10.172.14.142" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tcupida" - }, - { - "destination.address": "amquisno3338.www5.lan", - "destination.port": 776, - "event.action": "accept", - "event.code": "106", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"106\";Version=1.6875;Message=accept;Issuer=ipis;Station=10.47.76.251;File=eataevit;Safe=uptatev;Location=uovol;Category=dmi;RequestId=olab;Reason=mquisnos;Severity=medium;SourceUser=ore;TargetUser=etconsec;GatewayStation=10.104.111.129;TicketID=mUt;PolicyID=usmodte;UserName=ele;LogonDomain=tenbyCic5882.api.home;Address=amquisno3338.www5.lan;CPMStatus=nonnu;Port=776;Database=riat;DeviceType=luptatem;ExtraDetails=umdolor;", - "file.directory": "uovol", - "file.name": "eataevit", - "fileset.name": "corepas", - "group.name": "ore", - "host.ip": "10.47.76.251", - "input.type": "log", - "log.level": "medium", - "log.offset": 2894, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6875", - "related.hosts": [ - "amquisno3338.www5.lan", - "tenbyCic5882.api.home" - ], - "related.ip": [ - "10.104.111.129", - "10.47.76.251" - ], - "related.user": [ - "ele", - "etconsec", - "ipis" - ], - "rsa.db.database": "riat", - "rsa.db.index": "umdolor", - "rsa.internal.event_desc": "mquisnos", - "rsa.internal.messageid": "106", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "dmi", - "rsa.misc.disposition": "nonnu", - "rsa.misc.group": "ore", - "rsa.misc.group_object": "uptatev", - "rsa.misc.obj_type": "luptatem", - "rsa.misc.operation_id": "mUt", - "rsa.misc.policy_name": "usmodte", - "rsa.misc.reference_id": "106", - "rsa.misc.reference_id1": "olab", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6875", - "rsa.network.domain": "tenbyCic5882.api.home", - "rsa.network.host_dst": "amquisno3338.www5.lan", - "server.domain": 
"tenbyCic5882.api.home", - "server.registered_domain": "api.home", - "server.subdomain": "tenbyCic5882", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.104.111.129" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ipis" - }, - { - "event.action": "deny", - "event.code": "ofdeF", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "inB 2016-05-08 07:27:59.552538723 +0000 UTC deomni124.www.example %CYBERARK: MessageID=\"74\";tae 1.1382\",ProductAccount=\"animi\",ProductProcess=\"oluptate\",EventId=\"ofdeF\",EventClass=\"tion\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"quiratio\",ActingAddress=\"10.116.120.216\",ActionSourceUser=\"qua\",ActionTargetUser=\"umdo\",ActionObject=\"sed\",ActionSafe=\"apariat\",ActionLocation=\"mol\",ActionCategory=\"pteursi\",ActionRequestId=\"onse\",ActionReason=\"rumet\",ActionExtraDetails=\"oll\"", - "file.directory": "mol", - "file.name": "sed", - "fileset.name": "corepas", - "host.ip": "10.116.120.216", - "input.type": "log", - "log.level": "very-high", - "log.offset": 3339, - "observer.product": "tae", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1382", - "related.ip": [ - "10.116.120.216" - ], - "related.user": [ - "animi", - "quiratio", - "umdo" - ], - "rsa.db.index": "oll", - "rsa.internal.event_desc": "rumet", - "rsa.internal.messageid": "74", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "pteursi", - "rsa.misc.group_object": "apariat", - "rsa.misc.reference_id": "ofdeF", - "rsa.misc.reference_id1": "onse", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.1382", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "quiratio" - }, - { - "destination.address": "idolores3839.localdomain", - "destination.port": 2424, - "event.action": "cancel", - "event.code": "144", - "event.dataset": 
"cyberark.corepas", - "event.module": "cyberark", - "event.original": "Ciceroi 2016-05-22 14:30:33.812538723 +0000 UTC aveniam1436.www.test %CYBERARK: MessageID=\"144\";Version=1.5529;Message=cancel;Issuer=taevi;Station=10.62.54.220;File=ehenderi;Safe=pidatat;Location=gni;Category=tquiinea;RequestId=mquaera;Reason=dun;Severity=medium;SourceUser=Duisau;TargetUser=psum;GatewayStation=10.57.40.29;TicketID=undeo;PolicyID=loremip;UserName=rnatura;LogonDomain=isqu7224.localdomain;Address=idolores3839.localdomain;CPMStatus=metcon;Port=2424;Database=emeumfug;DeviceType=upta;ExtraDetails=omn;", - "file.directory": "gni", - "file.name": "ehenderi", - "fileset.name": "corepas", - "group.name": "Duisau", - "host.ip": "10.62.54.220", - "input.type": "log", - "log.level": "medium", - "log.offset": 3831, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5529", - "related.hosts": [ - "idolores3839.localdomain", - "isqu7224.localdomain" - ], - "related.ip": [ - "10.57.40.29", - "10.62.54.220" - ], - "related.user": [ - "psum", - "rnatura", - "taevi" - ], - "rsa.db.database": "emeumfug", - "rsa.db.index": "omn", - "rsa.internal.event_desc": "dun", - "rsa.internal.messageid": "144", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "tquiinea", - "rsa.misc.disposition": "metcon", - "rsa.misc.group": "Duisau", - "rsa.misc.group_object": "pidatat", - "rsa.misc.obj_type": "upta", - "rsa.misc.operation_id": "undeo", - "rsa.misc.policy_name": "loremip", - "rsa.misc.reference_id": "144", - "rsa.misc.reference_id1": "mquaera", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5529", - "rsa.network.domain": "isqu7224.localdomain", - "rsa.network.host_dst": "idolores3839.localdomain", - "server.domain": "isqu7224.localdomain", - "server.registered_domain": "isqu7224.localdomain", - "server.top_level_domain": "localdomain", - "service.type": "cyberark", - "source.ip": [ - "10.57.40.29" - ], - "tags": [ - 
"cyberark.corepas", - "forwarded" - ], - "user.name": "taevi" - }, - { - "event.action": "cancel", - "event.code": "nibus", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "ons 2016-06-05 21:33:08.072538723 +0000 UTC tessec3539.home %CYBERARK: MessageID=\"240\";nsect 1.6476\",ProductAccount=\"tnon\",ProductProcess=\"ionul\",EventId=\"nibus\",EventClass=\"edquiano\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"ema\",ActingAddress=\"10.74.237.180\",ActionSourceUser=\"nsequu\",ActionTargetUser=\"cup\",ActionObject=\"boNemoen\",ActionSafe=\"uid\",ActionLocation=\"rors\",ActionCategory=\"onofd\",ActionRequestId=\"taed\",ActionReason=\"lup\",ActionExtraDetails=\"remeumf\"", - "file.directory": "rors", - "file.name": "boNemoen", - "fileset.name": "corepas", - "host.ip": "10.74.237.180", - "input.type": "log", - "log.level": "medium", - "log.offset": 4349, - "observer.product": "nsect", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6476", - "related.ip": [ - "10.74.237.180" - ], - "related.user": [ - "cup", - "ema", - "tnon" - ], - "rsa.db.index": "remeumf", - "rsa.internal.event_desc": "lup", - "rsa.internal.messageid": "240", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "onofd", - "rsa.misc.group_object": "uid", - "rsa.misc.reference_id": "nibus", - "rsa.misc.reference_id1": "taed", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6476", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ema" - }, - { - "event.action": "allow", - "event.code": "ido", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2016-06-20 04:35:42.332538723 +0000 UTC sectetur3333.mail.example %CYBERARK: MessageID=\"61\";edqui 
1.7780\",ProductAccount=\"lor\",ProductProcess=\"fugit\",EventId=\"ido\",EventClass=\"paqu\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"remeum\",ActingAddress=\"10.18.165.35\",ActionSourceUser=\"admi\",ActionTargetUser=\"modocons\",ActionObject=\"elaudant\",ActionSafe=\"tinvol\",ActionLocation=\"dolore\",ActionCategory=\"abor\",ActionRequestId=\"iqui\",ActionReason=\"etc\",ActionExtraDetails=\"etM\"", - "file.directory": "dolore", - "file.name": "elaudant", - "fileset.name": "corepas", - "host.ip": "10.18.165.35", - "input.type": "log", - "log.level": "high", - "log.offset": 4835, - "observer.product": "edqui", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7780", - "related.ip": [ - "10.18.165.35" - ], - "related.user": [ - "lor", - "modocons", - "remeum" - ], - "rsa.db.index": "etM", - "rsa.internal.event_desc": "etc", - "rsa.internal.messageid": "61", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "abor", - "rsa.misc.group_object": "tinvol", - "rsa.misc.reference_id": "ido", - "rsa.misc.reference_id1": "iqui", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.7780", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "remeum" - }, - { - "event.action": "deny", - "event.code": "itaut", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2016-07-04 11:38:16.592538723 +0000 UTC xercitat4824.local %CYBERARK: MessageID=\"90\";ostr 1.4979\",ProductAccount=\"onproide\",ProductProcess=\"luptat\",EventId=\"itaut\",EventClass=\"imaven\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"tema\",ActingAddress=\"10.74.253.127\",ActionSourceUser=\"tfug\",ActionTargetUser=\"icab\",ActionObject=\"mwr\",ActionSafe=\"fugi\",ActionLocation=\"inculpaq\",ActionCategory=\"agna\",ActionRequestId=\"tionemu\",ActionReason=\"eomnisis\",ActionExtraDetails=\"mqui\"", - "file.directory": "inculpaq", - "file.name": 
"mwr", - "fileset.name": "corepas", - "host.ip": "10.74.253.127", - "input.type": "log", - "log.level": "high", - "log.offset": 5321, - "observer.product": "ostr", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4979", - "related.ip": [ - "10.74.253.127" - ], - "related.user": [ - "icab", - "onproide", - "tema" - ], - "rsa.db.index": "mqui", - "rsa.internal.event_desc": "eomnisis", - "rsa.internal.messageid": "90", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "agna", - "rsa.misc.group_object": "fugi", - "rsa.misc.reference_id": "itaut", - "rsa.misc.reference_id1": "tionemu", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.4979", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tema" - }, - { - "destination.address": "Lor5841.internal.example", - "destination.port": 3075, - "event.action": "block", - "event.code": "385", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "errorsi 2016-07-18 18:40:50.852538723 +0000 UTC des5377.lan %CYBERARK: MessageID=\"385\";Version=1.1697;Message=block;Issuer=ono;Station=10.189.109.245;File=emaperi;Safe=tame;Location=\"tinvol\";Category=tectobe;RequestId=colabor;Reason=iusmodt;Severity=medium;GatewayStation=10.92.8.15;TicketID=agnaali;PolicyID=llitani;UserName=inima;LogonDomain=tlabo6088.www.localdomain;Address=Lor5841.internal.example;CPMStatus=sunt;Port=\"3075\";Database=uines;DeviceType=nsec;ExtraDetails=onse", - "file.directory": "tinvol", - "file.name": "emaperi", - "fileset.name": "corepas", - "host.ip": "10.189.109.245", - "input.type": "log", - "log.level": "medium", - "log.offset": 5807, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1697", - "related.hosts": [ - "Lor5841.internal.example", - "tlabo6088.www.localdomain" - ], - "related.ip": [ - "10.189.109.245", - "10.92.8.15" - ], - "related.user": [ - 
"inima", - "ono" - ], - "rsa.db.database": "uines", - "rsa.db.index": "onse", - "rsa.internal.event_desc": "iusmodt", - "rsa.internal.messageid": "385", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "tectobe", - "rsa.misc.disposition": "sunt", - "rsa.misc.group_object": "tame", - "rsa.misc.obj_type": "nsec", - "rsa.misc.operation_id": "agnaali", - "rsa.misc.policy_name": "llitani", - "rsa.misc.reference_id": "385", - "rsa.misc.reference_id1": "colabor", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.1697", - "rsa.network.domain": "tlabo6088.www.localdomain", - "rsa.network.host_dst": "Lor5841.internal.example", - "server.domain": "tlabo6088.www.localdomain", - "server.registered_domain": "www.localdomain", - "server.subdomain": "tlabo6088", - "server.top_level_domain": "localdomain", - "service.type": "cyberark", - "source.ip": [ - "10.92.8.15" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ono" - }, - { - "event.action": "accept", - "event.code": "tisetq", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "August 2 01:43:25 tat %CYBERARK: MessageID=\"190\";tion 1.1761\",ProductAccount=\"upt\",ProductProcess=\"uiineavo\",EventId=\"tisetq\",EventClass=\"irati\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"giatquov\",ActingAddress=\"10.21.78.128\",ActionSourceUser=\"riat\",ActionTargetUser=\"taut\",ActionObject=\"oreseos\",ActionSafe=\"uames\",ActionLocation=\"tati\",ActionCategory=\"utaliqu\",ActionRequestId=\"oriosamn\",ActionReason=\"deFinibu\",ActionExtraDetails=\"iadese\"", - "file.directory": "tati", - "file.name": "oreseos", - "fileset.name": "corepas", - "host.ip": "10.21.78.128", - "input.type": "log", - "log.level": "low", - "log.offset": 6286, - "observer.product": "tion", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1761", - "related.ip": [ - "10.21.78.128" - ], - "related.user": [ - "giatquov", - "taut", 
- "upt" - ], - "rsa.db.index": "iadese", - "rsa.internal.event_desc": "deFinibu", - "rsa.internal.messageid": "190", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "utaliqu", - "rsa.misc.group_object": "uames", - "rsa.misc.reference_id": "tisetq", - "rsa.misc.reference_id1": "oriosamn", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.1761", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "giatquov" - }, - { - "event.action": "deny", - "event.code": "suntinc", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"256\";eporroqu 1.4200\",ProductAccount=\"hil\",ProductProcess=\"atquovo\",EventId=\"suntinc\",EventClass=\"xeac\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"tatn\",ActingAddress=\"10.18.109.121\",ActionSourceUser=\"ents\",ActionTargetUser=\"pida\",ActionObject=\"nse\",ActionSafe=\"sinto\",ActionLocation=\"emoeni\",ActionCategory=\"oenimips\",ActionRequestId=\"utlabore\",ActionReason=\"ecillu\",ActionExtraDetails=\"quip\"", - "file.directory": "emoeni", - "file.name": "nse", - "fileset.name": "corepas", - "host.ip": "10.18.109.121", - "input.type": "log", - "log.level": "medium", - "log.offset": 6744, - "observer.product": "eporroqu", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4200", - "related.ip": [ - "10.18.109.121" - ], - "related.user": [ - "hil", - "pida", - "tatn" - ], - "rsa.db.index": "quip", - "rsa.internal.event_desc": "ecillu", - "rsa.internal.messageid": "256", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "oenimips", - "rsa.misc.group_object": "sinto", - "rsa.misc.reference_id": "suntinc", - "rsa.misc.reference_id1": "utlabore", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.4200", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tatn" - }, - { - "destination.address": 
"rpo79.mail.example", - "destination.port": 2289, - "event.action": "cancel", - "event.code": "105", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"105\";Version=1.3727;Message=cancel;Issuer=iunt;Station=10.63.37.192;File=tio;Safe=orinrepr;Location=conse;Category=rumetM;RequestId=equi;Reason=agnaali;Severity=medium;SourceUser=sitvolup;TargetUser=reetd;GatewayStation=10.225.115.13;TicketID=maccusa;PolicyID=uptat;UserName=equep;LogonDomain=iavolu5352.localhost;Address=rpo79.mail.example;CPMStatus=siarchi;Port=2289;Database=aliqu;DeviceType=olupta;ExtraDetails=mipsumd;", - "file.directory": "conse", - "file.name": "tio", - "fileset.name": "corepas", - "group.name": "sitvolup", - "host.ip": "10.63.37.192", - "input.type": "log", - "log.level": "medium", - "log.offset": 7176, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3727", - "related.hosts": [ - "iavolu5352.localhost", - "rpo79.mail.example" - ], - "related.ip": [ - "10.225.115.13", - "10.63.37.192" - ], - "related.user": [ - "equep", - "iunt", - "reetd" - ], - "rsa.db.database": "aliqu", - "rsa.db.index": "mipsumd", - "rsa.internal.event_desc": "agnaali", - "rsa.internal.messageid": "105", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "rumetM", - "rsa.misc.disposition": "siarchi", - "rsa.misc.group": "sitvolup", - "rsa.misc.group_object": "orinrepr", - "rsa.misc.obj_type": "olupta", - "rsa.misc.operation_id": "maccusa", - "rsa.misc.policy_name": "uptat", - "rsa.misc.reference_id": "105", - "rsa.misc.reference_id1": "equi", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.3727", - "rsa.network.domain": "iavolu5352.localhost", - "rsa.network.host_dst": "rpo79.mail.example", - "server.domain": "iavolu5352.localhost", - "server.registered_domain": "iavolu5352.localhost", - "server.top_level_domain": "localhost", - "service.type": "cyberark", - "source.ip": [ 
- "10.225.115.13" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "iunt" - }, - { - "destination.address": "tionof7613.domain", - "destination.port": 2335, - "event.action": "deny", - "event.code": "105", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "remi 2016-09-13 22:51:07.892538723 +0000 UTC saute7154.internal.lan %CYBERARK: MessageID=\"105\";Version=1.3219;Message=deny;Issuer=run;Station=10.47.202.102;File=quirat;Safe=llu;Location=licab;Category=eirure;RequestId=conseq;Reason=oidentsu;Severity=medium;SourceUser=aaliquaU;TargetUser=ntor;GatewayStation=10.95.64.124;TicketID=psaquae;PolicyID=ationemu;UserName=ice;LogonDomain=estiae3750.api.corp;Address=tionof7613.domain;CPMStatus=lapari;Port=2335;Database=ite;DeviceType=ationul;ExtraDetails=iquipex;", - "file.directory": "licab", - "file.name": "quirat", - "fileset.name": "corepas", - "group.name": "aaliquaU", - "host.ip": "10.47.202.102", - "input.type": "log", - "log.level": "medium", - "log.offset": 7622, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3219", - "related.hosts": [ - "estiae3750.api.corp", - "tionof7613.domain" - ], - "related.ip": [ - "10.47.202.102", - "10.95.64.124" - ], - "related.user": [ - "ice", - "ntor", - "run" - ], - "rsa.db.database": "ite", - "rsa.db.index": "iquipex", - "rsa.internal.event_desc": "oidentsu", - "rsa.internal.messageid": "105", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "eirure", - "rsa.misc.disposition": "lapari", - "rsa.misc.group": "aaliquaU", - "rsa.misc.group_object": "llu", - "rsa.misc.obj_type": "ationul", - "rsa.misc.operation_id": "psaquae", - "rsa.misc.policy_name": "ationemu", - "rsa.misc.reference_id": "105", - "rsa.misc.reference_id1": "conseq", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.3219", - "rsa.network.domain": "estiae3750.api.corp", - "rsa.network.host_dst": "tionof7613.domain", - 
"server.domain": "estiae3750.api.corp", - "server.registered_domain": "api.corp", - "server.subdomain": "estiae3750", - "server.top_level_domain": "corp", - "service.type": "cyberark", - "source.ip": [ - "10.95.64.124" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "run" - }, - { - "destination.address": "acc7692.home", - "destination.port": 4147, - "event.action": "block", - "event.code": "376", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "adol 2016-09-28 05:53:42.152538723 +0000 UTC doloremi7402.www.test %CYBERARK: MessageID=\"376\";Version=1.6371;Message=block;Issuer=itquiin;Station=10.106.239.55;File=taevit;Safe=rinrepre;Location=etconse;Category=tincu;RequestId=ari;Reason=exercit;Severity=low;GatewayStation=10.244.114.61;TicketID=oluptate;PolicyID=onseq;UserName=serunt;LogonDomain=aquaeabi7735.internal.lan;Address=acc7692.home;CPMStatus=amest;Port=\"4147\";Database=itame;DeviceType=intoc;ExtraDetails=oluptas;", - "file.directory": "etconse", - "file.name": "taevit", - "fileset.name": "corepas", - "host.ip": "10.106.239.55", - "input.type": "log", - "log.level": "low", - "log.offset": 8130, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6371", - "related.hosts": [ - "acc7692.home", - "aquaeabi7735.internal.lan" - ], - "related.ip": [ - "10.106.239.55", - "10.244.114.61" - ], - "related.user": [ - "itquiin", - "serunt" - ], - "rsa.db.database": "itame", - "rsa.db.index": "oluptas", - "rsa.internal.event_desc": "exercit", - "rsa.internal.messageid": "376", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "tincu", - "rsa.misc.disposition": "amest", - "rsa.misc.group_object": "rinrepre", - "rsa.misc.obj_type": "intoc", - "rsa.misc.operation_id": "oluptate", - "rsa.misc.policy_name": "onseq", - "rsa.misc.reference_id": "376", - "rsa.misc.reference_id1": "ari", - "rsa.misc.severity": "low", - "rsa.misc.version": 
"1.6371", - "rsa.network.domain": "aquaeabi7735.internal.lan", - "rsa.network.host_dst": "acc7692.home", - "server.domain": "aquaeabi7735.internal.lan", - "server.registered_domain": "internal.lan", - "server.subdomain": "aquaeabi7735", - "server.top_level_domain": "lan", - "service.type": "cyberark", - "source.ip": [ - "10.244.114.61" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "itquiin" - }, - { - "destination.address": "quatD4191.local", - "destination.port": 5685, - "event.action": "allow", - "event.code": "24", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2016-10-12 12:56:16.412538723 +0000 UTC luptasn2126.mail.home %CYBERARK: MessageID=\"24\";Version=1.821;Message=allow;Issuer=ione;Station=10.125.160.129;File=suntexp;Safe=duntut;Location=magni;Category=pisciv;RequestId=iquidex;Reason=radipisc;Severity=low;SourceUser=nti;TargetUser=abi;GatewayStation=10.53.168.235;TicketID=fugitse;PolicyID=veniamq;UserName=one;LogonDomain=etMalor4236.www5.host;Address=quatD4191.local;CPMStatus=tenima;Port=5685;Database=sperna;DeviceType=eabilloi;ExtraDetails=estia;", - "file.directory": "magni", - "file.name": "suntexp", - "fileset.name": "corepas", - "group.name": "nti", - "host.ip": "10.125.160.129", - "input.type": "log", - "log.level": "low", - "log.offset": 8609, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.821", - "related.hosts": [ - "etMalor4236.www5.host", - "quatD4191.local" - ], - "related.ip": [ - "10.125.160.129", - "10.53.168.235" - ], - "related.user": [ - "abi", - "ione", - "one" - ], - "rsa.db.database": "sperna", - "rsa.db.index": "estia", - "rsa.internal.event_desc": "radipisc", - "rsa.internal.messageid": "24", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "pisciv", - "rsa.misc.disposition": "tenima", - "rsa.misc.group": "nti", - "rsa.misc.group_object": "duntut", - "rsa.misc.obj_type": "eabilloi", 
- "rsa.misc.operation_id": "fugitse", - "rsa.misc.policy_name": "veniamq", - "rsa.misc.reference_id": "24", - "rsa.misc.reference_id1": "iquidex", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.821", - "rsa.network.domain": "etMalor4236.www5.host", - "rsa.network.host_dst": "quatD4191.local", - "server.domain": "etMalor4236.www5.host", - "server.registered_domain": "www5.host", - "server.subdomain": "etMalor4236", - "server.top_level_domain": "host", - "service.type": "cyberark", - "source.ip": [ - "10.53.168.235" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ione" - }, - { - "destination.address": "eturadi6608.mail.host", - "destination.port": 3366, - "event.action": "allow", - "event.code": "197", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "orem 2016-10-26 19:58:50.672538723 +0000 UTC beata6448.mail.test %CYBERARK: MessageID=\"197\";Version=1.1123;Message=allow;Issuer=tasuntex;Station=10.227.177.121;File=boN;Safe=eprehend;Location=aevit;Category=aboN;RequestId=ihilmo;Reason=radi;Severity=low;SourceUser=uames;TargetUser=iduntu;GatewayStation=10.33.245.220;TicketID=giatnu;PolicyID=ulapa;UserName=liqui;LogonDomain=quioffi1359.internal.lan;Address=eturadi6608.mail.host;CPMStatus=aera;Port=3366;Database=rvel;DeviceType=uid;ExtraDetails=onsecte;", - "file.directory": "aevit", - "file.name": "boN", - "fileset.name": "corepas", - "group.name": "uames", - "host.ip": "10.227.177.121", - "input.type": "log", - "log.level": "low", - "log.offset": 9110, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1123", - "related.hosts": [ - "eturadi6608.mail.host", - "quioffi1359.internal.lan" - ], - "related.ip": [ - "10.227.177.121", - "10.33.245.220" - ], - "related.user": [ - "iduntu", - "liqui", - "tasuntex" - ], - "rsa.db.database": "rvel", - "rsa.db.index": "onsecte", - "rsa.internal.event_desc": "radi", - "rsa.internal.messageid": 
"197", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "aboN", - "rsa.misc.disposition": "aera", - "rsa.misc.group": "uames", - "rsa.misc.group_object": "eprehend", - "rsa.misc.obj_type": "uid", - "rsa.misc.operation_id": "giatnu", - "rsa.misc.policy_name": "ulapa", - "rsa.misc.reference_id": "197", - "rsa.misc.reference_id1": "ihilmo", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.1123", - "rsa.network.domain": "quioffi1359.internal.lan", - "rsa.network.host_dst": "eturadi6608.mail.host", - "server.domain": "quioffi1359.internal.lan", - "server.registered_domain": "internal.lan", - "server.subdomain": "quioffi1359", - "server.top_level_domain": "lan", - "service.type": "cyberark", - "source.ip": [ - "10.33.245.220" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tasuntex" - }, - { - "destination.address": "eroi176.example", - "destination.port": 3341, - "event.action": "allow", - "event.code": "411", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "November 10 03:01:24 edo %CYBERARK: MessageID=\"411\";Version=1.5071;Message=allow;Issuer=econs;Station=\"10.98.182.220\";File=\"untex\";Safe=\"quiratio\";Location=\"boree\";Category=\"eco\";RequestId=Utenimad;Reason=orpor;Severity=\"low\";GatewayStation=\"10.167.85.181\";TicketID=emvel;PolicyID=\"tmollita\";UserName=fde;LogonDomain=\"nsecte3304.mail.corp\";Address=\"eroi176.example\";CPMStatus=\"non\";Port=\"3341\";Database=equat;DeviceType=derit;ExtraDetails=\"Command=dexea;ConnectionComponentId=atcu;DstHost=labor;ProcessId=6501;ProcessName=laboree.exe;Protocol=tcp;PSMID=intocc;RDPOffset=liqu;SessionID=eporr;SrcHost=xeacomm6855.api.corp;User=utlabor;VIDOffset=rau;\"", - "file.directory": "boree", - "file.name": "untex", - "fileset.name": "corepas", - "host.hostname": "xeacomm6855.api.corp", - "host.ip": "10.98.182.220", - "input.type": "log", - "log.level": "low", - "log.offset": 9617, - "network.protocol": "tcp", - 
"observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5071", - "process.name": "laboree.exe", - "process.pid": 6501, - "related.hosts": [ - "eroi176.example", - "nsecte3304.mail.corp", - "xeacomm6855.api.corp" - ], - "related.ip": [ - "10.167.85.181", - "10.98.182.220" - ], - "related.user": [ - "econs", - "fde" - ], - "rsa.db.database": "equat", - "rsa.internal.event_desc": "orpor", - "rsa.internal.messageid": "411", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "eco", - "rsa.misc.disposition": "non", - "rsa.misc.group_object": "quiratio", - "rsa.misc.log_session_id": "eporr", - "rsa.misc.obj_type": "derit", - "rsa.misc.operation_id": "emvel", - "rsa.misc.param": "dexea", - "rsa.misc.policy_name": "tmollita", - "rsa.misc.reference_id": "411", - "rsa.misc.reference_id1": "Utenimad", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.5071", - "rsa.network.domain": "nsecte3304.mail.corp", - "rsa.network.host_dst": "eroi176.example", - "server.domain": "nsecte3304.mail.corp", - "server.registered_domain": "mail.corp", - "server.subdomain": "nsecte3304", - "server.top_level_domain": "corp", - "service.type": "cyberark", - "source.address": "xeacomm6855.api.corp", - "source.ip": [ - "10.167.85.181" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "econs" - }, - { - "event.action": "block", - "event.code": "tessec", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "November 24 10:03:59 aeabi %CYBERARK: MessageID=\"111\";eiu 
1.4456\",ProductAccount=\"iciadese\",ProductProcess=\"quidolor\",EventId=\"tessec\",EventClass=\"olupta\",EventSeverity=\"high\",EventMessage=\"block\",ActingUserName=\"icabo\",ActingAddress=\"10.89.208.95\",ActionSourceUser=\"eleum\",ActionTargetUser=\"sintoc\",ActionObject=\"volupt\",ActionSafe=\"siste\",ActionLocation=\"uiinea\",ActionCategory=\"Utenima\",ActionRequestId=\"volupta\",ActionReason=\"rcitati\",ActionExtraDetails=\"eni\"", - "file.directory": "uiinea", - "file.name": "volupt", - "fileset.name": "corepas", - "host.ip": "10.89.208.95", - "input.type": "log", - "log.level": "high", - "log.offset": 10266, - "observer.product": "eiu", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4456", - "related.ip": [ - "10.89.208.95" - ], - "related.user": [ - "icabo", - "iciadese", - "sintoc" - ], - "rsa.db.index": "eni", - "rsa.internal.event_desc": "rcitati", - "rsa.internal.messageid": "111", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "Utenima", - "rsa.misc.group_object": "siste", - "rsa.misc.reference_id": "tessec", - "rsa.misc.reference_id1": "volupta", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.4456", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "icabo" - }, - { - "destination.address": "reetdolo6852.www.test", - "destination.port": 5428, - "event.action": "accept", - "event.code": "81", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "Ute 2016-12-08 17:06:33.452538723 +0000 UTC sperna5368.mail.invalid %CYBERARK: 
MessageID=\"81\";Version=1.509;Message=accept;Issuer=tDuisaut;Station=10.214.191.180;File=imvenia;Safe=spi;Location=stquido;Category=ommodico;RequestId=ptas;Reason=pta;Severity=medium;SourceUser=ptatemq;TargetUser=luptatev;GatewayStation=10.72.148.32;TicketID=ipsumd;PolicyID=ntocc;UserName=uteirure;LogonDomain=nevo4284.internal.local;Address=reetdolo6852.www.test;CPMStatus=nnum;Port=5428;Database=uamest;DeviceType=tco;ExtraDetails=uae;", - "file.directory": "stquido", - "file.name": "imvenia", - "fileset.name": "corepas", - "group.name": "ptatemq", - "host.ip": "10.214.191.180", - "input.type": "log", - "log.level": "medium", - "log.offset": 10730, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.509", - "related.hosts": [ - "nevo4284.internal.local", - "reetdolo6852.www.test" - ], - "related.ip": [ - "10.214.191.180", - "10.72.148.32" - ], - "related.user": [ - "luptatev", - "tDuisaut", - "uteirure" - ], - "rsa.db.database": "uamest", - "rsa.db.index": "uae", - "rsa.internal.event_desc": "pta", - "rsa.internal.messageid": "81", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "ommodico", - "rsa.misc.disposition": "nnum", - "rsa.misc.group": "ptatemq", - "rsa.misc.group_object": "spi", - "rsa.misc.obj_type": "tco", - "rsa.misc.operation_id": "ipsumd", - "rsa.misc.policy_name": "ntocc", - "rsa.misc.reference_id": "81", - "rsa.misc.reference_id1": "ptas", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.509", - "rsa.network.domain": "nevo4284.internal.local", - "rsa.network.host_dst": "reetdolo6852.www.test", - "server.domain": "nevo4284.internal.local", - "server.registered_domain": "internal.local", - "server.subdomain": "nevo4284", - "server.top_level_domain": "local", - "service.type": "cyberark", - "source.ip": [ - "10.72.148.32" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tDuisaut" - }, - { - "destination.address": 
"mporin6932.api.localdomain", - "destination.port": 6604, - "event.action": "block", - "event.code": "168", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"168\";Version=1.3599;Message=block;Issuer=ipsumd;Station=10.136.190.236;File=evolu;Safe=ersp;Location=tquov;Category=diconseq;RequestId=inven;Reason=osquira;Severity=low;SourceUser=ataevi;TargetUser=com;GatewayStation=10.252.124.150;TicketID=trud;PolicyID=eriti;UserName=litessec;LogonDomain=itas981.mail.domain;Address=mporin6932.api.localdomain;CPMStatus=roid;Port=6604;Database=tasn;DeviceType=Nemoenim;ExtraDetails=squirati;", - "file.directory": "tquov", - "file.name": "evolu", - "fileset.name": "corepas", - "group.name": "ataevi", - "host.ip": "10.136.190.236", - "input.type": "log", - "log.level": "low", - "log.offset": 11247, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3599", - "related.hosts": [ - "itas981.mail.domain", - "mporin6932.api.localdomain" - ], - "related.ip": [ - "10.136.190.236", - "10.252.124.150" - ], - "related.user": [ - "com", - "ipsumd", - "litessec" - ], - "rsa.db.database": "tasn", - "rsa.db.index": "squirati", - "rsa.internal.event_desc": "osquira", - "rsa.internal.messageid": "168", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "diconseq", - "rsa.misc.disposition": "roid", - "rsa.misc.group": "ataevi", - "rsa.misc.group_object": "ersp", - "rsa.misc.obj_type": "Nemoenim", - "rsa.misc.operation_id": "trud", - "rsa.misc.policy_name": "eriti", - "rsa.misc.reference_id": "168", - "rsa.misc.reference_id1": "inven", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3599", - "rsa.network.domain": "itas981.mail.domain", - "rsa.network.host_dst": "mporin6932.api.localdomain", - "server.domain": "itas981.mail.domain", - "server.registered_domain": "mail.domain", - "server.subdomain": "itas981", - "server.top_level_domain": "domain", - 
"service.type": "cyberark", - "source.ip": [ - "10.252.124.150" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ipsumd" - }, - { - "destination.address": "illoin2914.mail.lan", - "destination.port": 6895, - "event.action": "accept", - "event.code": "90", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "nbyCic 2017-01-06 07:11:41.972538723 +0000 UTC utlabor6305.internal.corp %CYBERARK: MessageID=\"90\";Version=1.5649;Message=accept;Issuer=iquipe;Station=10.192.34.76;File=modtemp;Safe=quovol;Location=nve;Category=remag;RequestId=uredol;Reason=ccaecat;Severity=medium;SourceUser=onsequ;TargetUser=temqu;GatewayStation=10.213.144.249;TicketID=udexerci;PolicyID=naal;UserName=lore;LogonDomain=tnonpro7635.localdomain;Address=illoin2914.mail.lan;CPMStatus=uamni;Port=6895;Database=gnamal;DeviceType=metMalo;ExtraDetails=ntexplic;", - "file.directory": "nve", - "file.name": "modtemp", - "fileset.name": "corepas", - "group.name": "onsequ", - "host.ip": "10.192.34.76", - "input.type": "log", - "log.level": "medium", - "log.offset": 11697, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5649", - "related.hosts": [ - "illoin2914.mail.lan", - "tnonpro7635.localdomain" - ], - "related.ip": [ - "10.192.34.76", - "10.213.144.249" - ], - "related.user": [ - "iquipe", - "lore", - "temqu" - ], - "rsa.db.database": "gnamal", - "rsa.db.index": "ntexplic", - "rsa.internal.event_desc": "ccaecat", - "rsa.internal.messageid": "90", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "remag", - "rsa.misc.disposition": "uamni", - "rsa.misc.group": "onsequ", - "rsa.misc.group_object": "quovol", - "rsa.misc.obj_type": "metMalo", - "rsa.misc.operation_id": "udexerci", - "rsa.misc.policy_name": "naal", - "rsa.misc.reference_id": "90", - "rsa.misc.reference_id1": "uredol", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5649", - 
"rsa.network.domain": "tnonpro7635.localdomain", - "rsa.network.host_dst": "illoin2914.mail.lan", - "server.domain": "tnonpro7635.localdomain", - "server.registered_domain": "tnonpro7635.localdomain", - "server.top_level_domain": "localdomain", - "service.type": "cyberark", - "source.ip": [ - "10.213.144.249" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "iquipe" - }, - { - "destination.address": "evit5780.www.corp", - "destination.port": 725, - "event.action": "accept", - "event.code": "376", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"376\";Version=1.2217;Message=accept;Issuer=untu;Station=10.154.4.197;File=con;Safe=nisist;Location=usmodte;Category=msequi;RequestId=tau;Reason=exercita;Severity=low;GatewayStation=10.216.84.30;TicketID=orumSe;PolicyID=boree;UserName=intoc;LogonDomain=rQuisau5300.www5.example;Address=evit5780.www.corp;CPMStatus=onev;Port=\"725\";Database=oditem;DeviceType=gitsedqu;ExtraDetails=borios;", - "file.directory": "usmodte", - "file.name": "con", - "fileset.name": "corepas", - "host.ip": "10.154.4.197", - "input.type": "log", - "log.level": "low", - "log.offset": 12221, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2217", - "related.hosts": [ - "evit5780.www.corp", - "rQuisau5300.www5.example" - ], - "related.ip": [ - "10.154.4.197", - "10.216.84.30" - ], - "related.user": [ - "intoc", - "untu" - ], - "rsa.db.database": "oditem", - "rsa.db.index": "borios", - "rsa.internal.event_desc": "exercita", - "rsa.internal.messageid": "376", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "msequi", - "rsa.misc.disposition": "onev", - "rsa.misc.group_object": "nisist", - "rsa.misc.obj_type": "gitsedqu", - "rsa.misc.operation_id": "orumSe", - "rsa.misc.policy_name": "boree", - "rsa.misc.reference_id": "376", - "rsa.misc.reference_id1": "tau", - "rsa.misc.severity": "low", - 
"rsa.misc.version": "1.2217", - "rsa.network.domain": "rQuisau5300.www5.example", - "rsa.network.host_dst": "evit5780.www.corp", - "server.domain": "rQuisau5300.www5.example", - "server.registered_domain": "www5.example", - "server.subdomain": "rQuisau5300", - "server.top_level_domain": "example", - "service.type": "cyberark", - "source.ip": [ - "10.216.84.30" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "untu" - }, - { - "event.action": "deny", - "event.code": "ess", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2017-02-03 21:16:50.492538723 +0000 UTC temUt631.www5.example %CYBERARK: MessageID=\"3\";npr 1.4414\",ProductAccount=\"niamqui\",ProductProcess=\"boNem\",EventId=\"ess\",EventClass=\"ipisci\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"tqu\",ActingAddress=\"10.143.193.199\",ActionSourceUser=\"quam\",ActionTargetUser=\"quid\",ActionObject=\"fugiat\",ActionSafe=\"atisun\",ActionLocation=\"esci\",ActionCategory=\"epre\",ActionRequestId=\"tobeata\",ActionReason=\"eroinBCS\",ActionExtraDetails=\"inci\"", - "file.directory": "esci", - "file.name": "fugiat", - "fileset.name": "corepas", - "host.ip": "10.143.193.199", - "input.type": "log", - "log.level": "medium", - "log.offset": 12628, - "observer.product": "npr", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4414", - "related.ip": [ - "10.143.193.199" - ], - "related.user": [ - "niamqui", - "quid", - "tqu" - ], - "rsa.db.index": "inci", - "rsa.internal.event_desc": "eroinBCS", - "rsa.internal.messageid": "3", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "epre", - "rsa.misc.group_object": "atisun", - "rsa.misc.reference_id": "ess", - "rsa.misc.reference_id1": "tobeata", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.4414", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tqu" - }, - { - 
"destination.address": "uisa5736.internal.local", - "destination.port": 302, - "event.action": "deny", - "event.code": "140", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "February 18 04:19:24 rnatur %CYBERARK: MessageID=\"140\";Version=1.5632;Message=deny;Issuer=essequam;Station=10.193.83.81;File=isisten;Safe=cusant;Location=atemq;Category=rinre;RequestId=naal;Reason=borios;Severity=high;SourceUser=isnostr;TargetUser=umqu;GatewayStation=10.65.175.9;TicketID=inesci;PolicyID=isnisi;UserName=ritatise;LogonDomain=uamei2389.internal.example;Address=uisa5736.internal.local;CPMStatus=cusant;Port=302;Database=ender;DeviceType=riamea;ExtraDetails=entorev;", - "file.directory": "atemq", - "file.name": "isisten", - "fileset.name": "corepas", - "group.name": "isnostr", - "host.ip": "10.193.83.81", - "input.type": "log", - "log.level": "high", - "log.offset": 13114, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5632", - "related.hosts": [ - "uamei2389.internal.example", - "uisa5736.internal.local" - ], - "related.ip": [ - "10.193.83.81", - "10.65.175.9" - ], - "related.user": [ - "essequam", - "ritatise", - "umqu" - ], - "rsa.db.database": "ender", - "rsa.db.index": "entorev", - "rsa.internal.event_desc": "borios", - "rsa.internal.messageid": "140", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "rinre", - "rsa.misc.disposition": "cusant", - "rsa.misc.group": "isnostr", - "rsa.misc.group_object": "cusant", - "rsa.misc.obj_type": "riamea", - "rsa.misc.operation_id": "inesci", - "rsa.misc.policy_name": "isnisi", - "rsa.misc.reference_id": "140", - "rsa.misc.reference_id1": "naal", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.5632", - "rsa.network.domain": "uamei2389.internal.example", - "rsa.network.host_dst": "uisa5736.internal.local", - "server.domain": "uamei2389.internal.example", - "server.registered_domain": "internal.example", - 
"server.subdomain": "uamei2389", - "server.top_level_domain": "example", - "service.type": "cyberark", - "source.ip": [ - "10.65.175.9" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "essequam" - }, - { - "event.action": "accept", - "event.code": "sau", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"87\";tutlab 1.792\",ProductAccount=\"tatn\",ProductProcess=\"dolorsit\",EventId=\"sau\",EventClass=\"aperia\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"umdolo\",ActingAddress=\"10.205.72.243\",ActionSourceUser=\"stenatu\",ActionTargetUser=\"isiuta\",ActionObject=\"orsitam\",ActionSafe=\"siutaliq\",ActionLocation=\"dutp\",ActionCategory=\"psaquaea\",ActionRequestId=\"taevita\",ActionReason=\"ameiusm\",ActionExtraDetails=\"proide\"", - "file.directory": "dutp", - "file.name": "orsitam", - "fileset.name": "corepas", - "host.ip": "10.205.72.243", - "input.type": "log", - "log.level": "very-high", - "log.offset": 13596, - "observer.product": "tutlab", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.792", - "related.ip": [ - "10.205.72.243" - ], - "related.user": [ - "isiuta", - "tatn", - "umdolo" - ], - "rsa.db.index": "proide", - "rsa.internal.event_desc": "ameiusm", - "rsa.internal.messageid": "87", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "psaquaea", - "rsa.misc.group_object": "siutaliq", - "rsa.misc.reference_id": "sau", - "rsa.misc.reference_id1": "taevita", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.792", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "umdolo" - }, - { - "event.action": "allow", - "event.code": "eumiure", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2017-03-18 18:24:33.272538723 +0000 UTC velitess7586.mail.example %CYBERARK: MessageID=\"45\";nre 
1.7231\",ProductAccount=\"sit\",ProductProcess=\"olab\",EventId=\"eumiure\",EventClass=\"ersp\",EventSeverity=\"medium\",EventMessage=\"allow\",ActingUserName=\"mquisno\",ActingAddress=\"10.107.9.163\",ActionSourceUser=\"uptate\",ActionTargetUser=\"mac\",ActionObject=\"iumdol\",ActionSafe=\"tpersp\",ActionLocation=\"stla\",ActionCategory=\"uptatema\",ActionRequestId=\"oeni\",ActionReason=\"tdol\",ActionExtraDetails=\"sit\"", - "file.directory": "stla", - "file.name": "iumdol", - "fileset.name": "corepas", - "host.ip": "10.107.9.163", - "input.type": "log", - "log.level": "medium", - "log.offset": 14043, - "observer.product": "nre", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7231", - "related.ip": [ - "10.107.9.163" - ], - "related.user": [ - "mac", - "mquisno", - "sit" - ], - "rsa.db.index": "sit", - "rsa.internal.event_desc": "tdol", - "rsa.internal.messageid": "45", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "uptatema", - "rsa.misc.group_object": "tpersp", - "rsa.misc.reference_id": "eumiure", - "rsa.misc.reference_id1": "oeni", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.7231", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "mquisno" - }, - { - "event.action": "deny", - "event.code": "cinge", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "April 2 01:27:07 psum %CYBERARK: MessageID=\"132\";tasnulap 1.7220\",ProductAccount=\"umSe\",ProductProcess=\"xeacomm\",EventId=\"cinge\",EventClass=\"itla\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"asiarc\",ActingAddress=\"10.80.101.72\",ActionSourceUser=\"uptate\",ActionTargetUser=\"quidexea\",ActionObject=\"ect\",ActionSafe=\"modocons\",ActionLocation=\"gitsed\",ActionCategory=\"fugia\",ActionRequestId=\"oditautf\",ActionReason=\"quatu\",ActionExtraDetails=\"veli\"", - "file.directory": "gitsed", - "file.name": "ect", - "fileset.name": 
"corepas", - "host.ip": "10.80.101.72", - "input.type": "log", - "log.level": "high", - "log.offset": 14531, - "observer.product": "tasnulap", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7220", - "related.ip": [ - "10.80.101.72" - ], - "related.user": [ - "asiarc", - "quidexea", - "umSe" - ], - "rsa.db.index": "veli", - "rsa.internal.event_desc": "quatu", - "rsa.internal.messageid": "132", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "fugia", - "rsa.misc.group_object": "modocons", - "rsa.misc.reference_id": "cinge", - "rsa.misc.reference_id1": "oditautf", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.7220", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "asiarc" - }, - { - "destination.address": "utlab3706.api.host", - "destination.port": 246, - "event.action": "accept", - "event.code": "200", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "April 16 08:29:41 labo %CYBERARK: MessageID=\"200\";Version=1.267;Message=accept;Issuer=aboreetd;Station=10.235.136.109;File=lorin;Safe=pitl;Location=por;Category=quidexea;RequestId=nimid;Reason=runtmol;Severity=very-high;SourceUser=odi;TargetUser=ptass;GatewayStation=10.39.10.155;TicketID=dol;PolicyID=proiden;UserName=urExcept;LogonDomain=miurerep1152.internal.domain;Address=utlab3706.api.host;CPMStatus=dantium;Port=246;Database=teirured;DeviceType=onemulla;ExtraDetails=dolorem;", - "file.directory": "por", - "file.name": "lorin", - "fileset.name": "corepas", - "group.name": "odi", - "host.ip": "10.235.136.109", - "input.type": "log", - "log.level": "very-high", - "log.offset": 14988, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.267", - "related.hosts": [ - "miurerep1152.internal.domain", - "utlab3706.api.host" - ], - "related.ip": [ - "10.235.136.109", - "10.39.10.155" - ], - "related.user": [ - 
"aboreetd", - "ptass", - "urExcept" - ], - "rsa.db.database": "teirured", - "rsa.db.index": "dolorem", - "rsa.internal.event_desc": "runtmol", - "rsa.internal.messageid": "200", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "quidexea", - "rsa.misc.disposition": "dantium", - "rsa.misc.group": "odi", - "rsa.misc.group_object": "pitl", - "rsa.misc.obj_type": "onemulla", - "rsa.misc.operation_id": "dol", - "rsa.misc.policy_name": "proiden", - "rsa.misc.reference_id": "200", - "rsa.misc.reference_id1": "nimid", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.267", - "rsa.network.domain": "miurerep1152.internal.domain", - "rsa.network.host_dst": "utlab3706.api.host", - "server.domain": "miurerep1152.internal.domain", - "server.registered_domain": "internal.domain", - "server.subdomain": "miurerep1152", - "server.top_level_domain": "domain", - "service.type": "cyberark", - "source.ip": [ - "10.39.10.155" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "aboreetd" - }, - { - "event.action": "cancel", - "event.code": "nci", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "April 30 15:32:16 ationev %CYBERARK: MessageID=\"233\";umdolor 1.4389\",ProductAccount=\"itation\",ProductProcess=\"paquioff\",EventId=\"nci\",EventClass=\"isau\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"ibusBon\",ActingAddress=\"10.96.224.19\",ActionSourceUser=\"nsequat\",ActionTargetUser=\"doloreme\",ActionObject=\"dun\",ActionSafe=\"reprehe\",ActionLocation=\"tincu\",ActionCategory=\"suntin\",ActionRequestId=\"itse\",ActionReason=\"umexerc\",ActionExtraDetails=\"oremipsu\"", - "file.directory": "tincu", - "file.name": "dun", - "fileset.name": "corepas", - "host.ip": "10.96.224.19", - "input.type": "log", - "log.level": "low", - "log.offset": 15471, - "observer.product": "umdolor", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4389", - "related.ip": 
[ - "10.96.224.19" - ], - "related.user": [ - "doloreme", - "ibusBon", - "itation" - ], - "rsa.db.index": "oremipsu", - "rsa.internal.event_desc": "umexerc", - "rsa.internal.messageid": "233", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "suntin", - "rsa.misc.group_object": "reprehe", - "rsa.misc.reference_id": "nci", - "rsa.misc.reference_id1": "itse", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.4389", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ibusBon" - }, - { - "event.action": "cancel", - "event.code": "iquidexe", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2017-05-14 22:34:50.312538723 +0000 UTC ntsunt4826.mail.corp %CYBERARK: MessageID=\"170\";olo 1.237\",ProductAccount=\"aec\",ProductProcess=\"fdeF\",EventId=\"iquidexe\",EventClass=\"diconse\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"reseo\",ActingAddress=\"10.71.238.250\",ActionSourceUser=\"consequa\",ActionTargetUser=\"moenimi\",ActionObject=\"olupt\",ActionSafe=\"oconsequ\",ActionLocation=\"edquiac\",ActionCategory=\"urerepr\",ActionRequestId=\"eseru\",ActionReason=\"quamest\",ActionExtraDetails=\"mac\"", - "file.directory": "edquiac", - "file.name": "olupt", - "fileset.name": "corepas", - "host.ip": "10.71.238.250", - "input.type": "log", - "log.level": "medium", - "log.offset": 15937, - "observer.product": "olo", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.237", - "related.ip": [ - "10.71.238.250" - ], - "related.user": [ - "aec", - "moenimi", - "reseo" - ], - "rsa.db.index": "mac", - "rsa.internal.event_desc": "quamest", - "rsa.internal.messageid": "170", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "urerepr", - "rsa.misc.group_object": "oconsequ", - "rsa.misc.reference_id": "iquidexe", - "rsa.misc.reference_id1": "eseru", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.237", - 
"service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "reseo" - }, - { - "destination.address": "mvel1188.internal.localdomain", - "destination.port": 2694, - "event.action": "deny", - "event.code": "294", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"294\";Version=1.3804;Message=deny;Issuer=rationev;Station=10.226.20.199;File=tatem;Safe=untutlab;Location=amcor;Category=ica;RequestId=lillum;Reason=remips;Severity=low;SourceUser=taedicta;TargetUser=ritt;GatewayStation=10.226.101.180;TicketID=itesseq;PolicyID=dictasun;UserName=veniamqu;LogonDomain=rum5798.home;Address=mvel1188.internal.localdomain;CPMStatus=tetur;Port=2694;Database=conse;DeviceType=ipi;ExtraDetails=imveniam;", - "file.directory": "amcor", - "file.name": "tatem", - "fileset.name": "corepas", - "group.name": "taedicta", - "host.ip": "10.226.20.199", - "input.type": "log", - "log.level": "low", - "log.offset": 16437, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3804", - "related.hosts": [ - "mvel1188.internal.localdomain", - "rum5798.home" - ], - "related.ip": [ - "10.226.101.180", - "10.226.20.199" - ], - "related.user": [ - "rationev", - "ritt", - "veniamqu" - ], - "rsa.db.database": "conse", - "rsa.db.index": "imveniam", - "rsa.internal.event_desc": "remips", - "rsa.internal.messageid": "294", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "ica", - "rsa.misc.disposition": "tetur", - "rsa.misc.group": "taedicta", - "rsa.misc.group_object": "untutlab", - "rsa.misc.obj_type": "ipi", - "rsa.misc.operation_id": "itesseq", - "rsa.misc.policy_name": "dictasun", - "rsa.misc.reference_id": "294", - "rsa.misc.reference_id1": "lillum", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3804", - "rsa.network.domain": "rum5798.home", - "rsa.network.host_dst": "mvel1188.internal.localdomain", - "server.domain": 
"rum5798.home", - "server.registered_domain": "rum5798.home", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.226.101.180" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "rationev" - }, - { - "destination.address": "perspici5680.domain", - "destination.port": 2039, - "event.action": "cancel", - "event.code": "13", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "June 12 12:39:58 licabo %CYBERARK: MessageID=\"13\";Version=1.1493;Message=cancel;Issuer=utaliqu;Station=10.86.22.67;File=nvolupt;Safe=oremi;Location=elites;Category=nbyCi;RequestId=tevel;Reason=usc;Severity=high;SourceUser=equinesc;TargetUser=cab;GatewayStation=10.134.65.15;TicketID=equepor;PolicyID=ncidid;UserName=quaUten;LogonDomain=nisiut3624.api.example;Address=perspici5680.domain;CPMStatus=iconseq;Port=2039;Database=isciv;DeviceType=rroqu;ExtraDetails=nofd;", - "event.outcome": "failure", - "file.directory": "elites", - "file.name": "nvolupt", - "fileset.name": "corepas", - "group.name": "equinesc", - "host.ip": "10.86.22.67", - "input.type": "log", - "log.level": "high", - "log.offset": 16888, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1493", - "related.hosts": [ - "nisiut3624.api.example", - "perspici5680.domain" - ], - "related.ip": [ - "10.134.65.15", - "10.86.22.67" - ], - "related.user": [ - "cab", - "quaUten", - "utaliqu" - ], - "rsa.db.database": "isciv", - "rsa.db.index": "nofd", - "rsa.internal.event_desc": "usc", - "rsa.internal.messageid": "13", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "nbyCi", - "rsa.misc.disposition": "iconseq", - "rsa.misc.group": "equinesc", - "rsa.misc.group_object": "oremi", - "rsa.misc.obj_type": "rroqu", - 
"rsa.misc.operation_id": "equepor", - "rsa.misc.policy_name": "ncidid", - "rsa.misc.reference_id": "13", - "rsa.misc.reference_id1": "tevel", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.1493", - "rsa.network.domain": "nisiut3624.api.example", - "rsa.network.host_dst": "perspici5680.domain", - "server.domain": "nisiut3624.api.example", - "server.registered_domain": "api.example", - "server.subdomain": "nisiut3624", - "server.top_level_domain": "example", - "service.type": "cyberark", - "source.ip": [ - "10.134.65.15" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "utaliqu" - }, - { - "event.action": "accept", - "event.code": "tae", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"358\";ilmol 1.5112\",ProductAccount=\"tten\",ProductProcess=\"ueipsa\",EventId=\"tae\",EventClass=\"autodit\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"cidunt\",ActingAddress=\"10.70.147.120\",ActionSourceUser=\"exeaco\",ActionTargetUser=\"emqu\",ActionObject=\"nderi\",ActionSafe=\"acommod\",ActionLocation=\"itsedd\",ActionCategory=\"leumiur\",ActionRequestId=\"eratvol\",ActionReason=\"quidol\",ActionExtraDetails=\"eaqu\"", - "file.directory": "itsedd", - "file.name": "nderi", - "fileset.name": "corepas", - "host.ip": "10.70.147.120", - "input.type": "log", - "log.level": "very-high", - "log.offset": 17354, - "observer.product": "ilmol", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5112", - "related.ip": [ - "10.70.147.120" - ], - "related.user": [ - "cidunt", - "emqu", - "tten" - ], - "rsa.db.index": "eaqu", - "rsa.internal.event_desc": "quidol", - "rsa.internal.messageid": "358", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "leumiur", - "rsa.misc.group_object": "acommod", - "rsa.misc.reference_id": "tae", - "rsa.misc.reference_id1": "eratvol", - "rsa.misc.severity": "very-high", - "rsa.misc.version": 
"1.5112", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "cidunt" - }, - { - "destination.address": "ptateve6909.www5.lan", - "destination.port": 7645, - "event.action": "cancel", - "event.code": "160", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "luptatem 2017-07-11 02:45:07.352538723 +0000 UTC uaeratv3432.invalid %CYBERARK: MessageID=\"160\";Version=1.6255;Message=cancel;Issuer=dqu;Station=10.178.242.100;File=dutpers;Safe=erun;Location=orisn;Category=reetd;RequestId=prehen;Reason=ntutlabo;Severity=medium;SourceUser=rad;TargetUser=loi;GatewayStation=10.24.111.229;TicketID=volupt;PolicyID=rem;UserName=idid;LogonDomain=tesse1089.www.host;Address=ptateve6909.www5.lan;CPMStatus=toccaec;Port=7645;Database=tenatuse;DeviceType=psaqua;ExtraDetails=ullamcor;", - "file.directory": "orisn", - "file.name": "dutpers", - "fileset.name": "corepas", - "group.name": "rad", - "host.ip": "10.178.242.100", - "input.type": "log", - "log.level": "medium", - "log.offset": 17793, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6255", - "related.hosts": [ - "ptateve6909.www5.lan", - "tesse1089.www.host" - ], - "related.ip": [ - "10.178.242.100", - "10.24.111.229" - ], - "related.user": [ - "dqu", - "idid", - "loi" - ], - "rsa.db.database": "tenatuse", - "rsa.db.index": "ullamcor", - "rsa.internal.event_desc": "ntutlabo", - "rsa.internal.messageid": "160", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "reetd", - "rsa.misc.disposition": "toccaec", - "rsa.misc.group": "rad", - "rsa.misc.group_object": "erun", - "rsa.misc.obj_type": "psaqua", - "rsa.misc.operation_id": "volupt", - "rsa.misc.policy_name": "rem", - "rsa.misc.reference_id": "160", - "rsa.misc.reference_id1": "prehen", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6255", - "rsa.network.domain": "tesse1089.www.host", - 
"rsa.network.host_dst": "ptateve6909.www5.lan", - "server.domain": "tesse1089.www.host", - "server.registered_domain": "www.host", - "server.subdomain": "tesse1089", - "server.top_level_domain": "host", - "service.type": "cyberark", - "source.ip": [ - "10.24.111.229" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "dqu" - }, - { - "event.action": "deny", - "event.code": "ons", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2017-07-25 09:47:41.612538723 +0000 UTC cupi1867.www5.test %CYBERARK: MessageID=\"67\";orroq 1.6677\",ProductAccount=\"ritati\",ProductProcess=\"orisni\",EventId=\"ons\",EventClass=\"remagn\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"mmodoc\",ActingAddress=\"10.211.179.168\",ActionSourceUser=\"atu\",ActionTargetUser=\"untincul\",ActionObject=\"ssecil\",ActionSafe=\"commodi\",ActionLocation=\"emporain\",ActionCategory=\"ntiumto\",ActionRequestId=\"umetMalo\",ActionReason=\"oluptas\",ActionExtraDetails=\"emvele\"", - "file.directory": "emporain", - "file.name": "ssecil", - "fileset.name": "corepas", - "host.ip": "10.211.179.168", - "input.type": "log", - "log.level": "very-high", - "log.offset": 18304, - "observer.product": "orroq", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6677", - "related.ip": [ - "10.211.179.168" - ], - "related.user": [ - "mmodoc", - "ritati", - "untincul" - ], - "rsa.db.index": "emvele", - "rsa.internal.event_desc": "oluptas", - "rsa.internal.messageid": "67", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "ntiumto", - "rsa.misc.group_object": "commodi", - "rsa.misc.reference_id": "ons", - "rsa.misc.reference_id1": "umetMalo", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.6677", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "mmodoc" - }, - { - "event.action": "cancel", - "event.code": "olorsi", - 
"event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "Sedut 2017-08-08 16:50:15.872538723 +0000 UTC yCiceroi2786.www.test %CYBERARK: MessageID=\"141\";iquamqua 1.4890\",ProductAccount=\"dolore\",ProductProcess=\"nsequat\",EventId=\"olorsi\",EventClass=\"aliq\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"mven\",ActingAddress=\"10.30.243.163\",ActionSourceUser=\"oremag\",ActionTargetUser=\"illu\",ActionObject=\"ruredo\",ActionSafe=\"mac\",ActionLocation=\"temUt\",ActionCategory=\"ptassita\",ActionRequestId=\"its\",ActionReason=\"lore\",ActionExtraDetails=\"idol\"", - "file.directory": "temUt", - "file.name": "ruredo", - "fileset.name": "corepas", - "host.ip": "10.30.243.163", - "input.type": "log", - "log.level": "low", - "log.offset": 18809, - "observer.product": "iquamqua", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4890", - "related.ip": [ - "10.30.243.163" - ], - "related.user": [ - "dolore", - "illu", - "mven" - ], - "rsa.db.index": "idol", - "rsa.internal.event_desc": "lore", - "rsa.internal.messageid": "141", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "ptassita", - "rsa.misc.group_object": "mac", - "rsa.misc.reference_id": "olorsi", - "rsa.misc.reference_id1": "its", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.4890", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "mven" - }, - { - "destination.address": "modocon5089.mail.example", - "destination.port": 5112, - "event.action": "cancel", - "event.code": "26", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2017-08-22 23:52:50.132538723 +0000 UTC urmag7650.api.invalid %CYBERARK: 
MessageID=\"26\";Version=1.1844;Message=cancel;Issuer=amvo;Station=10.6.79.159;File=ommodo;Safe=uptat;Location=idex;Category=ptateve;RequestId=cons;Reason=olorese;Severity=high;SourceUser=ore;TargetUser=quid;GatewayStation=10.212.214.4;TicketID=ddoeius;PolicyID=ugiatn;UserName=midestl;LogonDomain=dictasun3878.internal.localhost;Address=modocon5089.mail.example;CPMStatus=lupta;Port=5112;Database=urExce;DeviceType=asi;ExtraDetails=ectiono;", - "file.directory": "idex", - "file.name": "ommodo", - "fileset.name": "corepas", - "group.name": "ore", - "host.ip": "10.6.79.159", - "input.type": "log", - "log.level": "high", - "log.offset": 19305, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1844", - "related.hosts": [ - "dictasun3878.internal.localhost", - "modocon5089.mail.example" - ], - "related.ip": [ - "10.212.214.4", - "10.6.79.159" - ], - "related.user": [ - "amvo", - "midestl", - "quid" - ], - "rsa.db.database": "urExce", - "rsa.db.index": "ectiono", - "rsa.internal.event_desc": "olorese", - "rsa.internal.messageid": "26", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "ptateve", - "rsa.misc.disposition": "lupta", - "rsa.misc.group": "ore", - "rsa.misc.group_object": "uptat", - "rsa.misc.obj_type": "asi", - "rsa.misc.operation_id": "ddoeius", - "rsa.misc.policy_name": "ugiatn", - "rsa.misc.reference_id": "26", - "rsa.misc.reference_id1": "cons", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.1844", - "rsa.network.domain": "dictasun3878.internal.localhost", - "rsa.network.host_dst": "modocon5089.mail.example", - "server.domain": "dictasun3878.internal.localhost", - "server.registered_domain": "internal.localhost", - "server.subdomain": "dictasun3878", - "server.top_level_domain": "localhost", - "service.type": "cyberark", - "source.ip": [ - "10.212.214.4" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "amvo" - }, - { - "destination.address": 
"tempor1282.www5.localhost", - "destination.port": 7699, - "event.action": "deny", - "event.code": "150", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "onu 2017-09-06 06:55:24.392538723 +0000 UTC liquaUte6729.api.localhost %CYBERARK: MessageID=\"150\";Version=1.3546;Message=deny;Issuer=atDu;Station=10.237.170.202;File=maperi;Safe=agnaaliq;Location=tlaboree;Category=norumet;RequestId=dtempo;Reason=tin;Severity=low;SourceUser=mve;TargetUser=liquide;GatewayStation=10.70.147.46;TicketID=inv;PolicyID=rroq;UserName=rcit;LogonDomain=aecatcup2241.www5.test;Address=tempor1282.www5.localhost;CPMStatus=incidid;Port=7699;Database=taedict;DeviceType=edquian;ExtraDetails=loremeu;", - "file.directory": "tlaboree", - "file.name": "maperi", - "fileset.name": "corepas", - "group.name": "mve", - "host.ip": "10.237.170.202", - "input.type": "log", - "log.level": "low", - "log.offset": 19818, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3546", - "related.hosts": [ - "aecatcup2241.www5.test", - "tempor1282.www5.localhost" - ], - "related.ip": [ - "10.237.170.202", - "10.70.147.46" - ], - "related.user": [ - "atDu", - "liquide", - "rcit" - ], - "rsa.db.database": "taedict", - "rsa.db.index": "loremeu", - "rsa.internal.event_desc": "tin", - "rsa.internal.messageid": "150", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "norumet", - "rsa.misc.disposition": "incidid", - "rsa.misc.group": "mve", - "rsa.misc.group_object": "agnaaliq", - "rsa.misc.obj_type": "edquian", - "rsa.misc.operation_id": "inv", - "rsa.misc.policy_name": "rroq", - "rsa.misc.reference_id": "150", - "rsa.misc.reference_id1": "dtempo", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3546", - "rsa.network.domain": "aecatcup2241.www5.test", - "rsa.network.host_dst": "tempor1282.www5.localhost", - "server.domain": "aecatcup2241.www5.test", - "server.registered_domain": "www5.test", - 
"server.subdomain": "aecatcup2241", - "server.top_level_domain": "test", - "service.type": "cyberark", - "source.ip": [ - "10.70.147.46" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "atDu" - }, - { - "destination.address": "mipsum2964.invalid", - "destination.port": 6825, - "event.action": "allow", - "event.code": "292", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "dmi 2017-09-20 13:57:58.652538723 +0000 UTC untexpl2847.www5.local %CYBERARK: MessageID=\"292\";Version=1.4282;Message=allow;Issuer=emoe;Station=10.179.50.138;File=ehende;Safe=eaqueip;Location=eum;Category=lamc;RequestId=umetMal;Reason=asper;Severity=high;SourceUser=metcons;TargetUser=itasper;GatewayStation=10.228.118.81;TicketID=temquiav;PolicyID=obeata;UserName=tatemU;LogonDomain=mad5185.www5.localhost;Address=mipsum2964.invalid;CPMStatus=doei;Port=6825;Database=toditaut;DeviceType=voluptat;ExtraDetails=ugit;", - "file.directory": "eum", - "file.name": "ehende", - "fileset.name": "corepas", - "group.name": "metcons", - "host.ip": "10.179.50.138", - "input.type": "log", - "log.level": "high", - "log.offset": 20339, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4282", - "related.hosts": [ - "mad5185.www5.localhost", - "mipsum2964.invalid" - ], - "related.ip": [ - "10.179.50.138", - "10.228.118.81" - ], - "related.user": [ - "emoe", - "itasper", - "tatemU" - ], - "rsa.db.database": "toditaut", - "rsa.db.index": "ugit", - "rsa.internal.event_desc": "asper", - "rsa.internal.messageid": "292", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "lamc", - "rsa.misc.disposition": "doei", - "rsa.misc.group": "metcons", - "rsa.misc.group_object": "eaqueip", - "rsa.misc.obj_type": "voluptat", - "rsa.misc.operation_id": "temquiav", - "rsa.misc.policy_name": "obeata", - "rsa.misc.reference_id": "292", - "rsa.misc.reference_id1": "umetMal", - "rsa.misc.severity": 
"high", - "rsa.misc.version": "1.4282", - "rsa.network.domain": "mad5185.www5.localhost", - "rsa.network.host_dst": "mipsum2964.invalid", - "server.domain": "mad5185.www5.localhost", - "server.registered_domain": "www5.localhost", - "server.subdomain": "mad5185", - "server.top_level_domain": "localhost", - "service.type": "cyberark", - "source.ip": [ - "10.228.118.81" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "emoe" - }, - { - "destination.address": "veniamq1236.invalid", - "destination.port": 1458, - "event.action": "cancel", - "event.code": "38", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "October 4 21:00:32 asnu %CYBERARK: MessageID=\"38\";Version=1.3806;Message=cancel;Issuer=henderit;Station=10.49.71.118;File=ationul;Safe=mquisn;Location=queips;Category=midest;RequestId=dex;Reason=ccae;Severity=medium;SourceUser=eavolup;TargetUser=emip;GatewayStation=10.234.165.130;TicketID=ntexplic;PolicyID=uto;UserName=iuntNequ;LogonDomain=esseq7889.www.invalid;Address=veniamq1236.invalid;CPMStatus=emo;Port=1458;Database=veniamqu;DeviceType=licaboN;ExtraDetails=atquo;", - "file.directory": "queips", - "file.name": "ationul", - "fileset.name": "corepas", - "group.name": "eavolup", - "host.ip": "10.49.71.118", - "input.type": "log", - "log.level": "medium", - "log.offset": 20854, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3806", - "related.hosts": [ - "esseq7889.www.invalid", - "veniamq1236.invalid" - ], - "related.ip": [ - "10.234.165.130", - "10.49.71.118" - ], - "related.user": [ - "emip", - "henderit", - "iuntNequ" - ], - "rsa.db.database": "veniamqu", - "rsa.db.index": "atquo", - "rsa.internal.event_desc": "ccae", - "rsa.internal.messageid": "38", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "midest", - "rsa.misc.disposition": "emo", - "rsa.misc.group": "eavolup", - "rsa.misc.group_object": "mquisn", - 
"rsa.misc.obj_type": "licaboN", - "rsa.misc.operation_id": "ntexplic", - "rsa.misc.policy_name": "uto", - "rsa.misc.reference_id": "38", - "rsa.misc.reference_id1": "dex", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.3806", - "rsa.network.domain": "esseq7889.www.invalid", - "rsa.network.host_dst": "veniamq1236.invalid", - "server.domain": "esseq7889.www.invalid", - "server.registered_domain": "www.invalid", - "server.subdomain": "esseq7889", - "server.top_level_domain": "invalid", - "service.type": "cyberark", - "source.ip": [ - "10.234.165.130" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "henderit" - }, - { - "event.action": "allow", - "event.code": "tatem", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "udan 2017-10-19 04:03:07.172538723 +0000 UTC yCic5749.www.localhost %CYBERARK: MessageID=\"119\";itanim 1.4024\",ProductAccount=\"olorema\",ProductProcess=\"mollita\",EventId=\"tatem\",EventClass=\"iae\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"emip\",ActingAddress=\"10.199.5.49\",ActionSourceUser=\"stquid\",ActionTargetUser=\"turadipi\",ActionObject=\"usmodi\",ActionSafe=\"ree\",ActionLocation=\"saquaea\",ActionCategory=\"ation\",ActionRequestId=\"luptas\",ActionReason=\"minim\",ActionExtraDetails=\"ataevi\"", - "file.directory": "saquaea", - "file.name": "usmodi", - "fileset.name": "corepas", - "host.ip": "10.199.5.49", - "input.type": "log", - "log.level": "low", - "log.offset": 21327, - "observer.product": "itanim", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4024", - "related.ip": [ - "10.199.5.49" - ], - "related.user": [ - "emip", - "olorema", - "turadipi" - ], - "rsa.db.index": "ataevi", - "rsa.internal.event_desc": "minim", - "rsa.internal.messageid": "119", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "ation", - "rsa.misc.group_object": "ree", - "rsa.misc.reference_id": "tatem", - 
"rsa.misc.reference_id1": "luptas", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.4024", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "emip" - }, - { - "event.action": "allow", - "event.code": "tionula", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"156\";plic 1.7053\",ProductAccount=\"utlabo\",ProductProcess=\"tetur\",EventId=\"tionula\",EventClass=\"ritqu\",EventSeverity=\"very-high\",EventMessage=\"allow\",ActingUserName=\"uamei\",ActingAddress=\"10.193.219.34\",ActionSourceUser=\"onse\",ActionTargetUser=\"olorem\",ActionObject=\"turvel\",ActionSafe=\"eratv\",ActionLocation=\"ipsa\",ActionCategory=\"asuntexp\",ActionRequestId=\"adminim\",ActionReason=\"orisni\",ActionExtraDetails=\"nse\"", - "file.directory": "ipsa", - "file.name": "turvel", - "fileset.name": "corepas", - "host.ip": "10.193.219.34", - "input.type": "log", - "log.level": "very-high", - "log.offset": 21826, - "observer.product": "plic", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7053", - "related.ip": [ - "10.193.219.34" - ], - "related.user": [ - "olorem", - "uamei", - "utlabo" - ], - "rsa.db.index": "nse", - "rsa.internal.event_desc": "orisni", - "rsa.internal.messageid": "156", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "asuntexp", - "rsa.misc.group_object": "eratv", - "rsa.misc.reference_id": "tionula", - "rsa.misc.reference_id1": "adminim", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.7053", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "uamei" - }, - { - "destination.address": "taliqui5348.mail.localdomain", - "destination.port": 6816, - "event.action": "allow", - "event.code": "202", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "November 16 18:08:15 nderi %CYBERARK: 
MessageID=\"202\";Version=1.7083;Message=allow;Issuer=animid;Station=10.120.167.217;File=atuse;Safe=ueipsa;Location=scipitl;Category=eumi;RequestId=quasiarc;Reason=olli;Severity=low;SourceUser=tetura;TargetUser=rsp;GatewayStation=10.174.185.109;TicketID=roquisqu;PolicyID=edolorin;UserName=dolorem;LogonDomain=tem6815.home;Address=taliqui5348.mail.localdomain;CPMStatus=loremag;Port=6816;Database=tsuntinc;DeviceType=inrepreh;ExtraDetails=quovo;", - "file.directory": "scipitl", - "file.name": "atuse", - "fileset.name": "corepas", - "group.name": "tetura", - "host.ip": "10.120.167.217", - "input.type": "log", - "log.level": "low", - "log.offset": 22262, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7083", - "related.hosts": [ - "taliqui5348.mail.localdomain", - "tem6815.home" - ], - "related.ip": [ - "10.120.167.217", - "10.174.185.109" - ], - "related.user": [ - "animid", - "dolorem", - "rsp" - ], - "rsa.db.database": "tsuntinc", - "rsa.db.index": "quovo", - "rsa.internal.event_desc": "olli", - "rsa.internal.messageid": "202", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "eumi", - "rsa.misc.disposition": "loremag", - "rsa.misc.group": "tetura", - "rsa.misc.group_object": "ueipsa", - "rsa.misc.obj_type": "inrepreh", - "rsa.misc.operation_id": "roquisqu", - "rsa.misc.policy_name": "edolorin", - "rsa.misc.reference_id": "202", - "rsa.misc.reference_id1": "quasiarc", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7083", - "rsa.network.domain": "tem6815.home", - "rsa.network.host_dst": "taliqui5348.mail.localdomain", - "server.domain": "tem6815.home", - "server.registered_domain": "tem6815.home", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.174.185.109" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "animid" - }, - { - "destination.address": "atnulapa3548.www.domain", - "destination.port": 5347, - 
"event.action": "cancel", - "event.code": "133", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"133\";Version=1.1432;Message=cancel;Issuer=atev;Station=10.117.137.159;File=acommodi;Safe=essecill;Location=billoi;Category=moles;RequestId=dipiscin;Reason=olup;Severity=high;SourceUser=undeomni;TargetUser=accusa;GatewayStation=10.141.213.219;TicketID=itat;PolicyID=stlaboru;UserName=ate;LogonDomain=mporainc2064.home;Address=atnulapa3548.www.domain;CPMStatus=radipisc;Port=5347;Database=nibus;DeviceType=vitaed;ExtraDetails=ser;", - "file.directory": "billoi", - "file.name": "acommodi", - "fileset.name": "corepas", - "group.name": "undeomni", - "host.ip": "10.117.137.159", - "input.type": "log", - "log.level": "high", - "log.offset": 22744, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1432", - "related.hosts": [ - "atnulapa3548.www.domain", - "mporainc2064.home" - ], - "related.ip": [ - "10.117.137.159", - "10.141.213.219" - ], - "related.user": [ - "accusa", - "ate", - "atev" - ], - "rsa.db.database": "nibus", - "rsa.db.index": "ser", - "rsa.internal.event_desc": "olup", - "rsa.internal.messageid": "133", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "moles", - "rsa.misc.disposition": "radipisc", - "rsa.misc.group": "undeomni", - "rsa.misc.group_object": "essecill", - "rsa.misc.obj_type": "vitaed", - "rsa.misc.operation_id": "itat", - "rsa.misc.policy_name": "stlaboru", - "rsa.misc.reference_id": "133", - "rsa.misc.reference_id1": "dipiscin", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.1432", - "rsa.network.domain": "mporainc2064.home", - "rsa.network.host_dst": "atnulapa3548.www.domain", - "server.domain": "mporainc2064.home", - "server.registered_domain": "mporainc2064.home", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.141.213.219" - ], - "tags": [ - 
"cyberark.corepas", - "forwarded" - ], - "user.name": "atev" - }, - { - "destination.address": "litesseq6785.host", - "destination.port": 7390, - "event.action": "cancel", - "event.code": "104", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2017-12-15 08:13:24.212538723 +0000 UTC ill6772.www.invalid %CYBERARK: MessageID=\"104\";Version=1.4043;Message=cancel;Issuer=rem;Station=10.166.90.130;File=mdolore;Safe=eosquira;Location=pta;Category=snos;RequestId=orsi;Reason=tetura;Severity=very-high;SourceUser=lorsita;TargetUser=eavol;GatewayStation=10.94.224.229;TicketID=lupta;PolicyID=npr;UserName=etconsec;LogonDomain=caboNem1043.internal.home;Address=litesseq6785.host;CPMStatus=tob;Port=7390;Database=oditempo;DeviceType=doeiu;ExtraDetails=deF;", - "file.directory": "pta", - "file.name": "mdolore", - "fileset.name": "corepas", - "group.name": "lorsita", - "host.ip": "10.166.90.130", - "input.type": "log", - "log.level": "very-high", - "log.offset": 23195, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4043", - "related.hosts": [ - "caboNem1043.internal.home", - "litesseq6785.host" - ], - "related.ip": [ - "10.166.90.130", - "10.94.224.229" - ], - "related.user": [ - "eavol", - "etconsec", - "rem" - ], - "rsa.db.database": "oditempo", - "rsa.db.index": "deF", - "rsa.internal.event_desc": "tetura", - "rsa.internal.messageid": "104", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "User", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "snos", - "rsa.misc.disposition": "tob", - "rsa.misc.group": "lorsita", - "rsa.misc.group_object": "eosquira", - "rsa.misc.obj_type": "doeiu", - "rsa.misc.operation_id": "lupta", - "rsa.misc.policy_name": "npr", - "rsa.misc.reference_id": "104", - "rsa.misc.reference_id1": "orsi", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.4043", - "rsa.network.domain": 
"caboNem1043.internal.home", - "rsa.network.host_dst": "litesseq6785.host", - "server.domain": "caboNem1043.internal.home", - "server.registered_domain": "internal.home", - "server.subdomain": "caboNem1043", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.94.224.229" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "rem" - }, - { - "destination.address": "onnu2272.mail.corp", - "destination.port": 6064, - "event.action": "deny", - "event.code": "316", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "rcitat 2017-12-29 15:15:58.472538723 +0000 UTC dolorema2984.www.home %CYBERARK: MessageID=\"316\";Version=1.2456;Message=deny;Issuer=tiumto;Station=10.38.28.151;File=nrepreh;Safe=ratv;Location=alorum;Category=mquisn;RequestId=atq;Reason=erspi;Severity=low;SourceUser=ugiatquo;TargetUser=incidid;GatewayStation=10.201.81.46;TicketID=sBonor;PolicyID=fugits;UserName=mipsumqu;LogonDomain=tatio6513.www.invalid;Address=onnu2272.mail.corp;CPMStatus=atatnon;Port=6064;Database=abor;DeviceType=magnid;ExtraDetails=adol;", - "file.directory": "alorum", - "file.name": "nrepreh", - "fileset.name": "corepas", - "group.name": "ugiatquo", - "host.ip": "10.38.28.151", - "input.type": "log", - "log.level": "low", - "log.offset": 23699, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2456", - "related.hosts": [ - "onnu2272.mail.corp", - "tatio6513.www.invalid" - ], - "related.ip": [ - "10.201.81.46", - "10.38.28.151" - ], - "related.user": [ - "incidid", - "mipsumqu", - "tiumto" - ], - "rsa.db.database": "abor", - "rsa.db.index": "adol", - "rsa.internal.event_desc": "erspi", - "rsa.internal.messageid": "316", - "rsa.investigations.ec_activity": "Modify", - "rsa.investigations.ec_theme": "Password", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "mquisn", - "rsa.misc.disposition": "atatnon", - 
"rsa.misc.group": "ugiatquo", - "rsa.misc.group_object": "ratv", - "rsa.misc.obj_type": "magnid", - "rsa.misc.operation_id": "sBonor", - "rsa.misc.policy_name": "fugits", - "rsa.misc.reference_id": "316", - "rsa.misc.reference_id1": "atq", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.2456", - "rsa.network.domain": "tatio6513.www.invalid", - "rsa.network.host_dst": "onnu2272.mail.corp", - "server.domain": "tatio6513.www.invalid", - "server.registered_domain": "www.invalid", - "server.subdomain": "tatio6513", - "server.top_level_domain": "invalid", - "service.type": "cyberark", - "source.ip": [ - "10.201.81.46" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tiumto" - }, - { - "destination.address": "llit958.www.domain", - "destination.port": 2957, - "event.action": "deny", - "event.code": "266", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "January 12 22:18:32 niam %CYBERARK: MessageID=\"266\";Version=1.2721;Message=deny;Issuer=rerepre;Station=10.214.245.95;File=quiineav;Safe=billoinv;Location=sci;Category=col;RequestId=obea;Reason=emp;Severity=medium;SourceUser=luptas;TargetUser=uptatem;GatewayStation=10.255.28.56;TicketID=inrepr;PolicyID=mol;UserName=umdolors;LogonDomain=dolori6232.api.invalid;Address=llit958.www.domain;CPMStatus=tat;Port=2957;Database=odt;DeviceType=cillumd;ExtraDetails=riosa;", - "file.directory": "sci", - "file.name": "quiineav", - "fileset.name": "corepas", - "group.name": "luptas", - "host.ip": "10.214.245.95", - "input.type": "log", - "log.level": "medium", - "log.offset": 24210, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2721", - "related.hosts": [ - "dolori6232.api.invalid", - "llit958.www.domain" - ], - "related.ip": [ - "10.214.245.95", - "10.255.28.56" - ], - "related.user": [ - "rerepre", - "umdolors", - "uptatem" - ], - "rsa.db.database": "odt", - "rsa.db.index": "riosa", - 
"rsa.internal.event_desc": "emp", - "rsa.internal.messageid": "266", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "col", - "rsa.misc.disposition": "tat", - "rsa.misc.group": "luptas", - "rsa.misc.group_object": "billoinv", - "rsa.misc.obj_type": "cillumd", - "rsa.misc.operation_id": "inrepr", - "rsa.misc.policy_name": "mol", - "rsa.misc.reference_id": "266", - "rsa.misc.reference_id1": "obea", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.2721", - "rsa.network.domain": "dolori6232.api.invalid", - "rsa.network.host_dst": "llit958.www.domain", - "server.domain": "dolori6232.api.invalid", - "server.registered_domain": "api.invalid", - "server.subdomain": "dolori6232", - "server.top_level_domain": "invalid", - "service.type": "cyberark", - "source.ip": [ - "10.255.28.56" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "rerepre" - }, - { - "event.action": "cancel", - "event.code": "nim", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "January 27 05:21:06 lapar %CYBERARK: MessageID=\"311\";ritati 1.3219\",ProductAccount=\"qui\",ProductProcess=\"otamr\",EventId=\"nim\",EventClass=\"ame\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"mip\",ActingAddress=\"10.45.35.180\",ActionSourceUser=\"mvolupta\",ActionTargetUser=\"Utenima\",ActionObject=\"iqua\",ActionSafe=\"luptat\",ActionLocation=\"deriti\",ActionCategory=\"sintocc\",ActionRequestId=\"cididu\",ActionReason=\"uteir\",ActionExtraDetails=\"boree\"", - "file.directory": "deriti", - "file.name": "iqua", - "fileset.name": "corepas", - "host.ip": "10.45.35.180", - "input.type": "log", - "log.level": "very-high", - "log.offset": 24673, - "observer.product": "ritati", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3219", - "related.ip": [ - "10.45.35.180" - ], - "related.user": [ - "Utenima", - "mip", - "qui" - ], - "rsa.db.index": "boree", - "rsa.internal.event_desc": 
"uteir", - "rsa.internal.messageid": "311", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "sintocc", - "rsa.misc.group_object": "luptat", - "rsa.misc.reference_id": "nim", - "rsa.misc.reference_id1": "cididu", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3219", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "mip" - }, - { - "event.action": "accept", - "event.code": "scivel", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "February 10 12:23:41 diduntu %CYBERARK: MessageID=\"285\";eiusmod 1.7546\",ProductAccount=\"ess\",ProductProcess=\"uide\",EventId=\"scivel\",EventClass=\"henderi\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"enim\",ActingAddress=\"10.141.200.133\",ActionSourceUser=\"ersp\",ActionTargetUser=\"iame\",ActionObject=\"orroquis\",ActionSafe=\"aquio\",ActionLocation=\"riatu\",ActionCategory=\"loinve\",ActionRequestId=\"tanimid\",ActionReason=\"isnostru\",ActionExtraDetails=\"nofdeFi\"", - "file.directory": "riatu", - "file.name": "orroquis", - "fileset.name": "corepas", - "host.ip": "10.141.200.133", - "input.type": "log", - "log.level": "low", - "log.offset": 25131, - "observer.product": "eiusmod", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7546", - "related.ip": [ - "10.141.200.133" - ], - "related.user": [ - "enim", - "ess", - "iame" - ], - "rsa.db.index": "nofdeFi", - "rsa.internal.event_desc": "isnostru", - "rsa.internal.messageid": "285", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "loinve", - "rsa.misc.group_object": "aquio", - "rsa.misc.reference_id": "scivel", - "rsa.misc.reference_id1": "tanimid", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7546", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "enim" - }, - { - "event.action": "accept", - "event.code": "rationev", - 
"event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"155\";ulap 1.3765\",ProductAccount=\"illoi\",ProductProcess=\"reetdolo\",EventId=\"rationev\",EventClass=\"ehender\",EventSeverity=\"medium\",EventMessage=\"accept\",ActingUserName=\"ugi\",ActingAddress=\"10.83.238.145\",ActionSourceUser=\"ptatems\",ActionTargetUser=\"runtmo\",ActionObject=\"ore\",ActionSafe=\"isund\",ActionLocation=\"exerci\",ActionCategory=\"tas\",ActionRequestId=\"oraincid\",ActionReason=\"quaer\",ActionExtraDetails=\"eetdo\"", - "file.directory": "exerci", - "file.name": "ore", - "fileset.name": "corepas", - "host.ip": "10.83.238.145", - "input.type": "log", - "log.level": "medium", - "log.offset": 25596, - "observer.product": "ulap", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3765", - "related.ip": [ - "10.83.238.145" - ], - "related.user": [ - "illoi", - "runtmo", - "ugi" - ], - "rsa.db.index": "eetdo", - "rsa.internal.event_desc": "quaer", - "rsa.internal.messageid": "155", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "tas", - "rsa.misc.group_object": "isund", - "rsa.misc.reference_id": "rationev", - "rsa.misc.reference_id1": "oraincid", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.3765", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ugi" - }, - { - "destination.address": "llamc6724.www.lan", - "destination.port": 4020, - "event.action": "block", - "event.code": "48", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2018-03-11 02:28:49.772538723 +0000 UTC aali6869.api.localdomain %CYBERARK: 
MessageID=\"48\";Version=1.3147;Message=block;Issuer=sedquiac;Station=10.39.143.155;File=ipsaqu;Safe=nisiut;Location=rumwri;Category=velill;RequestId=ore;Reason=tation;Severity=very-high;SourceUser=porincid;TargetUser=tperspic;GatewayStation=10.41.89.217;TicketID=ict;PolicyID=squirati;UserName=tem;LogonDomain=mestq2106.api.host;Address=llamc6724.www.lan;CPMStatus=tesseci;Port=4020;Database=radipis;DeviceType=cive;ExtraDetails=nse;", - "file.directory": "rumwri", - "file.name": "ipsaqu", - "fileset.name": "corepas", - "group.name": "porincid", - "host.ip": "10.39.143.155", - "input.type": "log", - "log.level": "very-high", - "log.offset": 26032, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3147", - "related.hosts": [ - "llamc6724.www.lan", - "mestq2106.api.host" - ], - "related.ip": [ - "10.39.143.155", - "10.41.89.217" - ], - "related.user": [ - "sedquiac", - "tem", - "tperspic" - ], - "rsa.db.database": "radipis", - "rsa.db.index": "nse", - "rsa.internal.event_desc": "tation", - "rsa.internal.messageid": "48", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "velill", - "rsa.misc.disposition": "tesseci", - "rsa.misc.group": "porincid", - "rsa.misc.group_object": "nisiut", - "rsa.misc.obj_type": "cive", - "rsa.misc.operation_id": "ict", - "rsa.misc.policy_name": "squirati", - "rsa.misc.reference_id": "48", - "rsa.misc.reference_id1": "ore", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3147", - "rsa.network.domain": "mestq2106.api.host", - "rsa.network.host_dst": "llamc6724.www.lan", - "server.domain": "mestq2106.api.host", - "server.registered_domain": "api.host", - "server.subdomain": "mestq2106", - "server.top_level_domain": "host", - "service.type": "cyberark", - "source.ip": [ - "10.41.89.217" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "sedquiac" - }, - { - "destination.address": "reseosqu1629.mail.lan", - "destination.port": 5325, - 
"event.action": "accept", - "event.code": "378", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "isnisiu 2018-03-25 09:31:24.032538723 +0000 UTC suntincu2940.www5.domain %CYBERARK: MessageID=\"378\";Version=1.6382;Message=accept;Issuer=minim;Station=10.5.5.1;File=reseosq;Safe=gna;Location=isiutali;Category=lumqu;RequestId=onulamco;Reason=ons;Severity=low;SourceUser=uptat;TargetUser=unt;GatewayStation=10.153.123.20;TicketID=tla;PolicyID=mquiad;UserName=CSe;LogonDomain=lors7553.api.local;Address=reseosqu1629.mail.lan;CPMStatus=utemvel;Port=5325;Database=atu;DeviceType=iusm;ExtraDetails=roi;", - "file.directory": "isiutali", - "file.name": "reseosq", - "fileset.name": "corepas", - "group.name": "uptat", - "host.ip": "10.5.5.1", - "input.type": "log", - "log.level": "low", - "log.offset": 26541, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6382", - "related.hosts": [ - "lors7553.api.local", - "reseosqu1629.mail.lan" - ], - "related.ip": [ - "10.153.123.20", - "10.5.5.1" - ], - "related.user": [ - "CSe", - "minim", - "unt" - ], - "rsa.db.database": "atu", - "rsa.db.index": "roi", - "rsa.internal.event_desc": "ons", - "rsa.internal.messageid": "378", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "lumqu", - "rsa.misc.disposition": "utemvel", - "rsa.misc.group": "uptat", - "rsa.misc.group_object": "gna", - "rsa.misc.obj_type": "iusm", - "rsa.misc.operation_id": "tla", - "rsa.misc.policy_name": "mquiad", - "rsa.misc.reference_id": "378", - "rsa.misc.reference_id1": "onulamco", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.6382", - "rsa.network.domain": "lors7553.api.local", - "rsa.network.host_dst": "reseosqu1629.mail.lan", - "server.domain": "lors7553.api.local", - "server.registered_domain": "api.local", - "server.subdomain": "lors7553", - "server.top_level_domain": "local", - "service.type": "cyberark", - "source.ip": [ - 
"10.153.123.20" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "minim" - }, - { - "destination.address": "orumSe4514.www.corp", - "destination.port": 80, - "event.action": "deny", - "event.code": "269", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2018-04-08 16:33:58.292538723 +0000 UTC rere5274.mail.domain %CYBERARK: MessageID=\"269\";Version=1.3193;Message=deny;Issuer=iamea;Station=10.210.61.109;File=tiumto;Safe=cor;Location=odoco;Category=oin;RequestId=itseddoe;Reason=elites;Severity=low;SourceUser=uamei;TargetUser=eursinto;GatewayStation=10.168.132.175;TicketID=licaboNe;PolicyID=tautfug;UserName=giatquov;LogonDomain=olu5333.www.domain;Address=orumSe4514.www.corp;CPMStatus=umquam;Port=80;Database=ici;DeviceType=nisiuta;ExtraDetails=iquaUt;", - "file.directory": "odoco", - "file.name": "tiumto", - "fileset.name": "corepas", - "group.name": "uamei", - "host.ip": "10.210.61.109", - "input.type": "log", - "log.level": "low", - "log.offset": 27038, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3193", - "related.hosts": [ - "olu5333.www.domain", - "orumSe4514.www.corp" - ], - "related.ip": [ - "10.168.132.175", - "10.210.61.109" - ], - "related.user": [ - "eursinto", - "giatquov", - "iamea" - ], - "rsa.db.database": "ici", - "rsa.db.index": "iquaUt", - "rsa.internal.event_desc": "elites", - "rsa.internal.messageid": "269", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "oin", - "rsa.misc.disposition": "umquam", - "rsa.misc.group": "uamei", - "rsa.misc.group_object": "cor", - "rsa.misc.obj_type": "nisiuta", - "rsa.misc.operation_id": "licaboNe", - "rsa.misc.policy_name": "tautfug", - "rsa.misc.reference_id": "269", - "rsa.misc.reference_id1": "itseddoe", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3193", - "rsa.network.domain": "olu5333.www.domain", - "rsa.network.host_dst": "orumSe4514.www.corp", - 
"server.domain": "olu5333.www.domain", - "server.registered_domain": "www.domain", - "server.subdomain": "olu5333", - "server.top_level_domain": "domain", - "service.type": "cyberark", - "source.ip": [ - "10.168.132.175" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "iamea" - }, - { - "event.action": "accept", - "event.code": "olup", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"176\";atnula 1.5038\",ProductAccount=\"lmo\",ProductProcess=\"iquidex\",EventId=\"olup\",EventClass=\"remipsu\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"quiac\",ActingAddress=\"10.123.154.17\",ActionSourceUser=\"etdol\",ActionTargetUser=\"dolorsi\",ActionObject=\"nturmag\",ActionSafe=\"tura\",ActionLocation=\"osquirat\",ActionCategory=\"equat\",ActionRequestId=\"aliquid\",ActionReason=\"usantiu\",ActionExtraDetails=\"idunt\"", - "file.directory": "osquirat", - "file.name": "nturmag", - "fileset.name": "corepas", - "host.ip": "10.123.154.17", - "input.type": "log", - "log.level": "low", - "log.offset": 27541, - "observer.product": "atnula", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5038", - "related.ip": [ - "10.123.154.17" - ], - "related.user": [ - "dolorsi", - "lmo", - "quiac" - ], - "rsa.db.index": "idunt", - "rsa.internal.event_desc": "usantiu", - "rsa.internal.messageid": "176", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "equat", - "rsa.misc.group_object": "tura", - "rsa.misc.reference_id": "olup", - "rsa.misc.reference_id1": "aliquid", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.5038", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "quiac" - }, - { - "event.action": "deny", - "event.code": "lpaquiof", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"4\";min 
1.136\",ProductAccount=\"xplic\",ProductProcess=\"eseruntm\",EventId=\"lpaquiof\",EventClass=\"oloreeu\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"etquasia\",ActingAddress=\"10.169.123.103\",ActionSourceUser=\"riatur\",ActionTargetUser=\"oeni\",ActionObject=\"dol\",ActionSafe=\"dol\",ActionLocation=\"atur\",ActionCategory=\"issu\",ActionRequestId=\"identsu\",ActionReason=\"piscivel\",ActionExtraDetails=\"hend\"", - "event.outcome": "failure", - "file.directory": "atur", - "file.name": "dol", - "fileset.name": "corepas", - "host.ip": "10.169.123.103", - "input.type": "log", - "log.level": "very-high", - "log.offset": 27978, - "observer.product": "min", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.136", - "related.ip": [ - "10.169.123.103" - ], - "related.user": [ - "etquasia", - "oeni", - "xplic" - ], - "rsa.db.index": "hend", - "rsa.internal.event_desc": "piscivel", - "rsa.internal.messageid": "4", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "issu", - "rsa.misc.group_object": "dol", - "rsa.misc.reference_id": "lpaquiof", - "rsa.misc.reference_id1": "identsu", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.136", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "etquasia" - }, - { - "event.action": "cancel", - "event.code": "scipi", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"276\";aer 
1.7744\",ProductAccount=\"iati\",ProductProcess=\"minim\",EventId=\"scipi\",EventClass=\"tur\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"Nemoenim\",ActingAddress=\"10.126.205.76\",ActionSourceUser=\"etur\",ActionTargetUser=\"rsitvol\",ActionObject=\"utali\",ActionSafe=\"sed\",ActionLocation=\"xeac\",ActionCategory=\"umdolors\",ActionRequestId=\"lumdo\",ActionReason=\"acom\",ActionExtraDetails=\"eFini\"", - "file.directory": "xeac", - "file.name": "utali", - "fileset.name": "corepas", - "host.ip": "10.126.205.76", - "input.type": "log", - "log.level": "very-high", - "log.offset": 28412, - "observer.product": "aer", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7744", - "related.ip": [ - "10.126.205.76" - ], - "related.user": [ - "Nemoenim", - "iati", - "rsitvol" - ], - "rsa.db.index": "eFini", - "rsa.internal.event_desc": "acom", - "rsa.internal.messageid": "276", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "umdolors", - "rsa.misc.group_object": "sed", - "rsa.misc.reference_id": "scipi", - "rsa.misc.reference_id1": "lumdo", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.7744", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "Nemoenim" - }, - { - "destination.address": "mmodoco2581.www5.host", - "destination.port": 3575, - "event.action": "accept", - "event.code": "38", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "June 4 20:44:15 uovol %CYBERARK: 
MessageID=\"38\";Version=1.3184;Message=accept;Issuer=eufug;Station=10.164.66.154;File=est;Safe=civelits;Location=ici;Category=snulap;RequestId=enimadm;Reason=stenatu;Severity=very-high;SourceUser=sitvo;TargetUser=ine;GatewayStation=10.169.101.161;TicketID=itessequ;PolicyID=iusmodit;UserName=orissu;LogonDomain=fic5107.home;Address=mmodoco2581.www5.host;CPMStatus=isiutali;Port=3575;Database=stquidol;DeviceType=Nemoenim;ExtraDetails=imadmini;", - "file.directory": "ici", - "file.name": "est", - "fileset.name": "corepas", - "group.name": "sitvo", - "host.ip": "10.164.66.154", - "input.type": "log", - "log.level": "very-high", - "log.offset": 28841, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3184", - "related.hosts": [ - "fic5107.home", - "mmodoco2581.www5.host" - ], - "related.ip": [ - "10.164.66.154", - "10.169.101.161" - ], - "related.user": [ - "eufug", - "ine", - "orissu" - ], - "rsa.db.database": "stquidol", - "rsa.db.index": "imadmini", - "rsa.internal.event_desc": "stenatu", - "rsa.internal.messageid": "38", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "snulap", - "rsa.misc.disposition": "isiutali", - "rsa.misc.group": "sitvo", - "rsa.misc.group_object": "civelits", - "rsa.misc.obj_type": "Nemoenim", - "rsa.misc.operation_id": "itessequ", - "rsa.misc.policy_name": "iusmodit", - "rsa.misc.reference_id": "38", - "rsa.misc.reference_id1": "enimadm", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3184", - "rsa.network.domain": "fic5107.home", - "rsa.network.host_dst": "mmodoco2581.www5.host", - "server.domain": "fic5107.home", - "server.registered_domain": "fic5107.home", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.169.101.161" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "eufug" - }, - { - "event.action": "block", - "event.code": "ons", - "event.dataset": "cyberark.corepas", - 
"event.module": "cyberark", - "event.original": "amvo 2018-06-19 03:46:49.592538723 +0000 UTC tnul6235.www5.lan %CYBERARK: MessageID=\"79\";isau 1.1480\",ProductAccount=\"ihilmole\",ProductProcess=\"saquaea\",EventId=\"ons\",EventClass=\"orsitam\",EventSeverity=\"medium\",EventMessage=\"block\",ActingUserName=\"metco\",ActingAddress=\"10.70.83.200\",ActionSourceUser=\"riame\",ActionTargetUser=\"riat\",ActionObject=\"sseq\",ActionSafe=\"eriam\",ActionLocation=\"pernat\",ActionCategory=\"udan\",ActionRequestId=\"archi\",ActionReason=\"iutaliq\",ActionExtraDetails=\"urQuis\"", - "file.directory": "pernat", - "file.name": "sseq", - "fileset.name": "corepas", - "host.ip": "10.70.83.200", - "input.type": "log", - "log.level": "medium", - "log.offset": 29317, - "observer.product": "isau", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1480", - "related.ip": [ - "10.70.83.200" - ], - "related.user": [ - "ihilmole", - "metco", - "riat" - ], - "rsa.db.index": "urQuis", - "rsa.internal.event_desc": "iutaliq", - "rsa.internal.messageid": "79", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "udan", - "rsa.misc.group_object": "eriam", - "rsa.misc.reference_id": "ons", - "rsa.misc.reference_id1": "archi", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.1480", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "metco" - }, - { - "destination.address": "oremqu7663.local", - "destination.port": 5816, - "event.action": "block", - "event.code": "53", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "July 3 10:49:23 orum %CYBERARK: 
MessageID=\"53\";Version=1.4887;Message=block;Issuer=madminim;Station=10.207.97.192;File=quio;Safe=eom;Location=teni;Category=ipiscive;RequestId=dant;Reason=etdolor;Severity=high;SourceUser=paria;TargetUser=mmod;GatewayStation=10.134.55.11;TicketID=amqu;PolicyID=lorsitam;UserName=tanimid;LogonDomain=onpr47.api.home;Address=oremqu7663.local;CPMStatus=llumq;Port=5816;Database=tetura;DeviceType=rumet;ExtraDetails=uptasnul;", - "file.directory": "teni", - "file.name": "quio", - "fileset.name": "corepas", - "group.name": "paria", - "host.ip": "10.207.97.192", - "input.type": "log", - "log.level": "high", - "log.offset": 29810, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4887", - "related.hosts": [ - "onpr47.api.home", - "oremqu7663.local" - ], - "related.ip": [ - "10.134.55.11", - "10.207.97.192" - ], - "related.user": [ - "madminim", - "mmod", - "tanimid" - ], - "rsa.db.database": "tetura", - "rsa.db.index": "uptasnul", - "rsa.internal.event_desc": "etdolor", - "rsa.internal.messageid": "53", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "ipiscive", - "rsa.misc.disposition": "llumq", - "rsa.misc.group": "paria", - "rsa.misc.group_object": "eom", - "rsa.misc.obj_type": "rumet", - "rsa.misc.operation_id": "amqu", - "rsa.misc.policy_name": "lorsitam", - "rsa.misc.reference_id": "53", - "rsa.misc.reference_id1": "dant", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.4887", - "rsa.network.domain": "onpr47.api.home", - "rsa.network.host_dst": "oremqu7663.local", - "server.domain": "onpr47.api.home", - "server.registered_domain": "api.home", - "server.subdomain": "onpr47", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.134.55.11" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "madminim" - }, - { - "destination.address": "eve234.www5.local", - "destination.port": 2783, - "event.action": "cancel", - "event.code": 
"75", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2018-07-17 17:51:58.112538723 +0000 UTC nde2358.mail.corp %CYBERARK: MessageID=\"75\";Version=1.3601;Message=cancel;Issuer=texplica;Station=10.52.150.104;File=esse;Safe=veniam;Location=edquian;Category=sus;RequestId=imavenia;Reason=expli;Severity=low;SourceUser=orum;TargetUser=oinBCSed;GatewayStation=10.31.187.19;TicketID=ilm;PolicyID=mvel;UserName=eritq;LogonDomain=rehen4859.api.host;Address=eve234.www5.local;CPMStatus=nula;Port=2783;Database=lit;DeviceType=santi;ExtraDetails=ritati;", - "file.directory": "edquian", - "file.name": "esse", - "fileset.name": "corepas", - "group.name": "orum", - "host.ip": "10.52.150.104", - "input.type": "log", - "log.level": "low", - "log.offset": 30264, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3601", - "related.hosts": [ - "eve234.www5.local", - "rehen4859.api.host" - ], - "related.ip": [ - "10.31.187.19", - "10.52.150.104" - ], - "related.user": [ - "eritq", - "oinBCSed", - "texplica" - ], - "rsa.db.database": "lit", - "rsa.db.index": "ritati", - "rsa.internal.event_desc": "expli", - "rsa.internal.messageid": "75", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "sus", - "rsa.misc.disposition": "nula", - "rsa.misc.group": "orum", - "rsa.misc.group_object": "veniam", - "rsa.misc.obj_type": "santi", - "rsa.misc.operation_id": "ilm", - "rsa.misc.policy_name": "mvel", - "rsa.misc.reference_id": "75", - "rsa.misc.reference_id1": "imavenia", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3601", - "rsa.network.domain": "rehen4859.api.host", - "rsa.network.host_dst": "eve234.www5.local", - "server.domain": "rehen4859.api.host", - "server.registered_domain": "api.host", - "server.subdomain": "rehen4859", - "server.top_level_domain": "host", - "service.type": "cyberark", - "source.ip": [ - "10.31.187.19" - ], - "tags": [ - "cyberark.corepas", - 
"forwarded" - ], - "user.name": "texplica" - }, - { - "destination.address": "fficia2304.www5.home", - "destination.port": 2396, - "event.action": "allow", - "event.code": "89", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "dip 2018-08-01 00:54:32.372538723 +0000 UTC idolo5292.local %CYBERARK: MessageID=\"89\";Version=1.3175;Message=allow;Issuer=runtm;Station=10.41.232.147;File=psumd;Safe=oloree;Location=seos;Category=rios;RequestId=labo;Reason=lpaquiof;Severity=high;SourceUser=mcorpo;TargetUser=ntexpl;GatewayStation=10.61.175.217;TicketID=enbyCi;PolicyID=reetdo;UserName=tat;LogonDomain=eufugia4481.corp;Address=fficia2304.www5.home;CPMStatus=vel;Port=2396;Database=rere;DeviceType=pta;ExtraDetails=nonn;", - "file.directory": "seos", - "file.name": "psumd", - "fileset.name": "corepas", - "group.name": "mcorpo", - "host.ip": "10.41.232.147", - "input.type": "log", - "log.level": "high", - "log.offset": 30752, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3175", - "related.hosts": [ - "eufugia4481.corp", - "fficia2304.www5.home" - ], - "related.ip": [ - "10.41.232.147", - "10.61.175.217" - ], - "related.user": [ - "ntexpl", - "runtm", - "tat" - ], - "rsa.db.database": "rere", - "rsa.db.index": "nonn", - "rsa.internal.event_desc": "lpaquiof", - "rsa.internal.messageid": "89", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "rios", - "rsa.misc.disposition": "vel", - "rsa.misc.group": "mcorpo", - "rsa.misc.group_object": "oloree", - "rsa.misc.obj_type": "pta", - "rsa.misc.operation_id": "enbyCi", - "rsa.misc.policy_name": "reetdo", - "rsa.misc.reference_id": "89", - "rsa.misc.reference_id1": "labo", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.3175", - "rsa.network.domain": "eufugia4481.corp", - "rsa.network.host_dst": "fficia2304.www5.home", - "server.domain": "eufugia4481.corp", - "server.registered_domain": "eufugia4481.corp", - 
"server.top_level_domain": "corp", - "service.type": "cyberark", - "source.ip": [ - "10.61.175.217" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "runtm" - }, - { - "event.action": "deny", - "event.code": "ntut", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "August 15 07:57:06 volup %CYBERARK: MessageID=\"261\";ptate 1.3830\",ProductAccount=\"uisnos\",ProductProcess=\"quamqua\",EventId=\"ntut\",EventClass=\"mag\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"mini\",ActingAddress=\"10.150.30.95\",ActionSourceUser=\"tur\",ActionTargetUser=\"atnonpr\",ActionObject=\"ita\",ActionSafe=\"amquaer\",ActionLocation=\"aqui\",ActionCategory=\"enby\",ActionRequestId=\"lpa\",ActionReason=\"isn\",ActionExtraDetails=\"smod\"", - "file.directory": "aqui", - "file.name": "ita", - "fileset.name": "corepas", - "host.ip": "10.150.30.95", - "input.type": "log", - "log.level": "very-high", - "log.offset": 31238, - "observer.product": "ptate", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3830", - "related.ip": [ - "10.150.30.95" - ], - "related.user": [ - "atnonpr", - "mini", - "uisnos" - ], - "rsa.db.index": "smod", - "rsa.internal.event_desc": "isn", - "rsa.internal.messageid": "261", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "enby", - "rsa.misc.group_object": "amquaer", - "rsa.misc.reference_id": "ntut", - "rsa.misc.reference_id1": "lpa", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3830", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "mini" - }, - { - "event.action": "deny", - "event.code": "inesciu", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "August 29 14:59:40 siuta %CYBERARK: MessageID=\"66\";atev 
1.6626\",ProductAccount=\"CSe\",ProductProcess=\"exerci\",EventId=\"inesciu\",EventClass=\"quid\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"onse\",ActingAddress=\"10.98.71.45\",ActionSourceUser=\"destla\",ActionTargetUser=\"fugitse\",ActionObject=\"minimve\",ActionSafe=\"serrorsi\",ActionLocation=\"tametco\",ActionCategory=\"mquisnos\",ActionRequestId=\"lore\",ActionReason=\"isci\",ActionExtraDetails=\"Dui\"", - "file.directory": "tametco", - "file.name": "minimve", - "fileset.name": "corepas", - "host.ip": "10.98.71.45", - "input.type": "log", - "log.level": "high", - "log.offset": 31683, - "observer.product": "atev", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6626", - "related.ip": [ - "10.98.71.45" - ], - "related.user": [ - "CSe", - "fugitse", - "onse" - ], - "rsa.db.index": "Dui", - "rsa.internal.event_desc": "isci", - "rsa.internal.messageid": "66", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "mquisnos", - "rsa.misc.group_object": "serrorsi", - "rsa.misc.reference_id": "inesciu", - "rsa.misc.reference_id1": "lore", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.6626", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "onse" - }, - { - "event.action": "deny", - "event.code": "ianonnum", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "lup 2018-09-12 22:02:15.152538723 +0000 UTC iumtotam1010.www5.corp %CYBERARK: MessageID=\"168\";userror 1.5986\",ProductAccount=\"nonn\",ProductProcess=\"hite\",EventId=\"ianonnum\",EventClass=\"nofdeFi\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"remq\",ActingAddress=\"10.252.251.143\",ActionSourceUser=\"velill\",ActionTargetUser=\"rspic\",ActionObject=\"orinrepr\",ActionSafe=\"ror\",ActionLocation=\"onsecte\",ActionCategory=\"doei\",ActionRequestId=\"nvolupta\",ActionReason=\"tev\",ActionExtraDetails=\"nre\"", - "file.directory": 
"onsecte", - "file.name": "orinrepr", - "fileset.name": "corepas", - "host.ip": "10.252.251.143", - "input.type": "log", - "log.level": "medium", - "log.offset": 32136, - "observer.product": "userror", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5986", - "related.ip": [ - "10.252.251.143" - ], - "related.user": [ - "nonn", - "remq", - "rspic" - ], - "rsa.db.index": "nre", - "rsa.internal.event_desc": "tev", - "rsa.internal.messageid": "168", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "doei", - "rsa.misc.group_object": "ror", - "rsa.misc.reference_id": "ianonnum", - "rsa.misc.reference_id1": "nvolupta", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5986", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "remq" - }, - { - "event.action": "accept", - "event.code": "lupta", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"274\";lumdolor 1.4706\",ProductAccount=\"eserun\",ProductProcess=\"rvelill\",EventId=\"lupta\",EventClass=\"byC\",EventSeverity=\"high\",EventMessage=\"accept\",ActingUserName=\"uta\",ActingAddress=\"10.197.203.167\",ActionSourceUser=\"ulapa\",ActionTargetUser=\"iumdo\",ActionObject=\"iusmodit\",ActionSafe=\"aturv\",ActionLocation=\"ectetura\",ActionCategory=\"obeataev\",ActionRequestId=\"umf\",ActionReason=\"olesti\",ActionExtraDetails=\"smo\"", - "file.directory": "ectetura", - "file.name": "iusmodit", - "fileset.name": "corepas", - "host.ip": "10.197.203.167", - "input.type": "log", - "log.level": "high", - "log.offset": 32636, - "observer.product": "lumdolor", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4706", - "related.ip": [ - "10.197.203.167" - ], - "related.user": [ - "eserun", - "iumdo", - "uta" - ], - "rsa.db.index": "smo", - "rsa.internal.event_desc": "olesti", - "rsa.internal.messageid": "274", - "rsa.misc.action": 
[ - "accept" - ], - "rsa.misc.category": "obeataev", - "rsa.misc.group_object": "aturv", - "rsa.misc.reference_id": "lupta", - "rsa.misc.reference_id1": "umf", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.4706", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "uta" - }, - { - "event.action": "accept", - "event.code": "tten", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "tDuis 2018-10-11 12:07:23.672538723 +0000 UTC iqu1643.www.host %CYBERARK: MessageID=\"96\";inim 1.6806\",ProductAccount=\"ibusBo\",ProductProcess=\"untincu\",EventId=\"tten\",EventClass=\"etur\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"enima\",ActingAddress=\"10.187.170.23\",ActionSourceUser=\"sequ\",ActionTargetUser=\"sectetu\",ActionObject=\"evi\",ActionSafe=\"tionula\",ActionLocation=\"accus\",ActionCategory=\"uatu\",ActionRequestId=\"mquis\",ActionReason=\"lab\",ActionExtraDetails=\"uido\"", - "file.directory": "accus", - "file.name": "evi", - "fileset.name": "corepas", - "host.ip": "10.187.170.23", - "input.type": "log", - "log.level": "low", - "log.offset": 33071, - "observer.product": "inim", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6806", - "related.ip": [ - "10.187.170.23" - ], - "related.user": [ - "enima", - "ibusBo", - "sectetu" - ], - "rsa.db.index": "uido", - "rsa.internal.event_desc": "lab", - "rsa.internal.messageid": "96", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "uatu", - "rsa.misc.group_object": "tionula", - "rsa.misc.reference_id": "tten", - "rsa.misc.reference_id1": "mquis", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.6806", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "enima" - }, - { - "destination.address": "udexerc2708.api.test", - "destination.port": 505, - "event.action": "allow", - "event.code": "61", - 
"event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2018-10-25 19:09:57.932538723 +0000 UTC nimadmin5577.corp %CYBERARK: MessageID=\"61\";Version=1.3824;Message=allow;Issuer=tinculpa;Station=10.123.62.215;File=rumSecti;Safe=riamea;Location=eca;Category=oluptate;RequestId=Duisa;Reason=consequa;Severity=low;SourceUser=iaecon;TargetUser=aevitaed;GatewayStation=10.250.248.215;TicketID=remap;PolicyID=deri;UserName=quaeratv;LogonDomain=involu1450.www.localhost;Address=udexerc2708.api.test;CPMStatus=odic;Port=505;Database=lica;DeviceType=secil;ExtraDetails=uisnos;", - "file.directory": "eca", - "file.name": "rumSecti", - "fileset.name": "corepas", - "group.name": "iaecon", - "host.ip": "10.123.62.215", - "input.type": "log", - "log.level": "low", - "log.offset": 33555, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3824", - "related.hosts": [ - "involu1450.www.localhost", - "udexerc2708.api.test" - ], - "related.ip": [ - "10.123.62.215", - "10.250.248.215" - ], - "related.user": [ - "aevitaed", - "quaeratv", - "tinculpa" - ], - "rsa.db.database": "lica", - "rsa.db.index": "uisnos", - "rsa.internal.event_desc": "consequa", - "rsa.internal.messageid": "61", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "oluptate", - "rsa.misc.disposition": "odic", - "rsa.misc.group": "iaecon", - "rsa.misc.group_object": "riamea", - "rsa.misc.obj_type": "secil", - "rsa.misc.operation_id": "remap", - "rsa.misc.policy_name": "deri", - "rsa.misc.reference_id": "61", - "rsa.misc.reference_id1": "Duisa", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3824", - "rsa.network.domain": "involu1450.www.localhost", - "rsa.network.host_dst": "udexerc2708.api.test", - "server.domain": "involu1450.www.localhost", - "server.registered_domain": "www.localhost", - "server.subdomain": "involu1450", - "server.top_level_domain": "localhost", - "service.type": "cyberark", - "source.ip": 
[ - "10.250.248.215" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tinculpa" - }, - { - "destination.address": "temvele5776.www.test", - "destination.port": 864, - "event.action": "block", - "event.code": "372", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "scipit 2018-11-09 02:12:32.192538723 +0000 UTC lloinve551.internal.local %CYBERARK: MessageID=\"372\";Version=1.3759;Message=block;Issuer=isiutali;Station=10.146.57.23;File=evit;Safe=tno;Location=iss;Category=taspe;RequestId=lum;Reason=xerc;Severity=high;GatewayStation=10.147.154.118;TicketID=nvol;PolicyID=enimadmi;UserName=tateveli;LogonDomain=osa3211.www5.example;Address=temvele5776.www.test;CPMStatus=inimve;Port=\"864\";Database=cin;DeviceType=tmo;ExtraDetails=onofdeF;", - "file.directory": "iss", - "file.name": "evit", - "fileset.name": "corepas", - "host.ip": "10.146.57.23", - "input.type": "log", - "log.level": "high", - "log.offset": 34065, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3759", - "related.hosts": [ - "osa3211.www5.example", - "temvele5776.www.test" - ], - "related.ip": [ - "10.146.57.23", - "10.147.154.118" - ], - "related.user": [ - "isiutali", - "tateveli" - ], - "rsa.db.database": "cin", - "rsa.db.index": "onofdeF", - "rsa.internal.event_desc": "xerc", - "rsa.internal.messageid": "372", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "taspe", - "rsa.misc.disposition": "inimve", - "rsa.misc.group_object": "tno", - "rsa.misc.obj_type": "tmo", - "rsa.misc.operation_id": "nvol", - "rsa.misc.policy_name": "enimadmi", - "rsa.misc.reference_id": "372", - "rsa.misc.reference_id1": "lum", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.3759", - "rsa.network.domain": "osa3211.www5.example", - "rsa.network.host_dst": "temvele5776.www.test", - "server.domain": "osa3211.www5.example", - "server.registered_domain": "www5.example", - 
"server.subdomain": "osa3211", - "server.top_level_domain": "example", - "service.type": "cyberark", - "source.ip": [ - "10.147.154.118" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "isiutali" - }, - { - "event.action": "cancel", - "event.code": "tlabo", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "its 2018-11-23 09:15:06.452538723 +0000 UTC uptasnul2751.www5.corp %CYBERARK: MessageID=\"232\";ostrudex 1.4542\",ProductAccount=\"niamqui\",ProductProcess=\"usmodite\",EventId=\"tlabo\",EventClass=\"tatemse\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"uamestqu\",ActingAddress=\"10.193.33.201\",ActionSourceUser=\"hender\",ActionTargetUser=\"ptatemU\",ActionObject=\"seq\",ActionSafe=\"rumSe\",ActionLocation=\"tatnonp\",ActionCategory=\"ommo\",ActionRequestId=\"adeser\",ActionReason=\"uasiarc\",ActionExtraDetails=\"doeiu\"", - "file.directory": "tatnonp", - "file.name": "seq", - "fileset.name": "corepas", - "host.ip": "10.193.33.201", - "input.type": "log", - "log.level": "very-high", - "log.offset": 34538, - "observer.product": "ostrudex", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4542", - "related.ip": [ - "10.193.33.201" - ], - "related.user": [ - "niamqui", - "ptatemU", - "uamestqu" - ], - "rsa.db.index": "doeiu", - "rsa.internal.event_desc": "uasiarc", - "rsa.internal.messageid": "232", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "ommo", - "rsa.misc.group_object": "rumSe", - "rsa.misc.reference_id": "tlabo", - "rsa.misc.reference_id1": "adeser", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.4542", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "uamestqu" - }, - { - "event.action": "block", - "event.code": "iuntN", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2018-12-07 16:17:40.712538723 +0000 UTC 
atuserro6791.internal.host %CYBERARK: MessageID=\"24\";upta 1.313\",ProductAccount=\"onnumqua\",ProductProcess=\"quioff\",EventId=\"iuntN\",EventClass=\"ipis\",EventSeverity=\"low\",EventMessage=\"block\",ActingUserName=\"nesci\",ActingAddress=\"10.154.172.82\",ActionSourceUser=\"lorsi\",ActionTargetUser=\"tetura\",ActionObject=\"eeufug\",ActionSafe=\"edutper\",ActionLocation=\"tevelite\",ActionCategory=\"tocca\",ActionRequestId=\"orsitvol\",ActionReason=\"ntor\",ActionExtraDetails=\"oinBCSed\"", - "file.directory": "tevelite", - "file.name": "eeufug", - "fileset.name": "corepas", - "host.ip": "10.154.172.82", - "input.type": "log", - "log.level": "low", - "log.offset": 35054, - "observer.product": "upta", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.313", - "related.ip": [ - "10.154.172.82" - ], - "related.user": [ - "nesci", - "onnumqua", - "tetura" - ], - "rsa.db.index": "oinBCSed", - "rsa.internal.event_desc": "ntor", - "rsa.internal.messageid": "24", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "tocca", - "rsa.misc.group_object": "edutper", - "rsa.misc.reference_id": "iuntN", - "rsa.misc.reference_id1": "orsitvol", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.313", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "nesci" - }, - { - "event.action": "allow", - "event.code": "avolu", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"79\";obeatae 1.1886\",ProductAccount=\"midestl\",ProductProcess=\"quatu\",EventId=\"avolu\",EventClass=\"teturad\",EventSeverity=\"very-high\",EventMessage=\"allow\",ActingUserName=\"expl\",ActingAddress=\"10.47.63.70\",ActionSourceUser=\"lup\",ActionTargetUser=\"tpers\",ActionObject=\"orsitv\",ActionSafe=\"temseq\",ActionLocation=\"uisaute\",ActionCategory=\"uun\",ActionRequestId=\"end\",ActionReason=\"odocons\",ActionExtraDetails=\"olu\"", - 
"file.directory": "uisaute", - "file.name": "orsitv", - "fileset.name": "corepas", - "host.ip": "10.47.63.70", - "input.type": "log", - "log.level": "very-high", - "log.offset": 35557, - "observer.product": "obeatae", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1886", - "related.ip": [ - "10.47.63.70" - ], - "related.user": [ - "expl", - "midestl", - "tpers" - ], - "rsa.db.index": "olu", - "rsa.internal.event_desc": "odocons", - "rsa.internal.messageid": "79", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "uun", - "rsa.misc.group_object": "temseq", - "rsa.misc.reference_id": "avolu", - "rsa.misc.reference_id1": "end", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.1886", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "expl" - }, - { - "event.action": "block", - "event.code": "ectobea", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "January 5 06:22:49 amn %CYBERARK: MessageID=\"312\";itessequ 1.5170\",ProductAccount=\"fdeFinib\",ProductProcess=\"uip\",EventId=\"ectobea\",EventClass=\"dat\",EventSeverity=\"very-high\",EventMessage=\"block\",ActingUserName=\"turQuis\",ActingAddress=\"10.178.160.245\",ActionSourceUser=\"deomnisi\",ActionTargetUser=\"olupta\",ActionObject=\"oll\",ActionSafe=\"laboree\",ActionLocation=\"udantiu\",ActionCategory=\"itametco\",ActionRequestId=\"iav\",ActionReason=\"odico\",ActionExtraDetails=\"rsint\"", - "file.directory": "udantiu", - "file.name": "oll", - "fileset.name": "corepas", - "host.ip": "10.178.160.245", - "input.type": "log", - "log.level": "very-high", - "log.offset": 35987, - "observer.product": "itessequ", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5170", - "related.ip": [ - "10.178.160.245" - ], - "related.user": [ - "fdeFinib", - "olupta", - "turQuis" - ], - "rsa.db.index": "rsint", - "rsa.internal.event_desc": 
"odico", - "rsa.internal.messageid": "312", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "itametco", - "rsa.misc.group_object": "laboree", - "rsa.misc.reference_id": "ectobea", - "rsa.misc.reference_id1": "iav", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.5170", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "turQuis" - }, - { - "destination.address": "teursint1321.www5.example", - "destination.port": 7024, - "event.action": "block", - "event.code": "77", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "January 19 13:25:23 quiav %CYBERARK: MessageID=\"77\";Version=1.6648;Message=block;Issuer=Nem;Station=10.85.13.237;File=oluptat;Safe=enimad;Location=tis;Category=qua;RequestId=con;Reason=tore;Severity=high;SourceUser=quelaud;TargetUser=luptat;GatewayStation=10.89.154.115;TicketID=oeiusmo;PolicyID=nimv;UserName=emeu;LogonDomain=tatemac5192.www5.test;Address=teursint1321.www5.example;CPMStatus=lamcolab;Port=7024;Database=nturmag;DeviceType=uredol;ExtraDetails=maliqua;", - "file.directory": "tis", - "file.name": "oluptat", - "fileset.name": "corepas", - "group.name": "quelaud", - "host.ip": "10.85.13.237", - "input.type": "log", - "log.level": "high", - "log.offset": 36454, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6648", - "related.hosts": [ - "tatemac5192.www5.test", - "teursint1321.www5.example" - ], - "related.ip": [ - "10.85.13.237", - "10.89.154.115" - ], - "related.user": [ - "Nem", - "emeu", - "luptat" - ], - "rsa.db.database": "nturmag", - "rsa.db.index": "maliqua", - "rsa.internal.event_desc": "tore", - "rsa.internal.messageid": "77", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "qua", - "rsa.misc.disposition": "lamcolab", - "rsa.misc.group": "quelaud", - "rsa.misc.group_object": "enimad", - "rsa.misc.obj_type": "uredol", - 
"rsa.misc.operation_id": "oeiusmo", - "rsa.misc.policy_name": "nimv", - "rsa.misc.reference_id": "77", - "rsa.misc.reference_id1": "con", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.6648", - "rsa.network.domain": "tatemac5192.www5.test", - "rsa.network.host_dst": "teursint1321.www5.example", - "server.domain": "tatemac5192.www5.test", - "server.registered_domain": "www5.test", - "server.subdomain": "tatemac5192", - "server.top_level_domain": "test", - "service.type": "cyberark", - "source.ip": [ - "10.89.154.115" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "Nem" - }, - { - "destination.address": "boreet2051.internal.localdomain", - "destination.port": 1644, - "event.action": "allow", - "event.code": "308", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2019-02-02 20:27:57.752538723 +0000 UTC omnisi5530.mail.example %CYBERARK: MessageID=\"308\";Version=1.3387;Message=allow;Issuer=itame;Station=10.222.32.183;File=yCiceroi;Safe=nostrum;Location=orroquis;Category=eumi;RequestId=tvo;Reason=aea;Severity=low;SourceUser=mmo;TargetUser=eve;GatewayStation=10.65.207.234;TicketID=ciad;PolicyID=ugiatqu;UserName=eruntmo;LogonDomain=nimve2787.mail.test;Address=boreet2051.internal.localdomain;CPMStatus=iavo;Port=1644;Database=udexerc;DeviceType=ovolupta;ExtraDetails=volup;", - "file.directory": "orroquis", - "file.name": "yCiceroi", - "fileset.name": "corepas", - "group.name": "mmo", - "host.ip": "10.222.32.183", - "input.type": "log", - "log.level": "low", - "log.offset": 36923, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3387", - "related.hosts": [ - "boreet2051.internal.localdomain", - "nimve2787.mail.test" - ], - "related.ip": [ - "10.222.32.183", - "10.65.207.234" - ], - "related.user": [ - "eruntmo", - "eve", - "itame" - ], - "rsa.db.database": "udexerc", - "rsa.db.index": "volup", - "rsa.internal.event_desc": "aea", - 
"rsa.internal.messageid": "308", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "eumi", - "rsa.misc.disposition": "iavo", - "rsa.misc.group": "mmo", - "rsa.misc.group_object": "nostrum", - "rsa.misc.obj_type": "ovolupta", - "rsa.misc.operation_id": "ciad", - "rsa.misc.policy_name": "ugiatqu", - "rsa.misc.reference_id": "308", - "rsa.misc.reference_id1": "tvo", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3387", - "rsa.network.domain": "nimve2787.mail.test", - "rsa.network.host_dst": "boreet2051.internal.localdomain", - "server.domain": "nimve2787.mail.test", - "server.registered_domain": "mail.test", - "server.subdomain": "nimve2787", - "server.top_level_domain": "test", - "service.type": "cyberark", - "source.ip": [ - "10.65.207.234" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "itame" - }, - { - "event.action": "cancel", - "event.code": "edqu", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "rro 2019-02-17 03:30:32.012538723 +0000 UTC tuser6944.local %CYBERARK: MessageID=\"54\";iarchite 1.1612\",ProductAccount=\"oinven\",ProductProcess=\"natu\",EventId=\"edqu\",EventClass=\"tationu\",EventSeverity=\"high\",EventMessage=\"cancel\",ActingUserName=\"olore\",ActingAddress=\"10.16.181.60\",ActionSourceUser=\"ameaquei\",ActionTargetUser=\"gnama\",ActionObject=\"esciun\",ActionSafe=\"tesse\",ActionLocation=\"olupta\",ActionCategory=\"isno\",ActionRequestId=\"oluptas\",ActionReason=\"nderiti\",ActionExtraDetails=\"uatu\"", - "file.directory": "olupta", - "file.name": "esciun", - "fileset.name": "corepas", - "host.ip": "10.16.181.60", - "input.type": "log", - "log.level": "high", - "log.offset": 37436, - "observer.product": "iarchite", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1612", - "related.ip": [ - "10.16.181.60" - ], - "related.user": [ - "gnama", - "oinven", - "olore" - ], - "rsa.db.index": "uatu", - "rsa.internal.event_desc": 
"nderiti", - "rsa.internal.messageid": "54", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "isno", - "rsa.misc.group_object": "tesse", - "rsa.misc.reference_id": "edqu", - "rsa.misc.reference_id1": "oluptas", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.1612", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "olore" - }, - { - "event.action": "deny", - "event.code": "onse", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "orem 2019-03-03 10:33:06.272538723 +0000 UTC giatqu1484.internal.corp %CYBERARK: MessageID=\"208\";oreseosq 1.2275\",ProductAccount=\"uianon\",ProductProcess=\"nul\",EventId=\"onse\",EventClass=\"sitam\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"illoin\",ActingAddress=\"10.91.213.82\",ActionSourceUser=\"uid\",ActionTargetUser=\"amnis\",ActionObject=\"rvelil\",ActionSafe=\"adese\",ActionLocation=\"olorsi\",ActionCategory=\"caboNemo\",ActionRequestId=\"uptas\",ActionReason=\"temaccus\",ActionExtraDetails=\"ons\"", - "file.directory": "olorsi", - "file.name": "rvelil", - "fileset.name": "corepas", - "host.ip": "10.91.213.82", - "input.type": "log", - "log.level": "very-high", - "log.offset": 37931, - "observer.product": "oreseosq", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2275", - "related.ip": [ - "10.91.213.82" - ], - "related.user": [ - "amnis", - "illoin", - "uianon" - ], - "rsa.db.index": "ons", - "rsa.internal.event_desc": "temaccus", - "rsa.internal.messageid": "208", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "caboNemo", - "rsa.misc.group_object": "adese", - "rsa.misc.reference_id": "onse", - "rsa.misc.reference_id1": "uptas", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.2275", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "illoin" - }, - { - "event.action": "allow", - 
"event.code": "iaeconse", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2019-03-17 17:35:40.532538723 +0000 UTC oreeu3666.invalid %CYBERARK: MessageID=\"48\";tis 1.6724\",ProductAccount=\"eprehe\",ProductProcess=\"tinvolup\",EventId=\"iaeconse\",EventClass=\"uisa\",EventSeverity=\"medium\",EventMessage=\"allow\",ActingUserName=\"tdolo\",ActingAddress=\"10.204.214.98\",ActionSourceUser=\"iumt\",ActionTargetUser=\"porissus\",ActionObject=\"imip\",ActionSafe=\"tsunt\",ActionLocation=\"rnat\",ActionCategory=\"oremi\",ActionRequestId=\"ectobeat\",ActionReason=\"ecte\",ActionExtraDetails=\"abo\"", - "file.directory": "rnat", - "file.name": "imip", - "fileset.name": "corepas", - "host.ip": "10.204.214.98", - "input.type": "log", - "log.level": "medium", - "log.offset": 38435, - "observer.product": "tis", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6724", - "related.ip": [ - "10.204.214.98" - ], - "related.user": [ - "eprehe", - "porissus", - "tdolo" - ], - "rsa.db.index": "abo", - "rsa.internal.event_desc": "ecte", - "rsa.internal.messageid": "48", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "oremi", - "rsa.misc.group_object": "tsunt", - "rsa.misc.reference_id": "iaeconse", - "rsa.misc.reference_id1": "ectobeat", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6724", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tdolo" - }, - { - "event.action": "accept", - "event.code": "tium", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"219\";snos 
1.5910\",ProductAccount=\"moenimip\",ProductProcess=\"uames\",EventId=\"tium\",EventClass=\"ianonn\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"etc\",ActingAddress=\"10.223.178.192\",ActionSourceUser=\"atquovol\",ActionTargetUser=\"evel\",ActionObject=\"edol\",ActionSafe=\"sequuntu\",ActionLocation=\"quameius\",ActionCategory=\"litse\",ActionRequestId=\"san\",ActionReason=\"apari\",ActionExtraDetails=\"iarchit\"", - "file.directory": "quameius", - "file.name": "edol", - "fileset.name": "corepas", - "host.ip": "10.223.178.192", - "input.type": "log", - "log.level": "very-high", - "log.offset": 38923, - "observer.product": "snos", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5910", - "related.ip": [ - "10.223.178.192" - ], - "related.user": [ - "etc", - "evel", - "moenimip" - ], - "rsa.db.index": "iarchit", - "rsa.internal.event_desc": "apari", - "rsa.internal.messageid": "219", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "litse", - "rsa.misc.group_object": "sequuntu", - "rsa.misc.reference_id": "tium", - "rsa.misc.reference_id1": "san", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.5910", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "etc" - }, - { - "destination.address": "umto3015.mail.lan", - "destination.port": 4667, - "event.action": "cancel", - "event.code": "183", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2019-04-15 07:40:49.052538723 +0000 UTC nsequat6724.www.invalid %CYBERARK: 
MessageID=\"183\";Version=1.801;Message=cancel;Issuer=ati;Station=10.26.137.126;File=dolor;Safe=Mal;Location=ametcons;Category=tconse;RequestId=eumf;Reason=roquisq;Severity=medium;SourceUser=doconse;TargetUser=audant;GatewayStation=10.26.33.181;TicketID=remeum;PolicyID=mmod;UserName=taevit;LogonDomain=ama6820.mail.example;Address=umto3015.mail.lan;CPMStatus=sitv;Port=4667;Database=com;DeviceType=rep;ExtraDetails=mveni;", - "file.directory": "ametcons", - "file.name": "dolor", - "fileset.name": "corepas", - "group.name": "doconse", - "host.ip": "10.26.137.126", - "input.type": "log", - "log.level": "medium", - "log.offset": 39362, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.801", - "related.hosts": [ - "ama6820.mail.example", - "umto3015.mail.lan" - ], - "related.ip": [ - "10.26.137.126", - "10.26.33.181" - ], - "related.user": [ - "ati", - "audant", - "taevit" - ], - "rsa.db.database": "com", - "rsa.db.index": "mveni", - "rsa.internal.event_desc": "roquisq", - "rsa.internal.messageid": "183", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "tconse", - "rsa.misc.disposition": "sitv", - "rsa.misc.group": "doconse", - "rsa.misc.group_object": "Mal", - "rsa.misc.obj_type": "rep", - "rsa.misc.operation_id": "remeum", - "rsa.misc.policy_name": "mmod", - "rsa.misc.reference_id": "183", - "rsa.misc.reference_id1": "eumf", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.801", - "rsa.network.domain": "ama6820.mail.example", - "rsa.network.host_dst": "umto3015.mail.lan", - "server.domain": "ama6820.mail.example", - "server.registered_domain": "mail.example", - "server.subdomain": "ama6820", - "server.top_level_domain": "example", - "service.type": "cyberark", - "source.ip": [ - "10.26.33.181" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ati" - }, - { - "destination.address": "etquasia1800.www.host", - "destination.port": 7612, - "event.action": 
"accept", - "event.code": "41", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "April 29 14:43:23 num %CYBERARK: MessageID=\"41\";Version=1.10;Message=accept;Issuer=quaerat;Station=10.148.195.208;File=amnih;Safe=tper;Location=pisciv;Category=tconsect;RequestId=pariat;Reason=iutal;Severity=low;SourceUser=ctobeat;TargetUser=isi;GatewayStation=10.142.161.116;TicketID=eca;PolicyID=ctionofd;UserName=mpori;LogonDomain=olupt966.www5.corp;Address=etquasia1800.www.host;CPMStatus=nimip;Port=7612;Database=squamest;DeviceType=quisn;ExtraDetails=pteu;", - "file.directory": "pisciv", - "file.name": "amnih", - "fileset.name": "corepas", - "group.name": "ctobeat", - "host.ip": "10.148.195.208", - "input.type": "log", - "log.level": "low", - "log.offset": 39858, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.10", - "related.hosts": [ - "etquasia1800.www.host", - "olupt966.www5.corp" - ], - "related.ip": [ - "10.142.161.116", - "10.148.195.208" - ], - "related.user": [ - "isi", - "mpori", - "quaerat" - ], - "rsa.db.database": "squamest", - "rsa.db.index": "pteu", - "rsa.internal.event_desc": "iutal", - "rsa.internal.messageid": "41", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "tconsect", - "rsa.misc.disposition": "nimip", - "rsa.misc.group": "ctobeat", - "rsa.misc.group_object": "tper", - "rsa.misc.obj_type": "quisn", - "rsa.misc.operation_id": "eca", - "rsa.misc.policy_name": "ctionofd", - "rsa.misc.reference_id": "41", - "rsa.misc.reference_id1": "pariat", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.10", - "rsa.network.domain": "olupt966.www5.corp", - "rsa.network.host_dst": "etquasia1800.www.host", - "server.domain": "olupt966.www5.corp", - "server.registered_domain": "www5.corp", - "server.subdomain": "olupt966", - "server.top_level_domain": "corp", - "service.type": "cyberark", - "source.ip": [ - "10.142.161.116" - ], - "tags": [ - 
"cyberark.corepas", - "forwarded" - ], - "user.name": "quaerat" - }, - { - "destination.address": "quisquam2153.mail.host", - "destination.port": 2717, - "event.action": "block", - "event.code": "270", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "velillum 2019-05-13 21:45:57.572538723 +0000 UTC ntNequ7639.internal.localdomain %CYBERARK: MessageID=\"270\";Version=1.1026;Message=block;Issuer=itinvo;Station=10.107.24.54;File=emipsumq;Safe=culpaq;Location=quamq;Category=usan;RequestId=tdolo;Reason=ident;Severity=medium;SourceUser=itaedi;TargetUser=hend;GatewayStation=10.10.174.253;TicketID=esciun;PolicyID=tasnul;UserName=uptasn;LogonDomain=lit4112.www.localhost;Address=quisquam2153.mail.host;CPMStatus=dit;Port=2717;Database=lup;DeviceType=aeca;ExtraDetails=isau;", - "file.directory": "quamq", - "file.name": "emipsumq", - "fileset.name": "corepas", - "group.name": "itaedi", - "host.ip": "10.107.24.54", - "input.type": "log", - "log.level": "medium", - "log.offset": 40321, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1026", - "related.hosts": [ - "lit4112.www.localhost", - "quisquam2153.mail.host" - ], - "related.ip": [ - "10.10.174.253", - "10.107.24.54" - ], - "related.user": [ - "hend", - "itinvo", - "uptasn" - ], - "rsa.db.database": "lup", - "rsa.db.index": "isau", - "rsa.internal.event_desc": "ident", - "rsa.internal.messageid": "270", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "usan", - "rsa.misc.disposition": "dit", - "rsa.misc.group": "itaedi", - "rsa.misc.group_object": "culpaq", - "rsa.misc.obj_type": "aeca", - "rsa.misc.operation_id": "esciun", - "rsa.misc.policy_name": "tasnul", - "rsa.misc.reference_id": "270", - "rsa.misc.reference_id1": "tdolo", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.1026", - "rsa.network.domain": "lit4112.www.localhost", - "rsa.network.host_dst": "quisquam2153.mail.host", - 
"server.domain": "lit4112.www.localhost", - "server.registered_domain": "www.localhost", - "server.subdomain": "lit4112", - "server.top_level_domain": "localhost", - "service.type": "cyberark", - "source.ip": [ - "10.10.174.253" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "itinvo" - }, - { - "event.action": "deny", - "event.code": "iades", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "May 28 04:48:31 boreetd %CYBERARK: MessageID=\"309\";tNe 1.2566\",ProductAccount=\"eeufug\",ProductProcess=\"ntin\",EventId=\"iades\",EventClass=\"radipis\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"luptate\",ActingAddress=\"10.87.92.17\",ActionSourceUser=\"utlabore\",ActionTargetUser=\"tamr\",ActionObject=\"serr\",ActionSafe=\"usci\",ActionLocation=\"unturmag\",ActionCategory=\"dexeaco\",ActionRequestId=\"lupta\",ActionReason=\"ura\",ActionExtraDetails=\"oreeufug\"", - "event.outcome": "failure", - "file.directory": "unturmag", - "file.name": "serr", - "fileset.name": "corepas", - "host.ip": "10.87.92.17", - "input.type": "log", - "log.level": "very-high", - "log.offset": 40841, - "observer.product": "tNe", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2566", - "related.ip": [ - "10.87.92.17" - ], - "related.user": [ - "eeufug", - "luptate", - "tamr" - ], - "rsa.db.index": "oreeufug", - "rsa.internal.event_desc": "ura", - "rsa.internal.messageid": "309", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "dexeaco", - "rsa.misc.group_object": "usci", - "rsa.misc.reference_id": "iades", - "rsa.misc.reference_id1": "lupta", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.2566", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - 
"forwarded" - ], - "user.name": "luptate" - }, - { - "destination.address": "secte1774.localhost", - "destination.port": 5200, - "event.action": "deny", - "event.code": "295", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "June 11 11:51:06 dolo %CYBERARK: MessageID=\"295\";Version=1.5649;Message=deny;Issuer=Finibus;Station=10.161.51.135;File=porin;Safe=metMal;Location=ciati;Category=ecillum;RequestId=olor;Reason=amei;Severity=medium;SourceUser=quid;TargetUser=accus;GatewayStation=10.231.51.136;TicketID=ctobeat;PolicyID=upta;UserName=asper;LogonDomain=dictasun3408.internal.invalid;Address=secte1774.localhost;CPMStatus=iqui;Port=5200;Database=litani;DeviceType=emp;ExtraDetails=arch;", - "file.directory": "ciati", - "file.name": "porin", - "fileset.name": "corepas", - "group.name": "quid", - "host.ip": "10.161.51.135", - "input.type": "log", - "log.level": "medium", - "log.offset": 41300, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5649", - "related.hosts": [ - "dictasun3408.internal.invalid", - "secte1774.localhost" - ], - "related.ip": [ - "10.161.51.135", - "10.231.51.136" - ], - "related.user": [ - "Finibus", - "accus", - "asper" - ], - "rsa.db.database": "litani", - "rsa.db.index": "arch", - "rsa.internal.event_desc": "amei", - "rsa.internal.messageid": "295", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "ecillum", - "rsa.misc.disposition": "iqui", - "rsa.misc.group": "quid", - "rsa.misc.group_object": "metMal", - "rsa.misc.obj_type": "emp", - "rsa.misc.operation_id": "ctobeat", - "rsa.misc.policy_name": "upta", - "rsa.misc.reference_id": "295", - "rsa.misc.reference_id1": "olor", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5649", - "rsa.network.domain": "dictasun3408.internal.invalid", - "rsa.network.host_dst": "secte1774.localhost", - "server.domain": "dictasun3408.internal.invalid", - "server.registered_domain": 
"internal.invalid", - "server.subdomain": "dictasun3408", - "server.top_level_domain": "invalid", - "service.type": "cyberark", - "source.ip": [ - "10.231.51.136" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "Finibus" - }, - { - "event.action": "allow", - "event.code": "cia", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "June 25 18:53:40 dipisciv %CYBERARK: MessageID=\"148\";uam 1.2575\",ProductAccount=\"llum\",ProductProcess=\"mwr\",EventId=\"cia\",EventClass=\"idolo\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"mquido\",ActingAddress=\"10.51.17.32\",ActionSourceUser=\"ree\",ActionTargetUser=\"itten\",ActionObject=\"quipexea\",ActionSafe=\"orsitv\",ActionLocation=\"dunt\",ActionCategory=\"int\",ActionRequestId=\"ionevo\",ActionReason=\"llitani\",ActionExtraDetails=\"uscipit\"", - "file.directory": "dunt", - "file.name": "quipexea", - "fileset.name": "corepas", - "host.ip": "10.51.17.32", - "input.type": "log", - "log.level": "low", - "log.offset": 41765, - "observer.product": "uam", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2575", - "related.ip": [ - "10.51.17.32" - ], - "related.user": [ - "itten", - "llum", - "mquido" - ], - "rsa.db.index": "uscipit", - "rsa.internal.event_desc": "llitani", - "rsa.internal.messageid": "148", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "int", - "rsa.misc.group_object": "orsitv", - "rsa.misc.reference_id": "cia", - "rsa.misc.reference_id1": "ionevo", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.2575", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "mquido" - }, - { - "event.action": "deny", - "event.code": "mquisno", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "etco 2019-07-10 01:56:14.612538723 +0000 UTC iuntN4077.www.invalid %CYBERARK: MessageID=\"260\";isnostru 
1.270\",ProductAccount=\"mmodicon\",ProductProcess=\"eetdo\",EventId=\"mquisno\",EventClass=\"atvolup\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"ollita\",ActingAddress=\"10.108.123.148\",ActionSourceUser=\"cto\",ActionTargetUser=\"cusa\",ActionObject=\"nderi\",ActionSafe=\"tem\",ActionLocation=\"tcu\",ActionCategory=\"eumiu\",ActionRequestId=\"nim\",ActionReason=\"pteurs\",ActionExtraDetails=\"ercitati\"", - "file.directory": "tcu", - "file.name": "nderi", - "fileset.name": "corepas", - "host.ip": "10.108.123.148", - "input.type": "log", - "log.level": "medium", - "log.offset": 42211, - "observer.product": "isnostru", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.270", - "related.ip": [ - "10.108.123.148" - ], - "related.user": [ - "cusa", - "mmodicon", - "ollita" - ], - "rsa.db.index": "ercitati", - "rsa.internal.event_desc": "pteurs", - "rsa.internal.messageid": "260", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "eumiu", - "rsa.misc.group_object": "tem", - "rsa.misc.reference_id": "mquisno", - "rsa.misc.reference_id1": "nim", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.270", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ollita" - }, - { - "destination.address": "uido2773.www5.test", - "destination.port": 3820, - "event.action": "accept", - "event.code": "8", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "July 24 08:58:48 eturadip %CYBERARK: MessageID=\"8\";Version=1.425;Message=accept;Issuer=rsitamet;Station=10.114.0.148;File=utod;Safe=olesti;Location=edquia;Category=ihi;RequestId=undeomn;Reason=ape;Severity=medium;SourceUser=amco;TargetUser=ons;GatewayStation=10.198.187.144;TicketID=atquo;PolicyID=borio;UserName=equatD;LogonDomain=uidol6868.mail.localdomain;Address=uido2773.www5.test;CPMStatus=acons;Port=3820;Database=periam;DeviceType=ain;ExtraDetails=umiurer;", - 
"event.outcome": "success", - "file.directory": "edquia", - "file.name": "utod", - "fileset.name": "corepas", - "group.name": "amco", - "host.ip": "10.114.0.148", - "input.type": "log", - "log.level": "medium", - "log.offset": 42710, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.425", - "related.hosts": [ - "uido2773.www5.test", - "uidol6868.mail.localdomain" - ], - "related.ip": [ - "10.114.0.148", - "10.198.187.144" - ], - "related.user": [ - "equatD", - "ons", - "rsitamet" - ], - "rsa.db.database": "periam", - "rsa.db.index": "umiurer", - "rsa.internal.event_desc": "ape", - "rsa.internal.messageid": "8", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "ihi", - "rsa.misc.disposition": "acons", - "rsa.misc.group": "amco", - "rsa.misc.group_object": "olesti", - "rsa.misc.obj_type": "ain", - "rsa.misc.operation_id": "atquo", - "rsa.misc.policy_name": "borio", - "rsa.misc.reference_id": "8", - "rsa.misc.reference_id1": "undeomn", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.425", - "rsa.network.domain": "uidol6868.mail.localdomain", - "rsa.network.host_dst": "uido2773.www5.test", - "server.domain": "uidol6868.mail.localdomain", - "server.registered_domain": "mail.localdomain", - "server.subdomain": "uidol6868", - "server.top_level_domain": "localdomain", - "service.type": "cyberark", - "source.ip": [ - "10.198.187.144" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "rsitamet" - }, - { - "event.action": "allow", - "event.code": "litess", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "onorume 2019-08-07 16:01:23.132538723 +0000 UTC abill5290.lan %CYBERARK: MessageID=\"89\";mini 
1.7224\",ProductAccount=\"loru\",ProductProcess=\"iadeser\",EventId=\"litess\",EventClass=\"qui\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"equa\",ActingAddress=\"10.61.140.120\",ActionSourceUser=\"olorsit\",ActionTargetUser=\"naaliq\",ActionObject=\"plica\",ActionSafe=\"asiarc\",ActionLocation=\"lor\",ActionCategory=\"nvolupt\",ActionRequestId=\"dquia\",ActionReason=\"ora\",ActionExtraDetails=\"umfugiat\"", - "file.directory": "lor", - "file.name": "plica", - "fileset.name": "corepas", - "host.ip": "10.61.140.120", - "input.type": "log", - "log.level": "low", - "log.offset": 43175, - "observer.product": "mini", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7224", - "related.ip": [ - "10.61.140.120" - ], - "related.user": [ - "equa", - "loru", - "naaliq" - ], - "rsa.db.index": "umfugiat", - "rsa.internal.event_desc": "ora", - "rsa.internal.messageid": "89", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "nvolupt", - "rsa.misc.group_object": "asiarc", - "rsa.misc.reference_id": "litess", - "rsa.misc.reference_id1": "dquia", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7224", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "equa" - }, - { - "destination.address": "quame1852.www.test", - "destination.port": 4512, - "event.action": "deny", - "event.code": "36", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"36\";Version=1.6988;Message=deny;Issuer=ite;Station=10.93.24.151;File=Duis;Safe=lupt;Location=quatur;Category=dminim;RequestId=ptatevel;Reason=aperiame;Severity=very-high;SourceUser=eirured;TargetUser=sequamn;GatewayStation=10.149.238.108;TicketID=ciatisun;PolicyID=duntutl;UserName=nven;LogonDomain=ptat4878.lan;Address=quame1852.www.test;CPMStatus=deomni;Port=4512;Database=fugi;DeviceType=nse;ExtraDetails=nesciu;", - "file.directory": "quatur", - "file.name": "Duis", - 
"fileset.name": "corepas", - "group.name": "eirured", - "host.ip": "10.93.24.151", - "input.type": "log", - "log.level": "very-high", - "log.offset": 43663, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6988", - "related.hosts": [ - "ptat4878.lan", - "quame1852.www.test" - ], - "related.ip": [ - "10.149.238.108", - "10.93.24.151" - ], - "related.user": [ - "ite", - "nven", - "sequamn" - ], - "rsa.db.database": "fugi", - "rsa.db.index": "nesciu", - "rsa.internal.event_desc": "aperiame", - "rsa.internal.messageid": "36", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "dminim", - "rsa.misc.disposition": "deomni", - "rsa.misc.group": "eirured", - "rsa.misc.group_object": "lupt", - "rsa.misc.obj_type": "nse", - "rsa.misc.operation_id": "ciatisun", - "rsa.misc.policy_name": "duntutl", - "rsa.misc.reference_id": "36", - "rsa.misc.reference_id1": "ptatevel", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.6988", - "rsa.network.domain": "ptat4878.lan", - "rsa.network.host_dst": "quame1852.www.test", - "server.domain": "ptat4878.lan", - "server.registered_domain": "ptat4878.lan", - "server.top_level_domain": "lan", - "service.type": "cyberark", - "source.ip": [ - "10.149.238.108" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ite" - }, - { - "event.action": "accept", - "event.code": "vel", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "September 5 06:06:31 inrepreh %CYBERARK: MessageID=\"39\";rit 
1.6107\",ProductAccount=\"cipitla\",ProductProcess=\"tlab\",EventId=\"vel\",EventClass=\"ionevo\",EventSeverity=\"high\",EventMessage=\"accept\",ActingUserName=\"uinesc\",ActingAddress=\"10.101.45.225\",ActionSourceUser=\"utla\",ActionTargetUser=\"emi\",ActionObject=\"uaerat\",ActionSafe=\"iduntu\",ActionLocation=\"samvol\",ActionCategory=\"equa\",ActionRequestId=\"apari\",ActionReason=\"tsunt\",ActionExtraDetails=\"caecat\"", - "file.directory": "samvol", - "file.name": "uaerat", - "fileset.name": "corepas", - "host.ip": "10.101.45.225", - "input.type": "log", - "log.level": "high", - "log.offset": 44101, - "observer.product": "rit", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6107", - "related.ip": [ - "10.101.45.225" - ], - "related.user": [ - "cipitla", - "emi", - "uinesc" - ], - "rsa.db.index": "caecat", - "rsa.internal.event_desc": "tsunt", - "rsa.internal.messageid": "39", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "equa", - "rsa.misc.group_object": "iduntu", - "rsa.misc.reference_id": "vel", - "rsa.misc.reference_id1": "apari", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.6107", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "uinesc" - }, - { - "event.action": "cancel", - "event.code": "texplica", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "qui 2019-09-19 13:09:05.912538723 +0000 UTC caboN3124.mail.home %CYBERARK: MessageID=\"8\";catcupid 1.3167\",ProductAccount=\"quela\",ProductProcess=\"uamquaer\",EventId=\"texplica\",EventClass=\"enimi\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"ore\",ActingAddress=\"10.2.204.161\",ActionSourceUser=\"iquamqu\",ActionTargetUser=\"eumfugia\",ActionObject=\"reeufugi\",ActionSafe=\"sequines\",ActionLocation=\"minimve\",ActionCategory=\"texplica\",ActionRequestId=\"entorev\",ActionReason=\"quuntur\",ActionExtraDetails=\"olup\"", - 
"event.outcome": "success", - "file.directory": "minimve", - "file.name": "reeufugi", - "fileset.name": "corepas", - "host.ip": "10.2.204.161", - "input.type": "log", - "log.level": "low", - "log.offset": 44555, - "observer.product": "catcupid", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3167", - "related.ip": [ - "10.2.204.161" - ], - "related.user": [ - "eumfugia", - "ore", - "quela" - ], - "rsa.db.index": "olup", - "rsa.internal.event_desc": "quuntur", - "rsa.internal.messageid": "8", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "texplica", - "rsa.misc.group_object": "sequines", - "rsa.misc.reference_id": "texplica", - "rsa.misc.reference_id1": "entorev", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3167", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ore" - }, - { - "event.action": "cancel", - "event.code": "utaliqui", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "les 2019-10-03 20:11:40.172538723 +0000 UTC norumet2571.internal.example %CYBERARK: MessageID=\"89\";temp 1.6971\",ProductAccount=\"aliqu\",ProductProcess=\"sequine\",EventId=\"utaliqui\",EventClass=\"isciv\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"ptatemse\",ActingAddress=\"10.33.112.100\",ActionSourceUser=\"catcup\",ActionTargetUser=\"enimad\",ActionObject=\"magnaali\",ActionSafe=\"velillum\",ActionLocation=\"ionev\",ActionCategory=\"vitaedi\",ActionRequestId=\"rna\",ActionReason=\"cons\",ActionExtraDetails=\"Except\"", - "file.directory": "ionev", - "file.name": "magnaali", - "fileset.name": "corepas", - "host.ip": "10.33.112.100", - "input.type": "log", - "log.level": "very-high", - "log.offset": 45067, - 
"observer.product": "temp", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6971", - "related.ip": [ - "10.33.112.100" - ], - "related.user": [ - "aliqu", - "enimad", - "ptatemse" - ], - "rsa.db.index": "Except", - "rsa.internal.event_desc": "cons", - "rsa.internal.messageid": "89", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "vitaedi", - "rsa.misc.group_object": "velillum", - "rsa.misc.reference_id": "utaliqui", - "rsa.misc.reference_id1": "rna", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.6971", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ptatemse" - }, - { - "destination.address": "lla5407.lan", - "destination.port": 4762, - "event.action": "block", - "event.code": "95", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"95\";Version=1.3175;Message=block;Issuer=neavol;Station=10.94.152.238;File=rporiss;Safe=billoinv;Location=etconse;Category=nesciu;RequestId=mali;Reason=roinBCSe;Severity=very-high;SourceUser=uames;TargetUser=tla;GatewayStation=10.151.110.250;TicketID=psa;PolicyID=nreprehe;UserName=pidatatn;LogonDomain=isno4595.local;Address=lla5407.lan;CPMStatus=upt;Port=4762;Database=itaedict;DeviceType=eroi;ExtraDetails=onemull;", - "file.directory": "etconse", - "file.name": "rporiss", - "fileset.name": "corepas", - "group.name": "uames", - "host.ip": "10.94.152.238", - "input.type": "log", - "log.level": "very-high", - "log.offset": 45585, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3175", - "related.hosts": [ - "isno4595.local", - "lla5407.lan" - ], - "related.ip": [ - "10.151.110.250", - "10.94.152.238" - ], - "related.user": [ - "neavol", - "pidatatn", - "tla" - ], - "rsa.db.database": "itaedict", - "rsa.db.index": "onemull", - "rsa.internal.event_desc": "roinBCSe", - "rsa.internal.messageid": 
"95", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "nesciu", - "rsa.misc.disposition": "upt", - "rsa.misc.group": "uames", - "rsa.misc.group_object": "billoinv", - "rsa.misc.obj_type": "eroi", - "rsa.misc.operation_id": "psa", - "rsa.misc.policy_name": "nreprehe", - "rsa.misc.reference_id": "95", - "rsa.misc.reference_id1": "mali", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3175", - "rsa.network.domain": "isno4595.local", - "rsa.network.host_dst": "lla5407.lan", - "server.domain": "isno4595.local", - "server.registered_domain": "isno4595.local", - "server.top_level_domain": "local", - "service.type": "cyberark", - "source.ip": [ - "10.151.110.250" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "neavol" - }, - { - "destination.address": "iquipexe4708.api.localhost", - "destination.port": 5473, - "event.action": "allow", - "event.code": "179", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "mporain 2019-11-01 10:16:48.692538723 +0000 UTC eratvo7756.localdomain %CYBERARK: MessageID=\"179\";Version=1.4965;Message=allow;Issuer=alorumwr;Station=10.146.61.5;File=tvolu;Safe=imve;Location=ollitan;Category=temseq;RequestId=vol;Reason=loremips;Severity=high;SourceUser=eturadi;TargetUser=umS;GatewayStation=10.77.9.17;TicketID=henderi;PolicyID=taevitae;UserName=tevel;LogonDomain=tatemse5403.home;Address=iquipexe4708.api.localhost;CPMStatus=quuntur;Port=5473;Database=amremap;DeviceType=oremagna;ExtraDetails=aqu;", - "file.directory": "ollitan", - "file.name": "tvolu", - "fileset.name": "corepas", - "group.name": "eturadi", - "host.ip": "10.146.61.5", - "input.type": "log", - "log.level": "high", - "log.offset": 46024, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4965", - "related.hosts": [ - "iquipexe4708.api.localhost", - "tatemse5403.home" - ], - "related.ip": [ - "10.146.61.5", - "10.77.9.17" - ], - 
"related.user": [ - "alorumwr", - "tevel", - "umS" - ], - "rsa.db.database": "amremap", - "rsa.db.index": "aqu", - "rsa.internal.event_desc": "loremips", - "rsa.internal.messageid": "179", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "temseq", - "rsa.misc.disposition": "quuntur", - "rsa.misc.group": "eturadi", - "rsa.misc.group_object": "imve", - "rsa.misc.obj_type": "oremagna", - "rsa.misc.operation_id": "henderi", - "rsa.misc.policy_name": "taevitae", - "rsa.misc.reference_id": "179", - "rsa.misc.reference_id1": "vol", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.4965", - "rsa.network.domain": "tatemse5403.home", - "rsa.network.host_dst": "iquipexe4708.api.localhost", - "server.domain": "tatemse5403.home", - "server.registered_domain": "tatemse5403.home", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.77.9.17" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "alorumwr" - }, - { - "event.action": "allow", - "event.code": "saute", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"83\";tvolu 1.2244\",ProductAccount=\"ore\",ProductProcess=\"lors\",EventId=\"saute\",EventClass=\"ecillumd\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"sequatu\",ActingAddress=\"10.128.102.130\",ActionSourceUser=\"mdoloree\",ActionTargetUser=\"que\",ActionObject=\"inBCSed\",ActionSafe=\"cteturad\",ActionLocation=\"umq\",ActionCategory=\"ita\",ActionRequestId=\"ipsaquae\",ActionReason=\"olu\",ActionExtraDetails=\"exerci\"", - "file.directory": "umq", - "file.name": "inBCSed", - "fileset.name": "corepas", - "host.ip": "10.128.102.130", - "input.type": "log", - "log.level": "high", - "log.offset": 46542, - "observer.product": "tvolu", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2244", - "related.ip": [ - "10.128.102.130" - ], - "related.user": [ - "ore", - "que", - "sequatu" - 
], - "rsa.db.index": "exerci", - "rsa.internal.event_desc": "olu", - "rsa.internal.messageid": "83", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "ita", - "rsa.misc.group_object": "cteturad", - "rsa.misc.reference_id": "saute", - "rsa.misc.reference_id1": "ipsaquae", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.2244", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "sequatu" - }, - { - "destination.address": "oremip4070.www5.invalid", - "destination.port": 1704, - "event.action": "cancel", - "event.code": "150", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2019-11-30 00:21:57.212538723 +0000 UTC moen6809.internal.example %CYBERARK: MessageID=\"150\";Version=1.7701;Message=cancel;Issuer=reseo;Station=10.31.86.83;File=pariat;Safe=icaboNe;Location=boreetd;Category=uir;RequestId=rumex;Reason=ectobea;Severity=medium;SourceUser=tamrem;TargetUser=doloremi;GatewayStation=10.200.162.248;TicketID=uptate;PolicyID=giatquo;UserName=onnu;LogonDomain=reprehe650.www.corp;Address=oremip4070.www5.invalid;CPMStatus=turad;Port=1704;Database=billo;DeviceType=doloremi;ExtraDetails=ectetura;", - "file.directory": "boreetd", - "file.name": "pariat", - "fileset.name": "corepas", - "group.name": "tamrem", - "host.ip": "10.31.86.83", - "input.type": "log", - "log.level": "medium", - "log.offset": 46973, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7701", - "related.hosts": [ - "oremip4070.www5.invalid", - "reprehe650.www.corp" - ], - "related.ip": [ - "10.200.162.248", - "10.31.86.83" - ], - "related.user": [ - "doloremi", - "onnu", - "reseo" - ], - "rsa.db.database": "billo", - "rsa.db.index": "ectetura", - "rsa.internal.event_desc": "ectobea", - "rsa.internal.messageid": "150", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "uir", - "rsa.misc.disposition": "turad", - "rsa.misc.group": 
"tamrem", - "rsa.misc.group_object": "icaboNe", - "rsa.misc.obj_type": "doloremi", - "rsa.misc.operation_id": "uptate", - "rsa.misc.policy_name": "giatquo", - "rsa.misc.reference_id": "150", - "rsa.misc.reference_id1": "rumex", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.7701", - "rsa.network.domain": "reprehe650.www.corp", - "rsa.network.host_dst": "oremip4070.www5.invalid", - "server.domain": "reprehe650.www.corp", - "server.registered_domain": "www.corp", - "server.subdomain": "reprehe650", - "server.top_level_domain": "corp", - "service.type": "cyberark", - "source.ip": [ - "10.200.162.248" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "reseo" - }, - { - "event.action": "allow", - "event.code": "iatnulap", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"166\";cul 1.3325\",ProductAccount=\"atatn\",ProductProcess=\"ipisc\",EventId=\"iatnulap\",EventClass=\"roi\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"volup\",ActingAddress=\"10.103.215.159\",ActionSourceUser=\"ddoeiusm\",ActionTargetUser=\"apa\",ActionObject=\"archite\",ActionSafe=\"tur\",ActionLocation=\"ddo\",ActionCategory=\"emp\",ActionRequestId=\"inBC\",ActionReason=\"did\",ActionExtraDetails=\"atcupi\"", - "file.directory": "ddo", - "file.name": "archite", - "fileset.name": "corepas", - "host.ip": "10.103.215.159", - "input.type": "log", - "log.level": "high", - "log.offset": 47494, - "observer.product": "cul", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3325", - "related.ip": [ - "10.103.215.159" - ], - "related.user": [ - "apa", - "atatn", - "volup" - ], - "rsa.db.index": "atcupi", - "rsa.internal.event_desc": "did", - "rsa.internal.messageid": "166", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "emp", - "rsa.misc.group_object": "tur", - "rsa.misc.reference_id": "iatnulap", - "rsa.misc.reference_id1": "inBC", - 
"rsa.misc.severity": "high", - "rsa.misc.version": "1.3325", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "volup" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberark/fields.go b/x-pack/filebeat/module/cyberark/fields.go deleted file mode 100644 index 92881453766..00000000000 --- a/x-pack/filebeat/module/cyberark/fields.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package cyberark - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "cyberark", asset.ModuleFieldsPri, AssetCyberark); err != nil { - panic(err) - } -} - -// AssetCyberark returns asset data. -// This is the base64 encoded zlib format compressed contents of module/cyberark. -func AssetCyberark() string { - return "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" -} diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/config.yml b/x-pack/filebeat/module/cyberarkpas/_meta/config.yml index 4ebf2db818d..9b2cc6d0e27 100644 --- a/x-pack/filebeat/module/cyberarkpas/_meta/config.yml +++ b/x-pack/filebeat/module/cyberarkpas/_meta/config.yml @@ -1,6 +1,6 @@ - module: cyberarkpas audit: - enabled: true + enabled: false # Set which input to use between tcp (default), udp, or file. # diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json b/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json index 406c258f164..9ac5720c6aa 100644 --- a/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json 
+++ b/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json 
@@ -972,10 +972,402 @@ "embeddableConfig": { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"id\":null,\"isAutoSelect\":true},\"id\":\"a3734143-d6e1-4551-b0b1-8282a37e151b\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\"},{\"label\":\"filebeat-* | Source Point\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"geoField\":\"source.geo.location\",\"scalingType\":\"TOP_HITS\",\"topHitsSplitField\":\"source.ip\",\"tooltipProperties\":[\"host.name\",\"source.ip\",\"source.domain\",\"source.geo.country_iso_code\",\"source.as.organization.name\"],\"id\":\"5f2b25a1-01ea-45ca-a4a2-f1a670c3b149\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"filterByMapBounds\":true,\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":22},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"home\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#6092C0\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":8}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"icon\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"2ad8e318-4ef4-4e89-94f2-f37e395c488c\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]},{\"label\":\"filebeat-* | Destination 
point\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"geoField\":\"destination.geo.location\",\"scalingType\":\"TOP_HITS\",\"topHitsSplitField\":\"destination.ip\",\"tooltipProperties\":[\"host.name\",\"destination.ip\",\"destination.domain\",\"destination.geo.country_iso_code\",\"destination.as.organization.name\"],\"id\":\"bc95f479-964f-4498-be1e-376d34a01b0a\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"filterByMapBounds\":true,\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":35},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#D36086\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":8}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"icon\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"dbb878c8-4039-49f1-b2ff-ab7fb942ba55\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]},{\"label\":\"filebeat-* | 
Line\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"sourceGeoField\":\"source.geo.location\",\"destGeoField\":\"destination.geo.location\",\"metrics\":[{\"type\":\"count\"},{\"type\":\"sum\",\"field\":\"destination.bytes\"}],\"id\":\"faf6884d-b7cb-41dd-ab86-95970d7c59d2\",\"type\":\"ES_PEW_PEW\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#6092C0\"}},\"lineWidth\":{\"type\":\"DYNAMIC\",\"options\":{\"minSize\":1,\"maxSize\":8,\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3}}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"9c450fbf-b009-4b53-9810-2f47ca8dcfa8\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]}]", - "mapStateJSON": 
"{\"zoom\":1.24,\"center\":{\"lon\":-49.38072,\"lat\":7.87497},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "a3734143-d6e1-4551-b0b1-8282a37e151b", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "id": null, + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "2ad8e318-4ef4-4e89-94f2-f37e395c488c", + "joins": [], + "label": "Filebeat index | Source Point", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "applyGlobalTime": true, + "filterByMapBounds": true, + "geoField": "source.geo.location", + "id": "5f2b25a1-01ea-45ca-a4a2-f1a670c3b149", + "indexPatternId": "filebeat-*", + "scalingType": "TOP_HITS", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [ + "host.name", + "source.ip", + "source.domain", + "source.geo.country_iso_code", + "source.as.organization.name" + ], + "topHitsSize": 22, + "topHitsSplitField": "source.ip", + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#6092C0" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "home" + }, + "type": "STATIC" + }, + 
"iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 8 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 2 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "icon" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + }, + { + "alpha": 0.75, + "id": "dbb878c8-4039-49f1-b2ff-ab7fb942ba55", + "joins": [], + "label": "Filebeat index | Destination point", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "applyGlobalTime": true, + "filterByMapBounds": true, + "geoField": "destination.geo.location", + "id": "bc95f479-964f-4498-be1e-376d34a01b0a", + "indexPatternId": "filebeat-*", + "scalingType": "TOP_HITS", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [ + "host.name", + "destination.ip", + "destination.domain", + "destination.geo.country_iso_code", + "destination.as.organization.name" + ], + "topHitsSize": 35, + "topHitsSplitField": "destination.ip", + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#D36086" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 8 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": 
"STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 2 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "icon" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + }, + { + "alpha": 0.75, + "id": "9c450fbf-b009-4b53-9810-2f47ca8dcfa8", + "joins": [], + "label": "Filebeat index | Line", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "applyGlobalTime": true, + "destGeoField": "destination.geo.location", + "id": "faf6884d-b7cb-41dd-ab86-95970d7c59d2", + "indexPatternId": "filebeat-*", + "metrics": [ + { + "type": "count" + }, + { + "field": "destination.bytes", + "type": "sum" + } + ], + "sourceGeoField": "source.geo.location", + "type": "ES_PEW_PEW" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#54B399" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#6092C0" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": 
{ + "field": { + "name": "doc_count", + "origin": "source" + }, + "fieldMetaOptions": { + "isEnabled": true, + "sigma": 3 + }, + "maxSize": 8, + "minSize": 1 + }, + "type": "DYNAMIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 7.87497, + "lon": -49.38072 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-15w", + "to": "now" + }, + "zoom": 1.24 + }, "title": "", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } }, "enhancements": {}, "hiddenLayers": [], diff --git a/x-pack/filebeat/module/cylance/_meta/config.yml b/x-pack/filebeat/module/cylance/_meta/config.yml index f48f72b6065..3025ab38401 100644 --- a/x-pack/filebeat/module/cylance/_meta/config.yml +++ b/x-pack/filebeat/module/cylance/_meta/config.yml @@ -1,6 +1,6 @@ - module: cylance protect: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/envoyproxy/_meta/config.yml b/x-pack/filebeat/module/envoyproxy/_meta/config.yml index c0fada4e3ae..8009773045d 100644 
--- a/x-pack/filebeat/module/envoyproxy/_meta/config.yml +++ b/x-pack/filebeat/module/envoyproxy/_meta/config.yml @@ -1,7 +1,7 @@ - module: envoyproxy # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/f5/_meta/config.yml b/x-pack/filebeat/module/f5/_meta/config.yml index a939fc021f8..48ccc13d31a 100644 --- a/x-pack/filebeat/module/f5/_meta/config.yml +++ b/x-pack/filebeat/module/f5/_meta/config.yml @@ -1,6 +1,6 @@ - module: f5 bigipapm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -19,7 +19,7 @@ # var.tz_offset: local bigipafm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/fortinet/_meta/config.yml b/x-pack/filebeat/module/fortinet/_meta/config.yml index 5f5561c7925..f71e5732b14 100644 --- a/x-pack/filebeat/module/fortinet/_meta/config.yml +++ b/x-pack/filebeat/module/fortinet/_meta/config.yml @@ -1,6 +1,6 @@ - module: fortinet firewall: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -23,7 +23,7 @@ #var.external_interfaces: [ "WAN" ] clientendpoint: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -42,7 +42,7 @@ # var.tz_offset: local fortimail: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -61,7 +61,7 @@ # var.tz_offset: local fortimanager: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/gcp/_meta/config.yml b/x-pack/filebeat/module/gcp/_meta/config.yml index b32c5a65957..7b804388694 100644 --- a/x-pack/filebeat/module/gcp/_meta/config.yml 
+++ b/x-pack/filebeat/module/gcp/_meta/config.yml @@ -1,6 +1,6 @@ - module: gcp vpcflow: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -28,7 +28,7 @@ #var.internal_networks: [ "private" ] firewall: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -55,7 +55,7 @@ #var.internal_networks: [ "private" ] audit: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id diff --git a/x-pack/filebeat/module/gcp/_meta/kibana/7/map/a97de660-73a5-11ea-a345-f985c61fe654.json b/x-pack/filebeat/module/gcp/_meta/kibana/7/map/a97de660-73a5-11ea-a345-f985c61fe654.json index 4632935ce64..fcafb6c5428 100644 --- a/x-pack/filebeat/module/gcp/_meta/kibana/7/map/a97de660-73a5-11ea-a345-f985c61fe654.json +++ b/x-pack/filebeat/module/gcp/_meta/kibana/7/map/a97de660-73a5-11ea-a345-f985c61fe654.json 
@@ -1,8 +1,148 @@ { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\",\"geoField\":\"source.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"LIMIT\",\"topHitsSize\":1,\"type\":\"ES_SEARCH\",\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"279da950-e9a7-4287-ab37-25906e448455\",\"label\":\"Source Locations\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[],\"query\":{\"query\":\"event.dataset:gcp.audit\",\"language\":\"kuery\"}}]", - "mapStateJSON": 
"{\"zoom\":1.97,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": {}, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "279da950-e9a7-4287-ab37-25906e448455", + "joins": [], + "label": "Source Locations", + "maxZoom": 24, + "minZoom": 0, + "query": { + "language": "kuery", + "query": "event.dataset:gcp.audit" + }, + "sourceDescriptor": { + "applyGlobalQuery": true, + "filterByMapBounds": true, + "geoField": "source.geo.location", + "id": "79ec6461-7561-45e4-a6a2-9d6fbd4cf986", + "indexPatternRefName": "layer_1_source_index_pattern", + "scalingType": "LIMIT", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [], + "topHitsSize": 1, + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#54B399" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#41937c" + }, + "type": "STATIC" + }, + "lineWidth": { + 
"options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 19.94277, + "lon": 0 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false + }, + "timeFilters": { + "from": "now-7d", + "to": "now" + }, + "zoom": 1.97 + }, "title": "Audit Source Locations [Filebeat GCP]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/google_workspace/_meta/config.yml b/x-pack/filebeat/module/google_workspace/_meta/config.yml index 1d6c5ad4589..58d6a754b1e 100644 --- a/x-pack/filebeat/module/google_workspace/_meta/config.yml +++ b/x-pack/filebeat/module/google_workspace/_meta/config.yml @@ -1,6 +1,6 @@ - module: google_workspace saml: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -8,7 +8,7 @@ # var.user_key: all # var.interval: 2h user_accounts: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -16,7 +16,7 @@ # var.user_key: all # var.interval: 2h login: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -24,7 +24,7 @@ # var.user_key: all # var.interval: 2h admin: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -32,7 +32,7 @@ # var.user_key: all # var.interval: 2h drive: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h 
@@ -40,7 +40,7 @@ # var.user_key: all # var.interval: 2h groups: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h diff --git a/x-pack/filebeat/module/googlecloud/_meta/config.yml b/x-pack/filebeat/module/googlecloud/_meta/config.yml deleted file mode 100644 index 2c535fb4664..00000000000 --- a/x-pack/filebeat/module/googlecloud/_meta/config.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -# googlecloud module is deprecated, please use gcp instead -- module: gcp - vpcflow: - enabled: true - - # Google Cloud project ID. - var.project_id: my-gcp-project-id - - # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be - # configured to use this topic as a sink for VPC flow logs. - var.topic: gcp-vpc-flowlogs - - # Google Pub/Sub subscription for the topic. Filebeat will create this - # subscription if it does not exist. - var.subscription_name: filebeat-gcp-vpc-flowlogs-sub - - # Credentials file for the service account with authorization to read from - # the subscription. - var.credentials_file: ${path.config}/gcp-service-account-xyz.json - - firewall: - enabled: true - - # Google Cloud project ID. - var.project_id: my-gcp-project-id - - # Google Pub/Sub topic containing firewall logs. Stackdriver must be - # configured to use this topic as a sink for firewall logs. - var.topic: gcp-vpc-firewall - - # Google Pub/Sub subscription for the topic. Filebeat will create this - # subscription if it does not exist. - var.subscription_name: filebeat-gcp-firewall-sub - - # Credentials file for the service account with authorization to read from - # the subscription. - var.credentials_file: ${path.config}/gcp-service-account-xyz.json - - audit: - enabled: true - - # Google Cloud project ID. - var.project_id: my-gcp-project-id - - # Google Pub/Sub topic containing firewall logs. Stackdriver must be - # configured to use this topic as a sink for firewall logs. - var.topic: gcp-vpc-audit - - # Google Pub/Sub subscription for the topic. Filebeat will create this - # subscription if it does not exist. - var.subscription_name: filebeat-gcp-audit - - # Credentials file for the service account with authorization to read from - # the subscription. - var.credentials_file: ${path.config}/gcp-service-account-xyz.json 
diff --git a/x-pack/filebeat/module/googlecloud/module.yml b/x-pack/filebeat/module/googlecloud/module.yml deleted file mode 100644 index e5d6de04886..00000000000 --- a/x-pack/filebeat/module/googlecloud/module.yml +++ /dev/null @@ -1 +0,0 @@ -movedTo: gcp diff --git a/x-pack/filebeat/module/gsuite/_meta/config.yml b/x-pack/filebeat/module/gsuite/_meta/config.yml deleted file mode 100644 index 0badc11284e..00000000000 --- a/x-pack/filebeat/module/gsuite/_meta/config.yml +++ /dev/null @@ -1,50 +0,0 @@ -# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. -- module: gsuite - saml: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - user_accounts: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - login: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - admin: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - drive: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - groups: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h 
diff --git a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc deleted file mode 100644 index 38402d773a0..00000000000 --- a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc +++ /dev/null 
@@ -1,133 +0,0 @@ -[role="xpack"] - -:modulename: gsuite -:has-dashboards: false - -== GSuite module - -beta[] - -deprecated::[7.12] - -This is a module for ingesting data from the different GSuite audit reports API's. - -include::../include/gs-link.asciidoc[] - -[float] -=== Compatibility - -It is compatible with a subset of applications under the https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started[Google Reports API v1]. As of today it supports: - -[options="header"] -|=========================================================================================================================================================================================================================== -| GSuite Service | Description | -| SAML https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[api docs] https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054[help] | View users’ successful and failed sign-ins to SAML applications. | -| User Accounts https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[api docs] https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054[help] | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | -| Login https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[api docs] https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054[help] | Track user sign-in activity to your domain. | -| Admin https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[api docs] https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054[help] | View administrator activity performed within the Google Admin console. 
| -| Drive https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[api docs] https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054[help] | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | -| Groups https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[api docs] https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054[help] | Track changes to groups, group memberships and group messages. | -|=========================================================================================================================================================================================================================== - -[float] -=== Configure the module - -In order for Filebeat to ingest data from the Google Reports API you must: - -- Have an *administrator account*. -- https://support.google.com/gsuitemigrate/answer/9222993?hl=en[Set up a ServiceAccount] using the administrator account. -- https://support.google.com/gsuitemigrate/answer/9222865?hl=en[Set up access to the Admin SDK API] for the ServiceAccount. -- https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Enable Domain-Wide Delegation] for your ServiceAccount. 
- -This module will make use of the following *oauth2 scope*: - -- `https://www.googleapis.com/auth/admin.reports.audit.readonly` - -Once you have downloaded your service account credentials as a JSON file, -you can set up your module: - -[float] -===== Configuration options - -[source,yaml] ----- -- module: gsuite - saml: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - user_accounts: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - login: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - admin: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - drive: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - groups: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" ----- - -Every fileset has the following configuration options: - -*`var.jwt_file`*:: - -Specifies the path to the JWT credentials file. - -*`var.delegated_account`*:: - -Email of the admin user used to access the API. - -*`var.http_client_timeout`*:: - -Duration of the time limit on HTTP requests made by the module. Defaults to -`60s`. - -*`var.interval`*:: - -Duration between requests to the API. Defaults to `2h`. - -NOTE: GSuite defaults to a 2 hour polling interval because Google reports can go from -some minutes up to 3 days of delay. For more details on this, you can read more https://support.google.com/a/answer/7061566[here]. - -*`var.user_key`*:: - -Specifies the user key to fetch reports from. Defaults to `all`. - -*`var.initial_interval`*:: - -It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to `24h`. 
- -[float] -==== GSuite Reports ECS fields - -This is a list of GSuite Reports fields that are mapped to ECS. - -[options="header"] -|=============================================================================================== -| GSuite Reports | ECS Fields | -| `items[].id.time` | `@timestamp` | -| `items[].id.uniqueQualifier` | `event.id` | -| `items[].id.applicationName` | `event.provider` | -| `items[].events[].name` | `event.action` | -| `items[].customerId` | `organization.id` | -| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` | -| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | -| `items[].actor.profileId` | `source.user.id` | -|=============================================================================================== - -These are the common ones to all filesets. - -:has-dashboards!: - -:modulename!: diff --git a/x-pack/filebeat/module/gsuite/_meta/fields.yml b/x-pack/filebeat/module/gsuite/_meta/fields.yml deleted file mode 100644 index 21ef9c6e692..00000000000 --- a/x-pack/filebeat/module/gsuite/_meta/fields.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -- key: gsuite - title: "gsuite" - description: > - gsuite Module - fields: - - name: gsuite - default_field: false - type: group - description: > - Gsuite specific fields. - - More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - fields: - - name: actor.type - type: keyword - description: > - The type of actor. - - Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. - - name: actor.key - type: keyword - description: > - Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - - name: event.type - type: keyword - description: > - The type of GSuite event, mapped from `items[].events[].type` in the original payload. - Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - example: audit#activity - - name: kind - type: keyword - description: > - The type of API resource, mapped from `kind` in the original payload. - More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - example: audit#activity - - name: organization.domain - type: keyword - description: > - The domain that is affected by the report's event. diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml deleted file mode 100644 index 7c82f3ed6e7..00000000000 --- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml +++ /dev/null 
@@ -1,271 +0,0 @@ -- name: admin - type: group - fields: - - name: application.edition - type: keyword - description: The GSuite edition. - - name: application.name - type: keyword - description: The application's name. - - name: application.enabled - type: keyword - description: The enabled application. - - name: application.licences_order_number - type: keyword - description: Order number used to redeem licenses. - - name: application.licences_purchased - type: keyword - description: Number of licences purchased. - - name: application.id - type: keyword - description: The application ID. - - name: application.asp_id - type: keyword - description: The application specific password ID. - - name: application.package_id - type: keyword - description: The mobile application package ID. - - name: group.email - type: keyword - description: The group's primary email address. - - name: new_value - type: keyword - description: The new value for the setting. - - name: old_value - type: keyword - description: The old value for the setting. - - name: org_unit.name - type: keyword - description: The organizational unit name. - - name: org_unit.full - type: keyword - description: The org unit full path including the root org unit name. - - name: setting.name - type: keyword - description: The setting name. - - name: user_defined_setting.name - type: keyword - description: The name of the user-defined setting. - - name: setting.description - type: keyword - description: The setting name. - - name: group.priorities - type: keyword - description: Group priorities. - - name: domain.alias - type: keyword - description: The domain alias. - - name: domain.name - type: keyword - description: The primary domain name. - - name: domain.secondary_name - type: keyword - description: The secondary domain name. - - name: managed_configuration - type: keyword - description: The name of the managed configuration. 
- - name: non_featured_services_selection - type: keyword - description: > - Non-featured services selection. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED - - name: field - type: keyword - description: The name of the field. - - name: resource.id - type: keyword - description: The name of the resource identifier. - - name: user.email - type: keyword - description: The user's primary email address. - - name: user.nickname - type: keyword - description: The user's nickname. - - name: user.birthdate - type: date - description: The user's birth date. - - name: gateway.name - type: keyword - description: Gateway name. Present on some chat settings. - - name: chrome_os.session_type - type: keyword - description: Chrome OS session type. - - name: device.serial_number - type: keyword - description: Device serial number. - - name: device.id - type: keyword - - name: device.type - type: keyword - description: Device type. - - name: print_server.name - type: keyword - description: The name of the print server. - - name: printer.name - type: keyword - description: The name of the printer. - - name: device.command_details - type: keyword - description: Command details. - - name: role.id - type: keyword - description: Unique identifier for this role privilege. - - name: role.name - type: keyword - description: > - The role name. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings - - name: privilege.name - type: keyword - description: Privilege name. - - name: service.name - type: keyword - description: The service name. - - name: url.name - type: keyword - description: The website name. - - name: product.name - type: keyword - description: The product name. - - name: product.sku - type: keyword - description: The product SKU. 
- - name: bulk_upload.failed - type: long - description: Number of failed records in bulk upload operation. - - name: bulk_upload.total - type: long - description: Number of total records in bulk upload operation. - - name: group.allowed_list - type: keyword - description: Names of allow-listed groups. - - name: email.quarantine_name - type: keyword - description: The name of the quarantine. - - name: email.log_search_filter.message_id - type: keyword - description: The log search filter's email message ID. - - name: email.log_search_filter.start_date - type: date - description: The log search filter's start date. - - name: email.log_search_filter.end_date - type: date - description: The log search filter's ending date. - - name: email.log_search_filter.recipient.value - type: keyword - description: The log search filter's email recipient. - - name: email.log_search_filter.sender.value - type: keyword - description: The log search filter's email sender. - - name: email.log_search_filter.recipient.ip - type: ip - description: The log search filter's email recipient's IP address. - - name: email.log_search_filter.sender.ip - type: ip - description: The log search filter's email sender's IP address. - - name: chrome_licenses.enabled - type: keyword - description: > - Licences enabled. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings - - name: chrome_licenses.allowed - type: keyword - description: > - Licences enabled. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings - - name: oauth2.service.name - type: keyword - description: > - OAuth2 service name. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings - - name: oauth2.application.id - type: keyword - description: OAuth2 application ID. 
- - name: oauth2.application.name - type: keyword - description: OAuth2 application name. - - name: oauth2.application.type - type: keyword - description: > - OAuth2 application type. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings - - name: verification_method - type: keyword - description: > - Related verification method. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings - - name: alert.name - type: keyword - description: The alert name. - - name: rule.name - type: keyword - description: The rule name. - - name: api.client.name - type: keyword - description: The API client name. - - name: api.scopes - type: keyword - description: The API scopes. - - name: mdm.token - type: keyword - description: The MDM vendor enrollment token. - - name: mdm.vendor - type: keyword - description: The MDM vendor's name. - - name: info_type - type: keyword - description: > - This will be used to state what kind of information was changed. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings - - name: email_monitor.dest_email - type: keyword - description: The destination address of the email monitor. - - name: email_monitor.level.chat - type: keyword - description: The chat email monitor level. - - name: email_monitor.level.draft - type: keyword - description: The draft email monitor level. - - name: email_monitor.level.incoming - type: keyword - description: The incoming email monitor level. - - name: email_monitor.level.outgoing - type: keyword - description: The outgoing email monitor level. - - name: email_dump.include_deleted - type: boolean - description: Indicates if deleted emails are included in the export. 
- - name: email_dump.package_content - type: keyword - description: The contents of the mailbox package. - - name: email_dump.query - type: keyword - description: The search query used for the dump. - - name: request.id - type: keyword - description: The request ID. - - name: mobile.action.id - type: keyword - description: The mobile device action's ID. - - name: mobile.action.type - type: keyword - description: > - The mobile device action's type. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - - name: mobile.certificate.name - type: keyword - description: The mobile certificate common name. - - name: mobile.company_owned_devices - type: long - description: The number of devices a company owns. - - name: distribution.entity.name - type: keyword - description: > - The distribution entity value, which can be a group name or an org-unit name. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - - name: distribution.entity.type - type: keyword - description: > - The distribution entity type, which can be a group or an org-unit. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings diff --git a/x-pack/filebeat/module/gsuite/admin/config/config.yml b/x-pack/filebeat/module/gsuite/admin/config/config.yml deleted file mode 100644 index 409da0182e3..00000000000 --- a/x-pack/filebeat/module/gsuite/admin/config/config.yml +++ /dev/null 
@@ -1,54 +0,0 @@
-{{ if eq .input "httpjson" }}
-type: httpjson
-
-url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/admin
-json_objects_array: items
-split_events_by: events
-
-interval: {{ .interval }}
-
-{{ if .http_client_timeout }}
-http_client_timeout: {{ .http_client_timeout }}
-{{ end }}
-
-oauth2.provider: google
-oauth2.google.jwt_file: {{ .jwt_file }}
-oauth2.google.delegated_account: {{ .delegated_account }}
-oauth2.scopes:
- - https://www.googleapis.com/auth/admin.reports.audit.readonly
-
-date_cursor.url_field: startTime
-date_cursor.initial_interval: {{ .initial_interval }}
-
-pagination.id_field: nextPageToken
-pagination.url_field: pageToken
-
-{{ if .proxy_url }}
-request.proxy_url: {{ .proxy_url }}
-{{ end }}
-
-{{ else if eq .input "file" }}
-type: log
-paths:
-{{ range $i, $path := .paths }}
- - {{$path}}
-{{ end }}
-exclude_files: [".gz$"]
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.11.0
- - script:
- lang: javascript
- id: gsuite-common
- file: ${path.home}/module/gsuite/config/common.js
- - script:
- lang: javascript
- id: gsuite-admin
- file: ${path.home}/module/gsuite/admin/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
deleted file mode 100644
index 9fdaa12998e..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
+++ /dev/null
@@ -1,967 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -var login = (function () { - var processor = require("processor"); - - var categorizeEvent = function(evt) { - // not convinced that these should be iam - evt.Put("event.category", ["iam"]); - switch (evt.Get("event.action")) { - case "CHANGE_APPLICATION_SETTING": - case "UPDATE_MANAGED_CONFIGURATION": - case "CHANGE_CALENDAR_SETTING": - case "CHANGE_CHAT_SETTING": - case "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING": - case "GPLUS_PREMIUM_FEATURES": - case "UPDATE_CALENDAR_RESOURCE_FEATURE": - case "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED": - case "MEET_INTEROP_MODIFY_GATEWAY": - case "CHANGE_CHROME_OS_APPLICATION_SETTING": - case "CHANGE_CHROME_OS_DEVICE_SETTING": - case "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING": - case "CHANGE_CHROME_OS_SETTING": - case "CHANGE_CHROME_OS_USER_SETTING": - case "CHANGE_CONTACTS_SETTING": - case "CHANGE_DOCS_SETTING": - case "CHANGE_SITES_SETTING": - case "CHANGE_EMAIL_SETTING": - case "CHANGE_GMAIL_SETTING": - case "ALLOW_STRONG_AUTHENTICATION": - case "ALLOW_SERVICE_FOR_OAUTH2_ACCESS": - case "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS": - case "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID": - case "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION": - case "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY": - case "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION": - case "CHANGE_TWO_STEP_VERIFICATION_START_DATE": - case "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS": - case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES": - case "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY": - case "ENFORCE_STRONG_AUTHENTICATION": - case "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS": - case "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED": - case "SESSION_CONTROL_SETTINGS_CHANGE": - case "CHANGE_SESSION_LENGTH": 
- case "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS": - case "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET": - case "ENABLE_API_ACCESS": - case "CHANGE_WHITELIST_SETTING": - case "COMMUNICATION_PREFERENCES_SETTING_CHANGE": - case "ENABLE_FEEDBACK_SOLICITATION": - case "TOGGLE_CONTACT_SHARING": - case "TOGGLE_USE_CUSTOM_LOGO": - case "CHANGE_DATA_LOCALIZATION_SETTING": - case "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY": - case "TOGGLE_SSO_ENABLED": - case "TOGGLE_SSL": - case "TOGGLE_NEW_APP_FEATURES": - case "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL": - case "TOGGLE_OPEN_ID_ENABLED": - case "TOGGLE_OUTBOUND_RELAY": - case "CHANGE_SSO_SETTINGS": - case "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS": - case "CHANGE_MOBILE_APPLICATION_SETTINGS": - case "CHANGE_MOBILE_SETTING": - evt.AppendTo("event.category", "configuration") - evt.Put("event.type", ["change"]); - break; - case "UPDATE_BUILDING": - case "RENAME_CALENDAR_RESOURCE": - case "UPDATE_CALENDAR_RESOURCE": - case "CANCEL_CALENDAR_EVENTS": - case "RELEASE_CALENDAR_RESOURCES": - case "CHANGE_DEVICE_STATE": - case "CHANGE_CHROME_OS_DEVICE_ANNOTATION": - case "CHANGE_CHROME_OS_DEVICE_STATE": - case "UPDATE_CHROME_OS_PRINT_SERVER": - case "UPDATE_CHROME_OS_PRINTER": - case "MOVE_DEVICE_TO_ORG_UNIT_DETAILED": - case "UPDATE_DEVICE": - case "SEND_CHROME_OS_DEVICE_COMMAND": - case "ASSIGN_ROLE": - case "ADD_PRIVILEGE": - case "REMOVE_PRIVILEGE": - case "RENAME_ROLE": - case "UPDATE_ROLE": - case "UNASSIGN_ROLE": - case "TRANSFER_DOCUMENT_OWNERSHIP": - case "ORG_USERS_LICENSE_ASSIGNMENT": - case "ORG_ALL_USERS_LICENSE_ASSIGNMENT": - case "USER_LICENSE_ASSIGNMENT": - case "CHANGE_LICENSE_AUTO_ASSIGN": - case "USER_LICENSE_REASSIGNMENT": - case "ORG_LICENSE_REVOKE": - case "USER_LICENSE_REVOKE": - case "UPDATE_DYNAMIC_LICENSE": - case "DROP_FROM_QUARANTINE": - case "REJECT_FROM_QUARANTINE": - case "RELEASE_FROM_QUARANTINE": - case "CHROME_LICENSES_ENABLED": - case "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED": - case "ASSIGN_CUSTOM_LOGO": - case 
"UNASSIGN_CUSTOM_LOGO": - case "REVOKE_ENROLLMENT_TOKEN": - case "CHROME_LICENSES_ALLOWED": - case "EDIT_ORG_UNIT_DESCRIPTION": - case "MOVE_ORG_UNIT": - case "EDIT_ORG_UNIT_NAME": - case "REVOKE_DEVICE_ENROLLMENT_TOKEN": - case "TOGGLE_SERVICE_ENABLED": - case "ADD_TO_TRUSTED_OAUTH2_APPS": - case "REMOVE_FROM_TRUSTED_OAUTH2_APPS": - case "BLOCK_ON_DEVICE_ACCESS": - case "TOGGLE_CAA_ENABLEMENT": - case "CHANGE_CAA_ERROR_MESSAGE": - case "CHANGE_CAA_APP_ASSIGNMENTS": - case "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS": - case "TRUST_DOMAIN_OWNED_OAUTH2_APPS": - case "UNBLOCK_ON_DEVICE_ACCESS": - case "CHANGE_ACCOUNT_AUTO_RENEWAL": - case "ADD_APPLICATION": - case "ADD_APPLICATION_TO_WHITELIST": - case "CHANGE_ADVERTISEMENT_OPTION": - case "CHANGE_ALERT_CRITERIA": - case "ALERT_RECEIVERS_CHANGED": - case "RENAME_ALERT": - case "ALERT_STATUS_CHANGED": - case "ADD_DOMAIN_ALIAS": - case "REMOVE_DOMAIN_ALIAS": - case "AUTHORIZE_API_CLIENT_ACCESS": - case "REMOVE_API_CLIENT_ACCESS": - case "CHROME_LICENSES_REDEEMED": - case "TOGGLE_AUTO_ADD_NEW_SERVICE": - case "CHANGE_PRIMARY_DOMAIN": - case "CHANGE_CONFLICT_ACCOUNT_ACTION": - case "CHANGE_CUSTOM_LOGO": - case "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA": - case "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO": - case "CHANGE_DOMAIN_DEFAULT_LOCALE": - case "CHANGE_DOMAIN_DEFAULT_TIMEZONE": - case "CHANGE_DOMAIN_NAME": - case "TOGGLE_ENABLE_PRE_RELEASE_FEATURES": - case "CHANGE_DOMAIN_SUPPORT_MESSAGE": - case "ADD_TRUSTED_DOMAINS": - case "REMOVE_TRUSTED_DOMAINS": - case "CHANGE_EDU_TYPE": - case "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO": - case "CHANGE_LOGIN_BACKGROUND_COLOR": - case "CHANGE_LOGIN_BORDER_COLOR": - case "CHANGE_LOGIN_ACTIVITY_TRACE": - case "PLAY_FOR_WORK_ENROLL": - case "PLAY_FOR_WORK_UNENROLL": - case "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL": - case "CHANGE_ORGANIZATION_NAME": - case "CHANGE_PASSWORD_MAX_LENGTH": - case "CHANGE_PASSWORD_MIN_LENGTH": - case "REMOVE_APPLICATION": - case "REMOVE_APPLICATION_FROM_WHITELIST": - case 
"CHANGE_RENEW_DOMAIN_REGISTRATION": - case "CHANGE_RESELLER_ACCESS": - case "RULE_ACTIONS_CHANGED": - case "CHANGE_RULE_CRITERIA": - case "RENAME_RULE": - case "RULE_STATUS_CHANGED": - case "ADD_SECONDARY_DOMAIN": - case "REMOVE_SECONDARY_DOMAIN": - case "UPDATE_DOMAIN_SECONDARY_EMAIL": - case "UPDATE_RULE": - case "ADD_MOBILE_CERTIFICATE": - case "COMPANY_OWNED_DEVICE_BLOCKED": - case "COMPANY_OWNED_DEVICE_UNBLOCKED": - case "COMPANY_OWNED_DEVICE_WIPED": - case "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT": - case "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER": - case "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST": - case "ADD_MOBILE_APPLICATION_TO_WHITELIST": - case "CHANGE_ADMIN_RESTRICTIONS_PIN": - case "CHANGE_MOBILE_WIRELESS_NETWORK": - case "ADD_MOBILE_WIRELESS_NETWORK": - case "REMOVE_MOBILE_WIRELESS_NETWORK": - case "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD": - case "REMOVE_MOBILE_CERTIFICATE": - evt.Put("event.type", ["change"]); - break; - case "CREATE_APPLICATION_SETTING": - case "CREATE_GMAIL_SETTING": - evt.AppendTo("event.category", "configuration") - evt.Put("event.type", ["creation"]); - break; - case "CREATE_MANAGED_CONFIGURATION": - case "CREATE_BUILDING": - case "CREATE_CALENDAR_RESOURCE": - case "CREATE_CALENDAR_RESOURCE_FEATURE": - case "MEET_INTEROP_CREATE_GATEWAY": - case "INSERT_CHROME_OS_PRINT_SERVER": - case "INSERT_CHROME_OS_PRINTER": - case "CREATE_ROLE": - case "ADD_WEB_ADDRESS": - case "EMAIL_UNDELETE": - case "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED": - case "CREATE_DEVICE_ENROLLMENT_TOKEN": - case "CREATE_ENROLLMENT_TOKEN": - case "CREATE_ORG_UNIT": - case "CREATE_ALERT": - case "CREATE_PLAY_FOR_WORK_TOKEN": - case "GENERATE_TRANSFER_TOKEN": - case "REGENERATE_OAUTH_CONSUMER_SECRET": - case "CREATE_RULE": - case "GENERATE_PIN": - case "COMPANY_DEVICES_BULK_CREATION": - evt.Put("event.type", ["creation"]); - break; - case "DELETE_APPLICATION_SETTING": - case "DELETE_GMAIL_SETTING": - evt.AppendTo("event.category", "configuration") - 
evt.Put("event.type", ["deletion"]); - break; - case "DELETE_MANAGED_CONFIGURATION": - case "DELETE_BUILDING": - case "DELETE_CALENDAR_RESOURCE": - case "DELETE_CALENDAR_RESOURCE_FEATURE": - case "MEET_INTEROP_DELETE_GATEWAY": - case "DELETE_CHROME_OS_PRINT_SERVER": - case "DELETE_CHROME_OS_PRINTER": - case "REMOVE_CHROME_OS_APPLICATION_SETTINGS": - case "DELETE_ROLE": - case "DELETE_WEB_ADDRESS": - case "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED": - case "REMOVE_ORG_UNIT": - case "DELETE_ALERT": - case "DELETE_PLAY_FOR_WORK_TOKEN": - case "DELETE_RULE": - case "COMPANY_DEVICE_DELETION": - evt.Put("event.type", ["deletion"]); - break; - case "DELETE_GROUP": - evt.Put("event.type", ["group", "creation"]); - break; - case "CREATE_GROUP": - evt.Put("event.type", ["group", "creation"]); - break; - case "REORDER_GROUP_BASED_POLICIES_EVENT": - case "CHANGE_GROUP_DESCRIPTION": - case "ADD_GROUP_MEMBER": - case "REMOVE_GROUP_MEMBER": - case "UPDATE_GROUP_MEMBER": - case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS": - case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE": - case "CHANGE_GROUP_NAME": - case "CHANGE_GROUP_SETTING": - case "GROUP_MEMBER_BULK_UPLOAD": - case "WHITELISTED_GROUPS_UPDATED": - evt.Put("event.type", ["group", "change"]); - break; - case "REVOKE_3LO_DEVICE_TOKENS": - case "REVOKE_3LO_TOKEN": - case "ADD_RECOVERY_EMAIL": - case "ADD_RECOVERY_PHONE": - case "GRANT_ADMIN_PRIVILEGE": - case "REVOKE_ADMIN_PRIVILEGE": - case "REVOKE_ASP": - case "TOGGLE_AUTOMATIC_CONTACT_SHARING": - case "CANCEL_USER_INVITE": - case "CHANGE_USER_CUSTOM_FIELD": - case "CHANGE_USER_EXTERNAL_ID": - case "CHANGE_USER_GENDER": - case "CHANGE_USER_IM": - case "ENABLE_USER_IP_WHITELIST": - case "CHANGE_USER_KEYWORD": - case "CHANGE_USER_LANGUAGE": - case "CHANGE_USER_LOCATION": - case "CHANGE_USER_ORGANIZATION": - case "CHANGE_USER_PHONE_NUMBER": - case "CHANGE_RECOVERY_EMAIL": - case "CHANGE_RECOVERY_PHONE": - case "CHANGE_USER_RELATION": - case "CHANGE_USER_ADDRESS": 
- case "GRANT_DELEGATED_ADMIN_PRIVILEGES": - case "CHANGE_FIRST_NAME": - case "GMAIL_RESET_USER": - case "CHANGE_LAST_NAME": - case "MAIL_ROUTING_DESTINATION_ADDED": - case "MAIL_ROUTING_DESTINATION_REMOVED": - case "ADD_NICKNAME": - case "REMOVE_NICKNAME": - case "CHANGE_PASSWORD": - case "CHANGE_PASSWORD_ON_NEXT_LOGIN": - case "REMOVE_RECOVERY_EMAIL": - case "REMOVE_RECOVERY_PHONE": - case "RESET_SIGNIN_COOKIES": - case "SECURITY_KEY_REGISTERED_FOR_USER": - case "REVOKE_SECURITY_KEY": - case "TURN_OFF_2_STEP_VERIFICATION": - case "UNBLOCK_USER_SESSION": - case "UNENROLL_USER_FROM_TITANIUM": - case "ARCHIVE_USER": - case "UPDATE_BIRTHDATE": - case "DOWNGRADE_USER_FROM_GPLUS": - case "USER_ENROLLED_IN_TWO_STEP_VERIFICATION": - case "MOVE_USER_TO_ORG_UNIT": - case "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD": - case "RENAME_USER": - case "UNENROLL_USER_FROM_STRONG_AUTH": - case "SUSPEND_USER": - case "UNARCHIVE_USER": - case "UNSUSPEND_USER": - case "UPGRADE_USER_TO_GPLUS": - case "MOBILE_DEVICE_APPROVE": - case "MOBILE_DEVICE_BLOCK": - case "MOBILE_DEVICE_WIPE": - case "MOBILE_ACCOUNT_WIPE": - case "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE": - case "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK": - evt.Put("event.type", ["user", "change"]); - break; - case "DELETE_2SV_SCRATCH_CODES": - case "DELETE_ACCOUNT_INFO_DUMP": - case "DELETE_EMAIL_MONITOR": - case "DELETE_MAILBOX_DUMP": - case "DELETE_USER": - case "MOBILE_DEVICE_DELETE": - evt.Put("event.type", ["user", "deletion"]); - break; - case "GENERATE_2SV_SCRATCH_CODES": - case "CREATE_EMAIL_MONITOR": - case "CREATE_DATA_TRANSFER_REQUEST": - case "CREATE_USER": - case "UNDELETE_USER": - evt.Put("event.type", ["user", "creation"]); - break; - case "ISSUE_DEVICE_COMMAND": - case "DRIVE_DATA_RESTORE": - case "VIEW_SITE_DETAILS": - case "EMAIL_LOG_SEARCH": - case "SKIP_DOMAIN_ALIAS_MX": - case "VERIFY_DOMAIN_ALIAS_MX": - case "VERIFY_DOMAIN_ALIAS": - case "VIEW_DNS_LOGIN_DETAILS": - case "MX_RECORD_VERIFICATION_CLAIM": - case 
"UPLOAD_OAUTH_CERTIFICATE": - case "SKIP_SECONDARY_DOMAIN_MX": - case "VERIFY_SECONDARY_DOMAIN_MX": - case "VERIFY_SECONDARY_DOMAIN": - case "BULK_UPLOAD": - case "DOWNLOAD_PENDING_INVITES_LIST": - case "DOWNLOAD_USERLIST_CSV": - case "USERS_BULK_UPLOAD": - case "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT": - case "USE_GOOGLE_MOBILE_MANAGEMENT": - case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS": - case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS": - evt.Put("event.type", ["info"]); - break; - case "GROUP_LIST_DOWNLOAD": - case "GROUP_MEMBERS_DOWNLOAD": - evt.Put("event.type", ["group", "info"]); - break; - case "REQUEST_ACCOUNT_INFO": - case "REQUEST_MAILBOX_DUMP": - case "RESEND_USER_INVITE": - case "BULK_UPLOAD_NOTIFICATION_SENT": - case "USER_INVITE": - case "VIEW_TEMP_PASSWORD": - case "USERS_BULK_UPLOAD_NOTIFICATION_SENT": - case "ACTION_CANCELLED": - case "ACTION_REQUESTED": - evt.Put("event.type", ["user", "info"]); - break; - } - }; - - var getParamValue = function(param) { - if (param.value) { - return param.value; - } - if (param.multiValue) { - return param.multiValue; - } - if (param.intValue !== null) { - return param.intValue; - } - }; - - var flattenParams = function(evt) { - var params = evt.Get("json.events.parameters"); - if (!params || !Array.isArray(params)) { - return; - } - - params.forEach(function(p){ - evt.Put("gsuite.admin."+p.name, getParamValue(p)); - }); - - evt.Delete("json.events.parameters"); - }; - - var setGroupInfo = function(evt) { - var email = evt.Get("gsuite.admin.group.email"); - if (!email) { - return; - } - - var data = email.split("@"); - if (data.length !== 2) { - return; - } - - evt.Put("group.name", data[0]); - evt.Put("group.domain", data[1]); - }; - - var setRelatedUserInfo = function(evt) { - var email = evt.Get("gsuite.admin.user.email"); - if (!email) { - return; - } - - var data = email.split("@"); - if (data.length !== 2) { - return; - } - - evt.AppendTo("related.user", data[0]); - evt.Put("user.target.name", data[0]); - 
evt.Put("user.target.domain", data[1]); - evt.Put("user.target.email", email); - var groupName = evt.Get("group.name"); - if (groupName) { - evt.Put("user.target.group.name", groupName); - } - var groupDomain = evt.Get("group.domain"); - if (groupDomain) { - evt.Put("user.target.group.domain", groupDomain); - } - }; - - var setEventDuration = function(evt) { - var start = evt.Get("event.start"); - var end = evt.Get("event.end"); - if (!start || !end) { - return; - } - - evt.Put("event.duration", end.UnixNano() - start.UnixNano()); - }; - - var setEventOutcome = function(evt) { - var failed = evt.Get("gsuite.admin.group.bulk_upload.failed"); - if (failed === null) { - return; - } - - if (failed === 0) { - evt.Put("event.outcome", "success"); - } else { - evt.Put("event.outcome", "failure"); - } - }; - - var setGroupAllowedlist = function(evt) { - var allowedList = evt.Get("gsuite.admin.WHITELISTED_GROUPS"); - if (!allowedList) { - return; - } - - evt.Put("gsuite.admin.group.allowed_list", allowedList.split(",")); - evt.Delete("gsuite.admin.WHITELISTED_GROUPS"); - }; - - var deleteField = function(field) { - return function(evt) { - evt.Delete(field); - }; - }; - - var parseDate = function(field, targetField) { - return new processor.Chain() - .Add(new processor.Timestamp({ - field: field, - target_field: targetField, - timezone: "UTC", - layouts: [ - "2006-01-02T15:04:05Z", - "2006-01-02T15:04:05.999Z", - "2006/01/02 15:04:05 UTC", - ], - tests: [ - "2020-02-05T18:19:23Z", - "2020-02-05T18:19:23.599Z", - "2020/07/28 04:59:59 UTC", - ], - ignore_missing: true, - })) - .Add(deleteField(field)) - .Build() - }; - - var pipeline = new processor.Chain() - .Add(categorizeEvent) - .Add(flattenParams) - .Convert({ - fields: [ - { - from: "gsuite.admin.APPLICATION_EDITION", - to: "gsuite.admin.application.edition", - }, - { - from: "gsuite.admin.APPLICATION_NAME", - to: "gsuite.admin.application.name", - }, - { - from: "gsuite.admin.APPLICATION_ENABLED", - to: 
"gsuite.admin.application.enabled", - }, - { - from: "gsuite.admin.APP_LICENSES_ORDER_NUMBER", - to: "gsuite.admin.application.licences_order_number", - }, - { - from: "gsuite.admin.CHROME_NUM_LICENSES_PURCHASED", - to: "gsuite.admin.application.licences_purchased", - type: "long", - }, - { - from: "gsuite.admin.REAUTH_APPLICATION", - to: "gsuite.admin.application.name", - }, - { - from: "gsuite.admin.GROUP_EMAIL", - to: "gsuite.admin.group.email", - }, - { - from: "gsuite.admin.GROUP_NAME", - to: "group.name", - }, - { - from: "gsuite.admin.NEW_VALUE", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.OLD_VALUE", - to: "gsuite.admin.old_value", - }, - { - from: "gsuite.admin.ORG_UNIT_NAME", - to: "gsuite.admin.org_unit.name", - }, - { - from: "gsuite.admin.SETTING_NAME", - to: "gsuite.admin.setting.name", - }, - { - from: "gsuite.admin.SETTING_DESCRIPTION", - to: "gsuite.admin.setting.description", - }, - { - from: "gsuite.admin.USER_DEFINED_SETTING_NAME", - to: "gsuite.admin.user_defined_setting.name", - }, - { - from: "gsuite.admin.GROUP_PRIORITIES", - to: "gsuite.admin.group.priorities", - }, - { - from: "gsuite.admin.DOMAIN_NAME", - to: "gsuite.admin.domain.name", - }, - { - from: "gsuite.admin.DOMAIN_ALIAS", - to: "gsuite.admin.domain.alias", - }, - { - from: "gsuite.admin.SECONDARY_DOMAIN_NAME", - to: "gsuite.admin.domain.secondary_name", - }, - { - from: "gsuite.admin.MANAGED_CONFIGURATION_NAME", - to: "gsuite.admin.managed_configuration", - }, - { - from: "gsuite.admin.MOBILE_APP_PACKAGE_ID", - to: "gsuite.admin.application.package_id", - }, - { - from: "gsuite.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION", - to: "gsuite.admin.non_featured_services_selection", - }, - { - from: "gsuite.admin.FIELD_NAME", - to: "gsuite.admin.field", - }, - { - from: "gsuite.admin.RESOURCE_IDENTIFIER", - to: "gsuite.admin.resource.id", - }, - { - from: "gsuite.admin.USER_EMAIL", - to: "gsuite.admin.user.email", - }, - { - from: 
"gsuite.admin.GATEWAY_NAME", - to: "gsuite.admin.gateway.name", - }, - { - from: "gsuite.admin.APP_ID", - to: "gsuite.admin.application.id", - }, - { - from: "gsuite.admin.ASP_ID", - to: "gsuite.admin.application.asp_id", - }, - { - from: "gsuite.admin.CHROME_OS_SESSION_TYPE", - to: "gsuite.admin.chrome_os.session_type", - }, - { - from: "gsuite.admin.DEVICE_NEW_STATE", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.DEVICE_PREVIOUS_STATE", - to: "gsuite.admin.old_value", - }, - { - from: "gsuite.admin.DEVICE_SERIAL_NUMBER", - to: "gsuite.admin.device.serial_number", - }, - { - from: "gsuite.admin.DEVICE_ID", - to: "gsuite.admin.device.id", - }, - { - from: "gsuite.admin.DEVICE_TYPE", - to: "gsuite.admin.device.type", - }, - { - from: "gsuite.admin.PRINT_SERVER_NAME", - to: "gsuite.admin.print_server.name", - }, - { - from: "gsuite.admin.PRINTER_NAME", - to: "gsuite.admin.printer.name", - }, - { - from: "gsuite.admin.DEVICE_COMMAND_DETAILS", - to: "gsuite.admin.device.command_details", - }, - { - from: "gsuite.admin.DEVICE_NEW_ORG_UNIT", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.DEVICE_PREVIOUS_ORG_UNIT", - to: "gsuite.admin.old_value", - }, - { - from: "gsuite.admin.ROLE_NAME", - to: "gsuite.admin.role.name", - }, - { - from: "gsuite.admin.ROLE_ID", - to: "gsuite.admin.role.id", - }, - { - from: "gsuite.admin.PRIVILEGE_NAME", - to: "gsuite.admin.privilege.name", - }, - { - from: "gsuite.admin.SITE_LOCATION", - to: "url.path", - }, - { - from: "gsuite.admin.WEB_ADDRESS", - to: "url.full", - }, - { - from: "gsuite.admin.SITE_NAME", - to: "gsuite.admin.url.name", - }, - { - from: "gsuite.admin.SERVICE_NAME", - to: "gsuite.admin.service.name", - }, - { - from: "gsuite.admin.PRODUCT_NAME", - to: "gsuite.admin.product.name", - }, - { - from: "gsuite.admin.SKU_NAME", - to: "gsuite.admin.product.sku", - }, - { - from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER", - to: "gsuite.admin.bulk_upload.failed", - type: "long", - }, - { 
- from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER", - to: "gsuite.admin.bulk_upload.total", - type: "long", - }, - { - from: "gsuite.admin.BULK_UPLOAD_FAIL_USERS_NUMBER", - to: "gsuite.admin.bulk_upload.failed", - type: "long", - }, - { - from: "gsuite.admin.BULK_UPLOAD_TOTAL_USERS_NUMBER", - to: "gsuite.admin.bulk_upload.total", - type: "long", - }, - { - from: "gsuite.admin.EMAIL_LOG_SEARCH_MSG_ID", - to: "gsuite.admin.email.log_search_filter.message_id", - }, - { - from: "gsuite.admin.EMAIL_LOG_SEARCH_RECIPIENT", - to: "gsuite.admin.email.log_search_filter.recipient.value", - }, - { - from: "gsuite.admin.EMAIL_LOG_SEARCH_SENDER", - to: "gsuite.admin.email.log_search_filter.sender.value", - }, - { - from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP", - to: "gsuite.admin.email.log_search_filter.recipient.ip", - type: "ip", - }, - { - from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP", - to: "gsuite.admin.email.log_search_filter.sender.ip", - type: "ip", - }, - { - from: "gsuite.admin.QUARANTINE_NAME", - to: "gsuite.admin.email.quarantine_name", - }, - { - from: "gsuite.admin.CHROME_LICENSES_ENABLED", - to: "gsuite.admin.chrome_licenses.enabled", - }, - { - from: "gsuite.admin.CHROME_LICENSES_ALLOWED", - to: "gsuite.admin.chrome_licenses.allowed", - }, - { - from: "gsuite.admin.FULL_ORG_UNIT_PATH", - to: "gsuite.admin.org_unit.full", - }, - { - from: "gsuite.admin.OAUTH2_SERVICE_NAME", - to: "gsuite.admin.oauth2.service.name", - }, - { - from: "gsuite.admin.OAUTH2_APP_ID", - to: "gsuite.admin.oauth2.application.id", - }, - { - from: "gsuite.admin.OAUTH2_APP_NAME", - to: "gsuite.admin.oauth2.application.name", - }, - { - from: "gsuite.admin.OAUTH2_APP_TYPE", - to: "gsuite.admin.oauth2.application.type", - }, - { - from: "gsuite.admin.ALLOWED_TWO_STEP_VERIFICATION_METHOD", - to: "gsuite.admin.verification_method", - }, - { - from: "gsuite.admin.DOMAIN_VERIFICATION_METHOD", - to: "gsuite.admin.verification_method", - }, - { - from: 
"gsuite.admin.CAA_ASSIGNMENTS_NEW", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.CAA_ASSIGNMENTS_OLD", - to: "gsuite.admin.old_value", - }, - { - from: "gsuite.admin.REAUTH_SETTING_NEW", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.REAUTH_SETTING_OLD", - to: "gsuite.admin.old_value", - }, - { - from: "gsuite.admin.ALERT_NAME", - to: "gsuite.admin.alert.name", - }, - { - from: "gsuite.admin.API_CLIENT_NAME", - to: "gsuite.admin.api.client.name", - }, - { - from: "gsuite.admin.API_SCOPES", - to: "gsuite.admin.api.scopes", - }, - { - from: "gsuite.admin.PLAY_FOR_WORK_TOKEN_ID", - to: "gsuite.admin.mdm.token", - }, - { - from: "gsuite.admin.PLAY_FOR_WORK_MDM_VENDOR_NAME", - to: "gsuite.admin.mdm.vendor", - }, - { - from: "gsuite.admin.INFO_TYPE", - to: "gsuite.admin.info_type", - }, - { - from: "gsuite.admin.RULE_NAME", - to: "gsuite.admin.rule.name", - }, - { - from: "gsuite.admin.USER_CUSTOM_FIELD", - to: "gsuite.admin.setting.name", - }, - { - from: "gsuite.admin.EMAIL_MONITOR_DEST_EMAIL", - to: "gsuite.admin.email_monitor.dest_email", - }, - { - from: "gsuite.admin.EMAIL_MONITOR_LEVEL_CHAT", - to: "gsuite.admin.email_monitor.level.chat", - }, - { - from: "gsuite.admin.EMAIL_MONITOR_LEVEL_DRAFT_EMAIL", - to: "gsuite.admin.email_monitor.level.draft", - }, - { - from: "gsuite.admin.EMAIL_MONITOR_LEVEL_INCOMING_EMAIL", - to: "gsuite.admin.email_monitor.level.incoming", - }, - { - from: "gsuite.admin.EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL", - to: "gsuite.admin.email_monitor.level.outgoing", - }, - { - from: "gsuite.admin.EMAIL_EXPORT_INCLUDE_DELETED", - to: "gsuite.admin.email_dump.include_deleted", - }, - { - from: "gsuite.admin.EMAIL_EXPORT_PACKAGE_CONTENT", - to: "gsuite.admin.email_dump.package_content", - }, - { - from: "gsuite.admin.SEARCH_QUERY_FOR_DUMP", - to: "gsuite.admin.email_dump.query", - }, - { - from: "gsuite.admin.DESTINATION_USER_EMAIL", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.REQUEST_ID", - to: 
"gsuite.admin.request.id", - }, - { - from: "gsuite.admin.GMAIL_RESET_REASON", - to: "message", - }, - { - from: "gsuite.admin.USER_NICKNAME", - to: "gsuite.admin.user.nickname", - }, - { - from: "gsuite.admin.ACTION_ID", - to: "gsuite.admin.mobile.action.id", - }, - { - from: "gsuite.admin.ACTION_TYPE", - to: "gsuite.admin.mobile.action.type", - }, - { - from: "gsuite.admin.MOBILE_CERTIFICATE_COMMON_NAME", - to: "gsuite.admin.mobile.certificate.name", - }, - { - from: "gsuite.admin.NUMBER_OF_COMPANY_OWNED_DEVICES", - to: "gsuite.admin.mobile.company_owned_devices", - type: "long", - }, - { - from: "gsuite.admin.COMPANY_DEVICE_ID", - to: "gsuite.admin.device.id", - }, - { - from: "gsuite.admin.DISTRIBUTION_ENTITY_NAME", - to: "gsuite.admin.distribution.entity.name", - }, - { - from: "gsuite.admin.DISTRIBUTION_ENTITY_TYPE", - to: "gsuite.admin.distribution.entity.type", - }, - { - from: "gsuite.admin.MOBILE_APP_PACKAGE_ID", - to: "gsuite.admin.application.package_id", - }, - { - from: "gsuite.admin.NEW_PERMISSION_GRANT_STATE", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.OLD_PERMISSION_GRANT_STATE", - to: "gsuite.admin.old_value", - }, - { - from: "gsuite.admin.PERMISSION_GROUP_NAME", - to: "gsuite.admin.setting.name", - }, - { - from: "gsuite.admin.MOBILE_WIRELESS_NETWORK_NAME", - to: "network.name", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(parseDate( - "gsuite.admin.EMAIL_LOG_SEARCH_END_DATE", - "gsuite.admin.email.log_search_filter.end_date" - )) - .Add(parseDate( - "gsuite.admin.EMAIL_LOG_SEARCH_START_DATE", - "gsuite.admin.email.log_search_filter.start_date" - )) - .Add(parseDate( - "gsuite.admin.BIRTHDATE", - "gsuite.admin.user.birthdate" - )) - .Add(parseDate( - "gsuite.admin.BEGIN_DATE_TIME", - "event.start" - )) - .Add(parseDate( - "gsuite.admin.START_DATE", - "event.start" - )) - .Add(parseDate( - "gsuite.admin.END_DATE", - "event.end" - )) - .Add(parseDate( - "gsuite.admin.END_DATE_TIME", - 
"event.end"
- ))
- .Add(setGroupInfo)
- .Add(setRelatedUserInfo)
- .Add(setEventDuration)
- .Add(setEventOutcome)
- .Add(setGroupAllowedlist)
- .Build();
-
- return {
- process: pipeline.Run,
- };
-}());
-
-function process(evt) {
- return login.process(evt);
-}
diff --git a/x-pack/filebeat/module/gsuite/admin/manifest.yml b/x-pack/filebeat/module/gsuite/admin/manifest.yml
deleted file mode 100644
index c5992776ac0..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/manifest.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-module_version: 1.0
-
-var:
- - name: input
- default: httpjson
- - name: jwt_file
- - name: delegated_account
- - name: initial_interval
- default: 24h
- - name: http_client_timeout
- default: 60s
- - name: user_key
- default: all
- - name: interval
- default: 2h
- - name: tags
- default: [forwarded]
- - name: proxy_url
-
-input: config/config.yml
-ingest_pipeline: ../ingest/common.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log
deleted file mode 100644
index 2d2d36e96a3..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log
+++ /dev/null
@@ -1,9 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json
deleted file mode 100644
index ab7e42ab458..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json
+++ /dev/null
@@ -1,499 +0,0 @@ -[ - { - "event.action": "CHANGE_APPLICATION_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.edition": "basic", - "gsuite.admin.application.name": "drive", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - 
"source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_APPLICATION_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.edition": "basic", - "gsuite.admin.application.name": "drive", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 
641, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_APPLICATION_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.edition": "basic", - 
"gsuite.admin.application.name": "drive", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1247, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - 
"event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "drive", - "gsuite.admin.group.priorities": [ - "a", - "b" - ], - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1853, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "GPLUS_PREMIUM_FEATURES", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": 
"admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2346, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_MANAGED_CONFIGURATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - 
"gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "1234", - "gsuite.admin.managed_configuration": "a", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2770, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_MANAGED_CONFIGURATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - 
"gsuite.admin.application.package_id": "1234", - "gsuite.admin.managed_configuration": "a", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3218, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_MANAGED_CONFIGURATION", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "1234", 
- "gsuite.admin.managed_configuration": "a", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3666, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.non_featured_services_selection": 
"FLASHLIGHT_EDU_SELECTION_MANUAL", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4114, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log deleted file mode 100644 index bcbed9ee886..00000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log +++ /dev/null 
@@ -1,13 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
deleted file mode 100644
index 3772a9892a4..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
+++ /dev/null
@@ -1,702 +0,0 @@ -[ - { - "event.action": "CREATE_BUILDING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_BUILDING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", 
- "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 414, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_BUILDING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.field": "field", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.resource.id": "1234", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 828, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_CALENDAR_RESOURCE", - 
"event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1361, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_CALENDAR_RESOURCE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": 
"gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1784, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2207, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2638, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.field": "field", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.resource.id": "1234", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3069, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": 
"RENAME_CALENDAR_RESOURCE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3619, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_CALENDAR_RESOURCE", - 
"event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.field": "field", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.resource.id": "1234", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4077, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - 
"forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CALENDAR_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4619, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - 
"source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CANCEL_CALENDAR_EVENTS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5208, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": 
"98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "RELEASE_CALENDAR_RESOURCES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5598, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - 
"source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo",
- "user.target.domain": "example.com",
- "user.target.email": "user@example.com",
- "user.target.name": "user"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log
deleted file mode 100644
index b078b332402..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log
+++ /dev/null
@@ -1,4 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json
deleted file mode 100644
index 74ff813ecdd..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json
+++ /dev/null
@@ -1,215 +0,0 @@ -[ - { - "event.action": "MEET_INTEROP_CREATE_GATEWAY", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.gateway.name": "gateway", - "gsuite.event.type": "CHAT_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MEET_INTEROP_DELETE_GATEWAY", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.gateway.name": "gateway", - "gsuite.event.type": "CHAT_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 384, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MEET_INTEROP_MODIFY_GATEWAY", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.gateway.name": "gateway", - "gsuite.event.type": "CHAT_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 768, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CHAT_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHAT_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1152, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - 
"source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log
deleted file mode 100644
index 9c3bd721f39..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log
+++ /dev/null
@@ -1,21 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json
deleted file mode 100644
index ed4950f5b6c..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json
+++ /dev/null
@@ -1,1132 +0,0 @@ -[ - { - "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.id": "2345", - "gsuite.admin.chrome_os.session_type": "type", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - 
"source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DEVICE_STATE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.device.type": "type", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "prev", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 648, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": 
"State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.id": "2345", - "gsuite.admin.chrome_os.session_type": "type", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - 
"gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1162, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "2345", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "CHROME_OS_SETTINGS", - 
"gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1802, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "2345", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2233, - "organization.id": "1", - 
"related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": 
"elastic.com", - "input.type": "log", - "log.offset": 2634, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "CHROME_OS_SETTINGS", - 
"gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3136, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": 
"org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3641, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "INSERT_CHROME_OS_PRINT_SERVER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.print_server.name": "server", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": 
"elastic.com", - "input.type": "log", - "log.offset": 4151, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_CHROME_OS_PRINT_SERVER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.print_server.name": "server", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4546, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - 
"service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.print_server.name": "server", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4941, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": 
"gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "INSERT_CHROME_OS_PRINTER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.printer.name": "printer", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5406, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North 
America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_CHROME_OS_PRINTER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.printer.name": "printer", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5792, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - 
"source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_CHROME_OS_PRINTER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.printer.name": "printer", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6178, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", 
- "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CHROME_OS_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6634, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - 
"source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CHROME_OS_USER_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7135, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - 
"source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ISSUE_DEVICE_COMMAND", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.command_details": [ - "-a", - "command" - ], - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7635, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - 
"source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.device.type": "type", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "prev", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8124, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, 
LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.id": "1234", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8657, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United 
States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_DEVICE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9047, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": 
"US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CONTACTS_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CONTACTS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9465, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": 
"US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log
deleted file mode 100644
index 5aececc68aa..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log
+++ /dev/null
@@ -1 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json
deleted file mode 100644
index 00c54f3096f..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json
+++ /dev/null
@@ -1,58 +0,0 @@
-[
- {
- "event.action": "CHANGE_CONTACTS_SETTING",
- "event.category": [
- "configuration",
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.domain.name": "example.com",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.setting.name": "setting",
- "gsuite.event.type": "CONTACTS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 0,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log
deleted file mode 100644
index da76df3f767..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log
+++ /dev/null
@@ -1,8 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json
deleted file mode 100644
index 01b558fdf49..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json
+++ /dev/null
@@ -1,430 +0,0 @@
-[
- {
- "event.action": "ASSIGN_ROLE",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE",
- "gsuite.admin.user.email": "user@example.com",
- "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 0,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo",
- "user"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo",
- "user.target.domain": "example.com",
- "user.target.email": "user@example.com",
- "user.target.name": "user"
- },
- {
- "event.action": "CREATE_ROLE",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "creation"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.role.id": "1234",
- "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE",
- "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 483,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "DELETE_ROLE",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "deletion"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.role.id": "1234",
- "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE",
- "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 912,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "ADD_PRIVILEGE",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.privilege.name": "privilege",
- "gsuite.admin.role.id": "1234",
- "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE",
- "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 1341,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "REMOVE_PRIVILEGE",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.privilege.name": "privilege",
- "gsuite.admin.role.id": "1234",
- "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE",
- "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 1818,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "RENAME_ROLE",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE",
- "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 2298,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "UPDATE_ROLE",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.role.id": "1234",
- "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE",
- "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 2728,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "UNASSIGN_ROLE",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE",
- "gsuite.admin.user.email": "user@example.com",
- "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 3157,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo",
- "user"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo",
- "user.target.domain": "example.com",
- "user.target.email": "user@example.com",
- "user.target.name": "user"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log
deleted file mode 100644
index c3166fb87d2..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log
+++ /dev/null
@@ -1,3 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
deleted file mode 100644
index e22c5444b0f..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
+++ /dev/null
@@ -1,176 +0,0 @@
-[
- {
- "event.action": "TRANSFER_DOCUMENT_OWNERSHIP",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.domain.name": "example.com",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.user.email": "user@example.com",
- "gsuite.event.type": "DOCS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 0,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo",
- "user"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo",
- "user.target.domain": "example.com",
- "user.target.email": "user@example.com",
- "user.target.name": "user"
- },
- {
- "event.action": "DRIVE_DATA_RESTORE",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.duration": 10800000000000,
- "event.end": "2002-10-02T15:00:00.000Z",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
- "event.provider": "admin",
- "event.start": "2002-10-02T12:00:00.000Z",
- "event.type": [
- "info"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.user.email": "user@example.com",
- "gsuite.event.type": "DOCS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 471,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo",
- "user"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo",
- "user.target.domain": "example.com",
- "user.target.email": "user@example.com",
- "user.target.name": "user"
- },
- {
- "event.action": "CHANGE_DOCS_SETTING",
- "event.category": [
- "configuration",
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "group.domain": "example.com",
- "group.name": "group",
- "gsuite.actor.type": "USER",
- "gsuite.admin.domain.name": "example.com",
- "gsuite.admin.group.email": "group@example.com",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.setting.name": "setting",
- "gsuite.event.type": "DOCS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 967,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log
deleted file mode 100644
index b452d9e8d94..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log
+++ /dev/null
@@ -1,85 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ACCOUNT_AUTO_RENEWAL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"NON_AUTO_RENEWAL"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_ENABLED","value":"app enabled"},{"name":"APPLICATION_NAME","value":"app name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_ALERT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_STATUS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"DOMAIN_VERIFICATION_METHOD","value":"ANALYTICS"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_API_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"true"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"},{"name":"API_SCOPES","multiValue":["a","b"]}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHROME_LICENSES_REDEEMED","parameters":[{"name":"APP_LICENSES_ORDER_NUMBER","value":"abcd123"},{"name":"APPLICATION_NAME","value":"app name"},{"name":"CHROME_NUM_LICENSES_PURCHASED","intValue":1}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_AUTO_ADD_NEW_SERVICE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PRIMARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_WHITELIST_SETTING","parameters":[{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"COMMUNICATION_PREFERENCES_SETTING_CHANGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CONFLICT_ACCOUNT_ACTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_FEEDBACK_SOLICITATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_CONTACT_SHARING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VIEW_DNS_LOGIN_DETAILS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_LOCALE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_TIMEZONE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_PRE_RELEASE_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_SUPPORT_MESSAGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EDU_TYPE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSO_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_TRANSFER_TOKEN"}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BACKGROUND_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BORDER_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_ACTIVITY_TRACE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_ENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"},{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_UNENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"MX_RECORD_VERIFICATION_CLAIM","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_NEW_APP_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPLOAD_OAUTH_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REGENERATE_OAUTH_CONSUMER_SECRET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OPEN_ID_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ORGANIZATION_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OUTBOUND_RELAY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MAX_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MIN_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RENEW_DOMAIN_REGISTRATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RESELLER_ACCESS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_ACTIONS_CHANGED","parameters":[{"name":"RULE_NAME","value":"rule"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RULE_CRITERIA","parameters":[{"name":"RULE_NAME","value":"rule"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_RULE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_STATUS_CHANGED","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RULE_NAME","value":"rule"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_SECONDARY_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_SSO_SETTINGS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_PIN"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json deleted file mode 100644 index 404587a6647..00000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json +++ /dev/null 
@@ -1,4459 +0,0 @@ -[ - { - "event.action": "CHANGE_ACCOUNT_AUTO_RENEWAL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "NON_AUTO_RENEWAL", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_APPLICATION", - "event.category": [ - 
"iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.enabled": "app enabled", - "gsuite.admin.application.id": "id", - "gsuite.admin.application.name": "app name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 437, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_APPLICATION_TO_WHITELIST", - "event.category": [ - 
"iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.id": "id", - "gsuite.admin.application.name": "app name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 900, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_ADVERTISEMENT_OPTION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1323, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_ALERT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.alert.name": "alert name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1782, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_ALERT_CRITERIA", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.alert.name": "alert name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2154, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_ALERT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.alert.name": "alert name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2535, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ALERT_RECEIVERS_CHANGED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.alert.name": "alert name", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2907, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "RENAME_ALERT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3360, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ALERT_STATUS_CHANGED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.alert.name": "alert name", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3759, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_DOMAIN_ALIAS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.alias": "alias", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4209, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_DOMAIN_ALIAS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.alias": "alias", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4627, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "SKIP_DOMAIN_ALIAS_MX", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.alias": "alias", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5048, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "VERIFY_DOMAIN_ALIAS_MX", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.alias": "alias", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5470, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "VERIFY_DOMAIN_ALIAS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.alias": "alias", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.verification_method": "ANALYTICS", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5894, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": 
"gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6373, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6803, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ENABLE_API_ACCESS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.admin.old_value": "true", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7235, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "AUTHORIZE_API_CLIENT_ACCESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.api.client.name": "api client", - "gsuite.admin.api.scopes": [ - "a", - "b" - ], - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7687, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_API_CLIENT_ACCESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.api.client.name": "api client", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8169, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHROME_LICENSES_REDEEMED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.licences_order_number": "abcd123", - "gsuite.admin.application.licences_purchased": 1, - "gsuite.admin.application.name": "app name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8603, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": 
"1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9100, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_PRIMARY_DOMAIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9526, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_WHITELIST_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "false", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9946, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10401, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", - "event.category": [ - "iam" - ], - "event.dataset": 
"gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10917, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ENABLE_FEEDBACK_SOLICITATION", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": 
"gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11381, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_CONTACT_SHARING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": 
"gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11843, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.mdm.token": "token", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12264, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_USE_CUSTOM_LOGO", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12657, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CUSTOM_LOGO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13078, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13458, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13919, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.info_type": "ADDRESS", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14377, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.mdm.token": "token", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14846, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "VIEW_DNS_LOGIN_DETAILS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15239, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15623, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16083, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DOMAIN_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16545, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16960, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 17391, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_TRUSTED_DOMAINS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 17852, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_TRUSTED_DOMAINS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18233, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_EDU_TYPE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18617, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19064, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_SSO_ENABLED", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19493, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_SSL", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19908, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.info_type": "ADDRESS", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 20315, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "GENERATE_TRANSFER_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 20778, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 21103, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_LOGIN_BORDER_COLOR", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 21564, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 22021, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "PLAY_FOR_WORK_ENROLL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.mdm.token": "token", - "gsuite.admin.mdm.vendor": "vendor", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 22480, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "PLAY_FOR_WORK_UNENROLL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.mdm.vendor": "vendor", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 22925, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MX_RECORD_VERIFICATION_CLAIM", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 23322, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "TOGGLE_NEW_APP_FEATURES", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 23761, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 24181, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPLOAD_OAUTH_CERTIFICATE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 24611, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 24997, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_OPEN_ID_ENABLED", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 25391, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_ORGANIZATION_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 25810, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_OUTBOUND_RELAY", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 26266, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_PASSWORD_MAX_LENGTH", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", 
- "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 26758, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_PASSWORD_MIN_LENGTH", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 27216, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 27674, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 28139, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_APPLICATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.id": "appid", - "gsuite.admin.application.name": "app name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 28610, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.id": "appid", - "gsuite.admin.application.name": "app name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29026, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29457, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_RESELLER_ACCESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29921, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "RULE_ACTIONS_CHANGED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.rule.name": "rule", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 30330, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_RULE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.rule.name": "rule", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 30703, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_RULE_CRITERIA", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.rule.name": "rule", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 31067, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_RULE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.rule.name": "rule", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 31440, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "RENAME_RULE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 31804, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "RULE_STATUS_CHANGED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.rule.name": "rule", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 32202, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_SECONDARY_DOMAIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.domain.secondary_name": "example2.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 32644, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_SECONDARY_DOMAIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.domain.secondary_name": "example2.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 33082, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "SKIP_SECONDARY_DOMAIN_MX", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.domain.secondary_name": "example2.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 33523, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "VERIFY_SECONDARY_DOMAIN_MX", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.domain.secondary_name": "example2.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 33965, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "VERIFY_SECONDARY_DOMAIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.domain.secondary_name": "example2.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 34409, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 34850, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_SSO_SETTINGS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 35311, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "GENERATE_PIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 35692, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_RULE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.rule.name": "rule", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 36006, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log deleted file mode 100644 index dc0842dc0d4..00000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log +++ /dev/null 
@@ -1,9 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2020/07/28 04:59:59 UTC"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json deleted file mode 100644 index 69ddb7692a2..00000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json +++ /dev/null 
@@ -1,497 +0,0 @@ -[ - { - "event.action": "DROP_FROM_QUARANTINE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email.log_search_filter.message_id": "id", - "gsuite.admin.email.quarantine_name": "quarantine", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "EMAIL_LOG_SEARCH", - 
"event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2020/07/28 04:59:59 UTC\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email.log_search_filter.end_date": "2020-07-28T04:59:59.000Z", - "gsuite.admin.email.log_search_filter.message_id": "id", - "gsuite.admin.email.log_search_filter.recipient.ip": "1.1.1.1", - "gsuite.admin.email.log_search_filter.recipient.value": "recipient", - "gsuite.admin.email.log_search_filter.sender.ip": "1.1.1.1", - "gsuite.admin.email.log_search_filter.sender.value": "sender", - "gsuite.admin.email.log_search_filter.start_date": "2002-10-02T10:00:00.000Z", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 432, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, 
LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "EMAIL_UNDELETE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.duration": 7200000000000, - "event.end": "2002-10-02T12:00:00.000Z", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", - "event.provider": "admin", - "event.start": "2002-10-02T10:00:00.000Z", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1188, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - 
"source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_EMAIL_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - 
"gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1671, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_GMAIL_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", - "event.provider": "admin", - "event.type": [ - 
"change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.description": "setting description", - "gsuite.admin.setting.name": "setting", - "gsuite.admin.user_defined_setting.name": "setting name", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2254, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_GMAIL_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting 
description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.description": "setting description", - "gsuite.admin.setting.name": "setting", - "gsuite.admin.user_defined_setting.name": "setting name", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2792, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_GMAIL_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.description": "setting description", - "gsuite.admin.setting.name": "setting", - "gsuite.admin.user_defined_setting.name": "setting name", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3330, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REJECT_FROM_QUARANTINE", 
- "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email.log_search_filter.message_id": "id", - "gsuite.admin.email.quarantine_name": "quarantine", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3868, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "RELEASE_FROM_QUARANTINE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email.log_search_filter.message_id": "id", - "gsuite.admin.email.quarantine_name": "quarantine", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4302, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log
deleted file mode 100644
index 2c60ded89cc..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log
+++ /dev/null
@@ -1,14 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json deleted file mode 100644 index 7cc876ea788..00000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json +++ /dev/null 
@@ -1,798 +0,0 @@ -[ - { - "event.action": "CREATE_GROUP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_GROUP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 379, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_GROUP_DESCRIPTION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 758, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "GROUP_LIST_DOWNLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}", - "event.provider": "admin", - "event.type": [ - "group", - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1149, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_GROUP_MEMBER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1469, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, 
- { - "event.action": "REMOVE_GROUP_MEMBER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1901, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - 
"user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "UPDATE_GROUP_MEMBER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2336, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - 
"source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2841, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - 
"service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": 
"group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3364, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "GROUP_MEMBER_BULK_UPLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.bulk_upload.failed": 0, - "gsuite.admin.bulk_upload.total": 10, - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3906, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "GROUP_MEMBERS_DOWNLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", - "event.provider": "admin", - "event.type": [ - "group", - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4370, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_GROUP_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4693, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_GROUP_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5112, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "WHITELISTED_GROUPS_UPDATED", - 
"event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.group.allowed_list": [ - "a", - "b", - "c" - ], - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5611, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log
deleted file mode 100644
index c028ff6ba1c..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log
+++ /dev/null
@@ -1,8 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json
deleted file mode 100644
index 2f36dd24262..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json
+++ /dev/null
@@ -1,440 +0,0 @@ -[ - { - "event.action": "ORG_USERS_LICENSE_ASSIGNMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.name": "product", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - 
"event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.name": "product", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 463, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": 
"USER_LICENSE_ASSIGNMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.product.name": "product", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 930, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": 
"example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.product.name": "product", - "gsuite.admin.product.sku": "sku", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1398, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - 
"user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "USER_LICENSE_REASSIGNMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.product.name": "product", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1854, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - 
"source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ORG_LICENSE_REVOKE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.name": "product", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2359, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - 
"source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "USER_LICENSE_REVOKE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.old_value": "old", - "gsuite.admin.product.name": "product", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2812, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - 
"source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UPDATE_DYNAMIC_LICENSE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.name": "product", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3276, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - 
"source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log
deleted file mode 100644
index 69c376c4453..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log
+++ /dev/null
@@ -1,31 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_CANCELLED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_REQUESTED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"name"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICES_BULK_CREATION","parameters":[{"name":"NUMBER_OF_COMPANY_OWNED_DEVICES","intValue":10}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_BLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICE_DELETION","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_UNBLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_WIPED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","parameters":[{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"GROUP"},{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"NEW_PERMISSION_GRANT_STATE","value":"GRANTED"},{"name":"OLD_PERMISSION_GRANT_STATE","value":"DENIED"},{"name":"PERMISSION_GROUP_NAME","value":"LOCATION"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_SETTINGS","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_APPLICATION_TO_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_DELETE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_ADMIN_RESTRICTIONS_PIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"cert"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS"}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_ACCOUNT_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
deleted file mode 100644
index 2dbefb68450..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
+++ /dev/null
@@ -1,1688 +0,0 @@ -[ - { - "event.action": "ACTION_CANCELLED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.mobile.action.id": "id", - "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - 
"source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ACTION_REQUESTED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.mobile.action.id": "id", - "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 534, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", 
- "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ADD_MOBILE_CERTIFICATE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.mobile.certificate.name": "name", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1068, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - 
"source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "COMPANY_DEVICES_BULK_CREATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.mobile.company_owned_devices": 10, - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1548, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United 
States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "COMPANY_OWNED_DEVICE_BLOCKED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1951, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - 
"source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "COMPANY_DEVICE_DELETION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2376, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - 
"source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2796, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - 
"source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "COMPANY_OWNED_DEVICE_WIPED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3223, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": 
"foo" - }, - { - "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.distribution.entity.name": "ANY", - "gsuite.admin.distribution.entity.type": "GROUP", - "gsuite.admin.new_value": "GRANTED", - "gsuite.admin.old_value": "DENIED", - "gsuite.admin.setting.name": "LOCATION", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3646, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - 
"source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "id", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4354, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 
40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.distribution.entity.name": "ANY", - "gsuite.admin.distribution.entity.type": "ORG_UNIT", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4795, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - 
"source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.distribution.entity.name": "ANY", - "gsuite.admin.distribution.entity.type": "ORG_UNIT", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "MOBILE_SETTINGS", 
- "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5341, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "id", - "gsuite.admin.device.type": "type", - 
"gsuite.admin.distribution.entity.name": "ANY", - "gsuite.admin.distribution.entity.type": "ORG_UNIT", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5993, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MOBILE_DEVICE_APPROVE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - 
"gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6534, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MOBILE_DEVICE_BLOCK", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - 
], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6993, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MOBILE_DEVICE_DELETE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7450, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MOBILE_DEVICE_WIPE", - "event.category": [ - "iam" - ], - 
"event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7908, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": 
"user" - }, - { - "event.action": "CHANGE_MOBILE_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8364, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": 
"foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8898, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - 
], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9328, - "network.name": "network", - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - 
], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_MOBILE_WIRELESS_NETWORK", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9817, - "network.name": "network", - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - 
"user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_MOBILE_WIRELESS_NETWORK", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10303, - "network.name": "network", - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - 
"user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10792, - "network.name": "network", - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - 
"forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_MOBILE_CERTIFICATE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.mobile.certificate.name": "cert", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11290, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - 
"tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11773, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12110, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12440, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12782, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MOBILE_ACCOUNT_WIPE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13120, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", - "event.category": [ 
- "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13577, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": 
"user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14053, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], 
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo",
- "user.target.domain": "example.com",
- "user.target.email": "user@example.com",
- "user.target.name": "user"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log
deleted file mode 100644
index 3ad1efedd6a..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log
+++ /dev/null
@@ -1,17 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json
deleted file mode 100644
index 854d75f96fd..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json
+++ /dev/null
@@ -1,890 +0,0 @@ -[ - { - "event.action": "CHROME_LICENSES_ENABLED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.chrome_licenses.enabled": "DISABLED", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": 
"foo" - }, - { - "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.sku": "sku", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 472, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": 
[ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.sku": "sku", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 982, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - 
"tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.sku": "sku", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1457, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - 
"source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.full": "full/org/path", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2002, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - 
"forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ASSIGN_CUSTOM_LOGO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2400, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UNASSIGN_CUSTOM_LOGO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", 
- "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2771, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_ENROLLMENT_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3144, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REVOKE_ENROLLMENT_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3520, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHROME_LICENSES_ALLOWED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.chrome_licenses.allowed": "EMPTY", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3896, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_ORG_UNIT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4365, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_ORG_UNIT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4733, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "EDIT_ORG_UNIT_DESCRIPTION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5101, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MOVE_ORG_UNIT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5479, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "EDIT_ORG_UNIT_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5880, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.full": "full/org/path", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6286, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_SERVICE_ENABLED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.service.name": "new", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6684, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", 
- "user.name": "foo"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log
deleted file mode 100644
index 1035f42a2fb..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log
+++ /dev/null
@@ -1,24 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ADD_TO_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"REMOVE_FROM_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"BLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_START_DATE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"ALLOWED_TWO_STEP_VERIFICATION_METHOD","value":"ONLY_SECURITY_KEY"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TOGGLE_CAA_ENABLEMENT","parameters":[{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_ERROR_MESSAGE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_APP_ASSIGNMENTS","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CAA_ASSIGNMENTS_NEW","value":"new"},{"name":"CAA_ASSIGNMENTS_OLD","value":"old"},{"name":"GROUP_NAME","value":"group"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENFORCE_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json deleted file mode 100644 index b55578f2e10..00000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json +++ /dev/null 
@@ -1,1309 +0,0 @@ -[ - { - "event.action": "ALLOW_STRONG_AUTHENTICATION", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": 
"foo" - }, - { - "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 461, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": 
"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 903, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", - 
"event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1348, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - 
"source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.oauth2.application.id": "id", - "gsuite.admin.oauth2.application.name": "appname", - "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1903, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - 
"source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.oauth2.application.id": "id", - "gsuite.admin.oauth2.application.name": "appname", - "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2424, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 
40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "BLOCK_ON_DEVICE_ACCESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2950, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - 
"source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3383, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - 
"source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3917, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 
7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - 
"input.type": "log", - "log.offset": 4434, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - 
"gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4963, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", 
- "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.verification_method": "ONLY_SECURITY_KEY", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5481, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_CAA_ENABLEMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - 
"gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6010, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CAA_ERROR_MESSAGE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": 
"elastic.com", - "input.type": "log", - "log.offset": 6385, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - 
"gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6802, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": 
"log", - "log.offset": 7356, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7746, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - 
"source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - 
"log.offset": 8134, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ENFORCE_STRONG_AUTHENTICATION", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - 
"gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8652, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": 
"admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9247, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9718, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": 
"SESSION_CONTROL_SETTINGS_CHANGE", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "ADMIN_CONSOLE", - "gsuite.admin.new_value": "INHERIT", - "gsuite.admin.old_value": "NEVER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10237, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": 
"foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_SESSION_LENGTH", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10774, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - 
"event.action": "UNBLOCK_ON_DEVICE_ACCESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.oauth2.service.name": "CALENDAR", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11184, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log deleted file mode 100644 index ff07d024c4c..00000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log +++ /dev/null 
@@ -1,5 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
deleted file mode 100644
index 75de8c3c13c..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
+++ /dev/null
@@ -1,275 +0,0 @@
-[
- {
- "event.action": "ADD_WEB_ADDRESS",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "creation"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.setting.name": "setting",
- "gsuite.event.type": "SITES_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 0,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "url.full": "http://example.com/path/in/url",
- "url.path": "/path/in/url",
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "DELETE_WEB_ADDRESS",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "deletion"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.setting.name": "setting",
- "gsuite.event.type": "SITES_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 594,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "url.full": "http://example.com/path/in/url",
- "url.path": "/path/in/url",
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "CHANGE_SITES_SETTING",
- "event.category": [
- "configuration",
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.domain.name": "example.com",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.setting.name": "setting",
- "gsuite.event.type": "SITES_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 1191,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES",
- "event.category": [
- "configuration",
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.service.name": "service",
- "gsuite.event.type": "SITES_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 1723,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "url.full": "http://example.com/path/in/url",
- "url.path": "/path/in/url",
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "VIEW_SITE_DETAILS",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "info"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.url.name": "site",
- "gsuite.event.type": "SITES_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 2233,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log
deleted file mode 100644
index bed874fc9a4..00000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log
+++ /dev/null
@@ -1,74 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GENERATE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_DEVICE_TOKENS","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_TOKEN","parameters":[{"name":"APP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ASP","parameters":[{"name":"ASP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TOGGLE_AUTOMATIC_CONTACT_SHARING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"1"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CANCEL_USER_INVITE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_CUSTOM_FIELD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_CUSTOM_FIELD","value":"custom"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_EXTERNAL_ID","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_GENDER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_IM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ENABLE_USER_IP_WHITELIST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_KEYWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LANGUAGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LOCATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ORGANIZATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_PHONE_NUMBER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_RELATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ADDRESS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"},{"name":"EMAIL_MONITOR_LEVEL_CHAT","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL","value":"info"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_DATA_TRANSFER_REQUEST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DESTINATION_USER_EMAIL","value":"dest@example.com"},{"name":"APPLICATION_NAME","value":"a,b,c"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_ACCOUNT_INFO_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_FIRST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GMAIL_RESET_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"GMAIL_RESET_REASON","value":"reason"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_LAST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_ADDED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_REMOVED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD_ON_NEXT_LOGIN","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_PENDING_INVITES_LIST"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_ACCOUNT_INFO","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_EXPORT_INCLUDE_DELETED","value":"true"},{"name":"EMAIL_EXPORT_PACKAGE_CONTENT","value":"contents"},{"name":"SEARCH_QUERY_FOR_DUMP","value":"foo bar"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESEND_USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESET_SIGNIN_COOKIES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SECURITY_KEY_REGISTERED_FOR_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_SECURITY_KEY","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"VIEW_TEMP_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TURN_OFF_2_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNBLOCK_USER_SESSION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_TITANIUM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPDATE_BIRTHDATE","parameters":[{"name":"BIRTHDATE","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNGRADE_USER_FROM_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_ENROLLED_IN_TWO_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_USERLIST_CSV"}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MOVE_USER_TO_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RENAME_USER","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_STRONG_AUTH","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNDELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNSUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPGRADE_USER_TO_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"0"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json deleted file mode 100644 index dc713f9ae92..00000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json +++ /dev/null 
@@ -1,4198 +0,0 @@ -[ - { - "event.action": "DELETE_2SV_SCRATCH_CODES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": 
"GENERATE_2SV_SCRATCH_CODES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 388, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REVOKE_3LO_DEVICE_TOKENS", - "event.category": [ - 
"iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 778, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - 
"user.target.name": "user" - }, - { - "event.action": "REVOKE_3LO_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.id": "id", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1238, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": 
"user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ADD_RECOVERY_EMAIL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1649, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - 
"event.action": "ADD_RECOVERY_PHONE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2031, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "GRANT_ADMIN_PRIVILEGE", - "event.category": [ - "iam" 
- ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2413, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REVOKE_ADMIN_PRIVILEGE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - 
"event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2798, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REVOKE_ASP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.asp_id": "id", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3184, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3589, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "BULK_UPLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - 
"event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.bulk_upload.failed": 1, - "gsuite.admin.bulk_upload.total": 10, - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4020, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - 
"event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4499, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CANCEL_USER_INVITE", - "event.category": [ - "iam" - ], - "event.dataset": 
"gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4937, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_CUSTOM_FIELD", - "event.category": 
[ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "custom", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5364, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": 
"foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_EXTERNAL_ID", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5868, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": 
"foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_GENDER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6325, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", 
- "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_IM", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6777, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": 
"Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ENABLE_USER_IP_WHITELIST", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7225, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - 
"source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_KEYWORD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7683, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": 
"US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_LANGUAGE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8136, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State 
College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_LOCATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8590, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - 
"source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_ORGANIZATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9044, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - 
"related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_PHONE_NUMBER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": 
"log", - "log.offset": 9502, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_RECOVERY_EMAIL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9960, - "organization.id": "1", - 
"related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_RECOVERY_PHONE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10345, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - 
"foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_RELATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 
10730, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_ADDRESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": 
"admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11184, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CREATE_EMAIL_MONITOR", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.duration": 3600000000000, - "event.end": "2002-10-02T16:00:00.000Z", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", - "event.provider": "admin", - "event.start": "2002-10-02T15:00:00.000Z", - "event.type": [ - "creation", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email_monitor.dest_email": "dest@example.com", - "gsuite.admin.email_monitor.level.chat": "info", - "gsuite.admin.email_monitor.level.draft": "info", - "gsuite.admin.email_monitor.level.incoming": "info", - "gsuite.admin.email_monitor.level.outgoing": "info", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11637, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United 
States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CREATE_DATA_TRANSFER_REQUEST", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "a,b,c", - "gsuite.admin.new_value": "dest@example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12429, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - 
"source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12926, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": 
"Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DELETE_ACCOUNT_INFO_DUMP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.request.id": "id", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13357, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - 
"source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DELETE_EMAIL_MONITOR", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email_monitor.dest_email": "dest@example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13780, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - 
"user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DELETE_MAILBOX_DUMP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.request.id": "id", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14227, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": 
[ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_FIRST_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14645, 
- "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "GMAIL_RESET_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15096, - "message": 
"reason", - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_LAST_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", 
- "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15523, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MAIL_ROUTING_DESTINATION_ADDED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - 
"gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15973, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - 
"gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16402, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ADD_NICKNAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.admin.user.nickname": 
"nick", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16833, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REMOVE_NICKNAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - 
"gsuite.admin.user.nickname": "nick", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 17249, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_PASSWORD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": 
"USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 17668, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": 
"new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18047, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DOWNLOAD_PENDING_INVITES_LIST", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - 
"gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18510, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_RECOVERY_EMAIL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18839, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - 
"foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REMOVE_RECOVERY_PHONE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19224, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - 
"source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REQUEST_ACCOUNT_INFO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19609, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast 
Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REQUEST_MAILBOX_DUMP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.duration": 3600000000000, - "event.end": "2002-10-02T16:00:00.000Z", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", - "event.provider": "admin", - "event.start": "2002-10-02T15:00:00.000Z", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email_dump.include_deleted": "true", - 
"gsuite.admin.email_dump.package_content": "contents", - "gsuite.admin.email_dump.query": "foo bar", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19993, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "RESEND_USER_INVITE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ 
- "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 20656, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "RESET_SIGNIN_COOKIES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - 
], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 21083, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - 
"gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 21467, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REVOKE_SECURITY_KEY", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": 
"user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 21863, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "USER_INVITE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - 
"gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 22246, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "VIEW_TEMP_PASSWORD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - 
"gsuite.admin.domain.name": "example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 22666, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "TURN_OFF_2_STEP_VERIFICATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - 
"gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 23093, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UNBLOCK_USER_SESSION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - 
"gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 23485, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UNENROLL_USER_FROM_TITANIUM", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - 
"gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 23869, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ARCHIVE_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": 
"elastic.com", - "input.type": "log", - "log.offset": 24260, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UPDATE_BIRTHDATE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.birthdate": "2002-10-02T15:00:00.000Z", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": 
"admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 24636, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CREATE_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - 
"input.type": "log", - "log.offset": 25068, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DELETE_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 25443, - "organization.id": "1", - 
"related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DOWNGRADE_USER_FROM_GPLUS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 25818, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - 
"related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 26207, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - 
"user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DOWNLOAD_USERLIST_CSV", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 26609, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - 
"source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MOVE_USER_TO_ORG_UNIT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 26930, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - 
"source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 27389, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable 
Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "RENAME_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 27834, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable 
Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 28244, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - 
"source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "SUSPEND_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 28638, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North 
America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UNARCHIVE_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29014, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": 
"United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UNDELETE_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29392, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - 
"source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UNSUSPEND_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29769, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", 
- "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UPGRADE_USER_TO_GPLUS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 30147, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": 
"98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "USERS_BULK_UPLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.bulk_upload.failed": 0, - "gsuite.admin.bulk_upload.total": 10, - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 30532, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - 
"source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 30972, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": 
"foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo",
- "user.target.domain": "example.com",
- "user.target.email": "user@example.com",
- "user.target.name": "user"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/config/common.js b/x-pack/filebeat/module/gsuite/config/common.js
deleted file mode 100644
index 64ce7b0620f..00000000000
--- a/x-pack/filebeat/module/gsuite/config/common.js
+++ /dev/null
@@ -1,86 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-var gsuite = (function () {
- var processor = require("processor");
-
- var decodeJson = new processor.DecodeJSONFields({
- fields: ["message"],
- target: "json",
- });
-
- var parseTimestamp = new processor.Timestamp({
- field: "json.id.time",
- timezone: "UTC",
- layouts: ["2006-01-02T15:04:05.999Z"],
- tests: ["2020-02-05T18:19:23.599Z"],
- ignore_missing: true,
- });
-
- var convertFields = new processor.Convert({
- fields: [
- { from: "message", to: "event.original" },
- { from: "json.events.name", to: "event.action" },
- { from: "json.id.applicationName", to: "event.provider" },
- { from: "json.id.uniqueQualifier", to: "event.id", type: "string" },
- { from: "json.actor.email", to: "source.user.email" },
- { from: "json.actor.profileId", to: "source.user.id", type: "string" },
- { from: "json.ipAddress", to: "source.ip", type: "ip" },
- { from: "json.kind", to: "gsuite.kind" },
- { from: "json.id.customerId", to: "organization.id", type: "string" },
- { from: "json.actor.callerType", to: "gsuite.actor.type" },
- { from: "json.actor.key", to: "gsuite.actor.key" },
- { from: "json.ownerDomain", to: "gsuite.organization.domain" },
- { from: "json.events.type", to: "gsuite.event.type" },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- });
-
- var completeUserData = function(evt) {
- var email = evt.Get("source.user.email");
- if (!email) {
- return;
- }
-
- var data = email.split("@");
- if (data.length !== 2) {
- return;
- }
-
- evt.Put("user.id", evt.Get("source.user.id"));
- evt.Put("user.name", data[0]);
- evt.Put("source.user.name", data[0]);
- evt.Put("user.domain", data[1]);
- evt.Put("source.user.domain", data[1]);
- };
-
- var copyFields = function(evt) {
- var ip = evt.Get("source.ip");
- if (ip) {
- evt.Put("related.ip", [ip]);
- }
- var userName = evt.Get("source.user.name");
- if (userName) {
- evt.Put("related.user", [userName]);
- }
- };
-
- var pipeline = new processor.Chain()
- .Add(decodeJson)
- .Add(parseTimestamp)
- .Add(convertFields)
- .Add(completeUserData)
- .Add(copyFields)
- .Build();
-
- return {
- process: pipeline.Run,
- };
-}());
-
-function process(evt) {
- return gsuite.process(evt);
-}
diff --git a/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml b/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml
deleted file mode 100644
index 9c031b89ce5..00000000000
--- a/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml
+++ /dev/null
@@ -1,89 +0,0 @@ -- name: drive - type: group - fields: - - name: billable - type: boolean - description: Whether this activity is billable. - - name: source_folder_id - type: keyword - - name: source_folder_title - type: keyword - - name: destination_folder_id - type: keyword - - name: destination_folder_title - type: keyword - - name: file.id - type: keyword - - name: file.type - type: keyword - description: > - Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - - name: originating_app_id - type: keyword - description: > - The Google Cloud Project ID of the application that performed the action. - - name: file.owner.email - type: keyword - - name: file.owner.is_shared_drive - type: boolean - description: > - Boolean flag denoting whether owner is a shared drive. - - name: primary_event - type: boolean - description: > - Whether this is a primary event. A single user action in Drive may generate several events. - - name: shared_drive_id - type: keyword - description: > - The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. - - name: visibility - type: keyword - description: > - Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - - name: new_value - type: keyword - description: > - When a setting or property of the file changes, the new value for it will appear here. - - name: old_value - type: keyword - description: > - When a setting or property of the file changes, the old value for it will appear here. - - name: sheets_import_range_recipient_doc - type: keyword - description: Doc ID of the recipient of a sheets import range. - - name: old_visibility - type: keyword - description: > - When visibility changes, this holds the old value. 
- - name: visibility_change - type: keyword - description: > - When visibility changes, this holds the new overall visibility of the file. - - name: target_domain - type: keyword - description: > - The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. - - name: added_role - type: keyword - description: > - Added membership role of a user/group in a Team Drive. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - - name: membership_change_type - type: keyword - description: > - Type of change in Team Drive membership of a user/group. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - - name: shared_drive_settings_change_type - type: keyword - description: > - Type of change in Team Drive settings. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - - name: removed_role - type: keyword - description: > - Removed membership role of a user/group in a Team Drive. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - - name: target - type: keyword - description: Target user or group. - diff --git a/x-pack/filebeat/module/gsuite/drive/config/config.yml b/x-pack/filebeat/module/gsuite/drive/config/config.yml deleted file mode 100644 index 1fc56ba1ee5..00000000000 --- a/x-pack/filebeat/module/gsuite/drive/config/config.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -{{ if eq .input "httpjson" }} -type: httpjson - -url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/drive -json_objects_array: items -split_events_by: events - -interval: {{ .interval }} - -{{ if .http_client_timeout }} -http_client_timeout: {{ .http_client_timeout }} -{{ end }} - -oauth2.provider: google -oauth2.google.jwt_file: {{ .jwt_file }} -oauth2.google.delegated_account: {{ .delegated_account }} -oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly - -date_cursor.url_field: startTime -date_cursor.initial_interval: {{ .initial_interval }} - -pagination.id_field: nextPageToken -pagination.url_field: pageToken - -{{ if .proxy_url }} -request.proxy_url: {{ .proxy_url }} -{{ end }} - -{{ else if eq .input "file" }} -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.11.0 - - script: - lang: javascript - id: gsuite-common - file: ${path.home}/module/gsuite/config/common.js - - script: - lang: javascript - id: gsuite-drive - file: ${path.home}/module/gsuite/drive/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/drive/config/pipeline.js b/x-pack/filebeat/module/gsuite/drive/config/pipeline.js deleted file mode 100644 index 31403a880ae..00000000000 --- a/x-pack/filebeat/module/gsuite/drive/config/pipeline.js +++ /dev/null 
@@ -1,191 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-var drive = (function () {
- var path = require("path");
- var processor = require("processor");
-
- var categorizeEvent = function(evt) {
- evt.Put("event.category", ["file"]);
- switch (evt.Get("event.action")) {
- case "add_to_folder":
- case "edit":
- case "add_lock":
- case "move":
- case "remove_from_folder":
- case "rename":
- case "remove_lock":
- case "sheets_import_range":
- evt.Put("event.type", ["change"]);
- break;
- case "approval_canceled":
- case "approval_comment_added":
- case "approval_requested":
- case "approval_reviewer_responded":
- case "change_acl_editors":
- case "change_document_access_scope":
- case "change_document_visibility":
- case "shared_drive_membership_change":
- case "shared_drive_settings_change":
- case "sheets_import_range_access_change":
- case "change_user_access":
- evt.AppendTo("event.category", "iam");
- evt.AppendTo("event.category", "configuration");
- evt.Put("event.type", ["change"]);
- break;
- case "create":
- case "untrash":
- case "upload":
- evt.Put("event.type", ["creation"]);
- break;
- case "delete":
- case "trash":
- evt.Put("event.type", ["deletion"]);
- break;
- case "download":
- case "preview":
- case "print":
- case "view":
- evt.Put("event.type", ["info"]);
- break;
- }
- };
-
- var getParamValue = function(param) {
- if (param.value) {
- return param.value;
- }
- if (param.multiValue) {
- return param.multiValue;
- }
- if (param.boolValue !== null) {
- return param.boolValue;
- }
- };
-
- var flattenParams = function(evt) {
- var params = evt.Get("json.events.parameters");
- if (!params || !Array.isArray(params)) {
- return;
- }
-
- params.forEach(function(p){
- evt.Put("gsuite.drive."+p.name, getParamValue(p));
- });
-
- 
evt.Delete("json.events.parameters");
- };
-
- var setFileInfo = function(evt) {
- var type = evt.Get("gsuite.drive.file.type");
- if (!type) {
- return;
- }
-
- switch (type) {
- case "folder":
- case "shared_drive":
- evt.Put("file.type", "dir");
- break;
- default:
- evt.Put("file.type", "file");
- }
-
- // path returns extensions with a preceding ., e.g.: .tmp, .png
- // according to ecs the expected format is without it, so we need to remove it.
- var ext = path.extname(evt.Get("file.name"));
- if (!ext) {
- return;
- }
-
- if (ext.charAt(0) === ".") {
- ext = ext.substr(1);
- }
- evt.Put("file.extension", ext);
- };
-
- var setOwnerInfo = function(evt) {
- var email = evt.Get("gsuite.drive.file.owner.email");
- if (!email) {
- return;
- }
-
- var data = email.split("@");
- if (data.length !== 2) {
- return;
- }
-
- evt.Put("file.owner", data[0]);
- evt.AppendTo("related.user", data[0]);
- };
-
- var setTargetRelatedUser = function(evt) {
- var email = evt.Get("gsuite.drive.target");
- if (!email) {
- return;
- }
-
- var data = email.split("@");
- if (data.length !== 2) {
- return;
- }
-
- evt.AppendTo("related.user", data[0]);
- };
-
- var pipeline = new processor.Chain()
- .Add(categorizeEvent)
- .Add(flattenParams)
- .Convert({
- fields: [
- {
- from: "gsuite.drive.doc_id",
- to: "gsuite.drive.file.id",
- },
- {
- from: "gsuite.drive.doc_title",
- to: "file.name",
- },
- {
- from: "gsuite.drive.doc_type",
- to: "gsuite.drive.file.type",
- },
- {
- from: "gsuite.drive.owner",
- to: "gsuite.drive.file.owner.email",
- },
- {
- from: "gsuite.drive.owner_is_shared_drive",
- to: "gsuite.drive.file.owner.is_shared_drive",
- },
- {
- from: "gsuite.drive.new_settings_state",
- to: "gsuite.drive.new_value",
- },
- {
- from: "gsuite.drive.old_settings_state",
- to: "gsuite.drive.old_value",
- },
- {
- from: "gsuite.drive.target_user",
- to: "gsuite.drive.target",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setFileInfo)
- 
.Add(setOwnerInfo) - .Add(setTargetRelatedUser) - .Build(); - - return { - process: pipeline.Run, - }; -}()); - -function process(evt) { - return drive.process(evt); -} diff --git a/x-pack/filebeat/module/gsuite/drive/manifest.yml b/x-pack/filebeat/module/gsuite/drive/manifest.yml deleted file mode 100644 index c5992776ac0..00000000000 --- a/x-pack/filebeat/module/gsuite/drive/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: httpjson - - name: jwt_file - - name: delegated_account - - name: initial_interval - default: 24h - - name: http_client_timeout - default: 60s - - name: user_key - default: all - - name: interval - default: 2h - - name: tags - default: [forwarded] - - name: proxy_url - -input: config/config.yml -ingest_pipeline: ../ingest/common.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log deleted file mode 100644 index 3cd073a7379..00000000000 --- a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log +++ /dev/null 
@@ -1,28 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_to_folder","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_canceled","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_comment_added","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_requested","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_reviewer_responded","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"create","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"download","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"edit","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"move","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"preview","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"print","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_from_folder","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"rename","parameters":[{"name":"billable","boolValue":true},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"bar.gif"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_value","value":"foo.gif","new_value":"bar.gif"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"untrash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"sheets_import_range","parameters":[{"name":"sheets_import_range_recipient_doc","value":"1234"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"trash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"view","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"shared_drive_id","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_editors","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_access_scope","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_visibility","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_membership_change","parameters":[{"name":"added_role","value":"editor"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"removed_role","value":"content_manager"},{"name":"membership_change_type","value":"add_to_shared_drive"},{"name":"target","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_settings_change","parameters":[{"name":"new_settings_state","value":"restricted"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_settings_state","value":"unrestricted"},{"name":"shared_drive_settings_change_type","value":"direct_acl"},{"name":"target","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"sheets_import_range_access_change","parameters":[{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"sheets_import_range_recipient_doc","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_user_access","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"old_visibility","value":"people_with_link"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"target_user","value":"user@example.com"},{"name":"visibility","value":"private"},{"name":"visibility_change","value":"external"}]}} diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json deleted file mode 100644 index 4068a18c494..00000000000 --- a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json +++ /dev/null 
@@ -1,1801 +0,0 @@ -[ - { - "event.action": "add_to_folder", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_to_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.destination_folder_id": "1234", - "gsuite.drive.destination_folder_title": "folder title", - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", 
- "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "approval_canceled", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_canceled\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - 
"fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 816, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "approval_comment_added", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_comment_added\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1529, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 
40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "approval_requested", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_requested\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - 
"gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2247, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "approval_reviewer_responded", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_reviewer_responded\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2961, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "create", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"create\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "creation" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3684, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - 
"source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "delete", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "deletion" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": 
"people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4386, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "download", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"download\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "info" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5088, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "edit", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": 
"1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5792, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United 
States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "add_lock", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - 
"gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6492, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "move", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"move\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.destination_folder_id": "1234", - "gsuite.drive.destination_folder_title": "folder title", - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.source_folder_id": "1234", - "gsuite.drive.source_folder_title": "a folder title", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7196, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": 
"bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "preview", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"preview\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "info" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8102, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - 
"related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "print", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"print\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "info" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - 
"gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8805, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "remove_from_folder", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_from_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.source_folder_id": "1234", - "gsuite.drive.source_folder_title": "a folder title", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9506, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, 
LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "rename", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"rename\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"bar.gif\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_value\",\"value\":\"foo.gif\",\"new_value\":\"bar.gif\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.extension": "gif", - "file.name": "bar.gif", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": true, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": 
"owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.old_value": "foo.gif", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10319, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "untrash", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"untrash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "creation" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11074, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "sheets_import_range", - "event.category": [ - "file" - ], - "event.dataset": 
"gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.sheets_import_range_recipient_doc": "1234", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11777, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": 
"North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "trash", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"trash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "deletion" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - 
"gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12514, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "remove_lock", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13215, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "upload", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "creation" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13922, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - 
"source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "view", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"view\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"1234\"}]}}", - "event.provider": "drive", - "event.type": [ - "info" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": 
true, - "gsuite.drive.shared_drive_id": "1234", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14624, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_acl_editors", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_editors\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.new_value": "owner", - "gsuite.drive.old_value": "writers", - "gsuite.drive.old_visibility": "people_within_domain_with_link", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.drive.visibility_change": "external", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15366, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - 
"source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_document_access_scope", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_access_scope\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - 
"gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.new_value": "owner", - "gsuite.drive.old_value": "writers", - "gsuite.drive.old_visibility": "people_within_domain_with_link", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.target_domain": "all", - "gsuite.drive.visibility": "people_with_link", - "gsuite.drive.visibility_change": "external", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16275, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_document_visibility", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_visibility\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.new_value": "owner", - "gsuite.drive.old_value": "writers", - "gsuite.drive.old_visibility": "people_within_domain_with_link", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.target_domain": "all", - "gsuite.drive.visibility": "people_with_link", - "gsuite.drive.visibility_change": "external", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - 
"gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 17233, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "shared_drive_membership_change", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_membership_change\",\"parameters\":[{\"name\":\"added_role\",\"value\":\"editor\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"removed_role\",\"value\":\"content_manager\"},{\"name\":\"membership_change_type\",\"value\":\"add_to_shared_drive\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.added_role": "editor", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.membership_change_type": "add_to_shared_drive", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.removed_role": "content_manager", - "gsuite.drive.target": "user@example.com", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18189, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - 
"source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "shared_drive_settings_change", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_settings_change\",\"parameters\":[{\"name\":\"new_settings_state\",\"value\":\"restricted\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_settings_state\",\"value\":\"unrestricted\"},{\"name\":\"shared_drive_settings_change_type\",\"value\":\"direct_acl\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - 
"gsuite.drive.file.type": "document", - "gsuite.drive.new_value": "restricted", - "gsuite.drive.old_value": "unrestricted", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.shared_drive_settings_change_type": "direct_acl", - "gsuite.drive.target": "user@example.com", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19117, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "sheets_import_range_access_change", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"sheets_import_range_access_change\",\"parameters\":[{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.sheets_import_range_recipient_doc": "1234", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 20060, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - 
"source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_user_access", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"old_visibility\",\"value\":\"people_with_link\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"target_user\",\"value\":\"user@example.com\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - 
"gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.new_value": "can_comment", - "gsuite.drive.old_value": "can_view", - "gsuite.drive.old_visibility": "people_with_link", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.target": "user@example.com", - "gsuite.drive.visibility": "private", - "gsuite.drive.visibility_change": "external", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 20815, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go deleted file mode 100644 index 8ade2ec3e32..00000000000 --- a/x-pack/filebeat/module/gsuite/fields.go +++ /dev/null 
@@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package gsuite - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "gsuite", asset.ModuleFieldsPri, AssetGsuite); err != nil { - panic(err) - } -} - -// AssetGsuite returns asset data. -// This is the base64 encoded zlib format compressed contents of module/gsuite. -func AssetGsuite() string { - return "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" -} diff --git a/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml b/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml deleted file mode 100644 index 05cd6b68590..00000000000 --- a/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -- name: groups - type: group - fields: - - name: acl_permission - type: keyword - description: > - Group permission setting updated. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - - name: email - type: keyword - description: > - Group email. - - name: member.email - type: keyword - description: > - Member email. - - name: member.role - type: keyword - description: > - Member role. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - - name: setting - type: keyword - description: > - Group setting updated. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - - name: new_value - type: keyword - description: > - New value(s) of the group setting. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - - name: old_value - type: keyword - description: - Old value(s) of the group setting. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - - name: value - type: keyword - description: > - Value of the group setting. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - - name: message.id - type: keyword - description: > - SMTP message Id of an email message. - Present for moderation events. - - name: message.moderation_action - type: keyword - description: > - Message moderation action. - Possible values are `approved` and `rejected`. - - name: status - type: keyword - description: > - A status describing the output of an operation. - Possible values are `failed` and `succeeded`. - diff --git a/x-pack/filebeat/module/gsuite/groups/config/config.yml b/x-pack/filebeat/module/gsuite/groups/config/config.yml deleted file mode 100644 index 75b9d16063b..00000000000 
--- a/x-pack/filebeat/module/gsuite/groups/config/config.yml +++ /dev/null @@ -1,54 +0,0 @@ -{{ if eq .input "httpjson" }} -type: httpjson - -url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/groups -json_objects_array: items -split_events_by: events - -interval: {{ .interval }} - -{{ if .http_client_timeout }} -http_client_timeout: {{ .http_client_timeout }} -{{ end }} - -oauth2.provider: google -oauth2.google.jwt_file: {{ .jwt_file }} -oauth2.google.delegated_account: {{ .delegated_account }} -oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly - -date_cursor.url_field: startTime -date_cursor.initial_interval: {{ .initial_interval }} - -pagination.id_field: nextPageToken -pagination.url_field: pageToken - -{{ if .proxy_url }} -request.proxy_url: {{ .proxy_url }} -{{ end }} - -{{ else if eq .input "file" }} -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.11.0 - - script: - lang: javascript - id: gsuite-common - file: ${path.home}/module/gsuite/config/common.js - - script: - lang: javascript - id: gsuite-groups - file: ${path.home}/module/gsuite/groups/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js deleted file mode 100644 index a0144435049..00000000000 --- a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js +++ /dev/null 
@@ -1,223 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -var groups = (function () { - var processor = require("processor"); - - var categorizeEvent = function(evt) { - evt.Put("event.category", ["iam"]); - evt.Put("event.type", ["group"]); - switch (evt.Get("event.action")) { - case "change_basic_setting": - case "change_identity_setting": - case "change_info_setting": - case "change_new_members_restrictions_setting": - case "change_post_replies_setting": - case "change_spam_moderation_setting": - case "change_topic_setting": - evt.AppendTo("event.category", "configuration"); - evt.AppendTo("event.type", "change"); - break; - case "change_acl_permission": - evt.AppendTo("event.type", "change"); - break; - case "accept_invitation": - evt.AppendTo("event.type", "info"); - evt.AppendTo("event.type", "user"); - break; - case "approve_join_request": - case "join": - evt.AppendTo("event.type", "user"); - evt.AppendTo("event.type", "change"); - break; - case "request_to_join": - case "ban_user_with_moderation": - case "revoke_invitation": - case "invite_user": - case "reject_join_request": - case "reinvite_user": - evt.AppendTo("event.type", "info"); - evt.AppendTo("event.type", "user"); - break; - case "create_group": - evt.AppendTo("event.type", "creation"); - break; - case "add_info_setting": - evt.AppendTo("event.category", "configuration"); - evt.AppendTo("event.type", "creation"); - break; - case "delete_group": - evt.AppendTo("event.type", "deletion"); - break; - case "remove_info_setting": - evt.AppendTo("event.category", "configuration"); - evt.AppendTo("event.type", "deletion"); - break; - case "moderate_message": - case "always_post_from_user": - evt.AppendTo("event.type", "info"); - break; - case "add_user": - evt.AppendTo("event.type", "creation"); - 
evt.AppendTo("event.type", "user"); - break; - case "remove_user": - evt.AppendTo("event.type", "deletion"); - evt.AppendTo("event.type", "user"); - break; - } - }; - - var getParamValue = function(param) { - if (param.value) { - return param.value; - } - if (param.multiValue) { - return param.multiValue; - } - }; - - var flattenParams = function(evt) { - var params = evt.Get("json.events.parameters"); - if (!params || !Array.isArray(params)) { - return; - } - - params.forEach(function(p){ - evt.Put("gsuite.groups."+p.name, getParamValue(p)); - }); - - evt.Delete("json.events.parameters"); - }; - - var setOutcome = function(evt) { - switch (evt.Get("gsuite.groups.status")) { - case "failed": - evt.Put("event.outcome", "failure"); - break; - case "succeeded": - evt.Put("event.outcome", "success"); - break; - } - }; - - var setGroupInfo = function(evt) { - var email = evt.Get("gsuite.groups.email"); - if (!email) { - return; - } - - var data = email.split("@"); - if (data.length !== 2) { - return; - } - - evt.Put("group.name", data[0]); - evt.Put("group.domain", data[1]); - }; - - var setRelatedMemberInfo = function(evt) { - var email = evt.Get("gsuite.groups.member.email"); - if (!email) { - return; - } - - var data = email.split("@"); - if (data.length !== 2) { - return; - } - - evt.AppendTo("related.user", data[0]); - evt.Put("user.target.name", data[0]); - evt.Put("user.target.domain", data[1]); - evt.Put("user.target.email", email); - var groupName = evt.Get("group.name"); - if (groupName) { - evt.Put("user.target.group.name", groupName); - } - var groupDomain = evt.Get("group.domain"); - if (groupDomain) { - evt.Put("user.target.group.domain", groupDomain); - } - }; - - var pipeline = new processor.Chain() - .Add(categorizeEvent) - .Add(flattenParams) - .Convert({ - fields: [ - { - from: "gsuite.groups.group_email", - to: "gsuite.groups.email", - }, - { - from: "gsuite.groups.new_value_repeated", - to: "gsuite.groups.new_value", - }, - { - from: 
"gsuite.groups.old_value_repeated", - to: "gsuite.groups.old_value", - }, - { - from: "gsuite.groups.user_email", - to: "gsuite.groups.member.email", - }, - { - from: "gsuite.groups.basic_setting", - to: "gsuite.groups.setting", - }, - { - from: "gsuite.groups.identity_setting", - to: "gsuite.groups.setting", - }, - { - from: "gsuite.groups.info_setting", - to: "gsuite.groups.setting", - }, - { - from: "gsuite.groups.new_members_restrictions_setting", - to: "gsuite.groups.setting", - }, - { - from: "gsuite.groups.post_replies_setting", - to: "gsuite.groups.setting", - }, - { - from: "gsuite.groups.spam_moderation_setting", - to: "gsuite.groups.setting", - }, - { - from: "gsuite.groups.topic_setting", - to: "gsuite.groups.setting", - }, - { - from: "gsuite.groups.message_id", - to: "gsuite.groups.message.id", - }, - { - from: "gsuite.groups.message_moderation_action", - to: "gsuite.groups.message.moderation_action", - }, - { - from: "gsuite.groups.member_role", - to: "gsuite.groups.member.role", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setOutcome) - .Add(setGroupInfo) - .Add(setRelatedMemberInfo) - .Build(); - - return { - process: pipeline.Run, - }; -}()); - -function process(evt) { - return groups.process(evt); -} diff --git a/x-pack/filebeat/module/gsuite/groups/manifest.yml b/x-pack/filebeat/module/gsuite/groups/manifest.yml deleted file mode 100644 index c5992776ac0..00000000000 --- a/x-pack/filebeat/module/gsuite/groups/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: httpjson - - name: jwt_file - - name: delegated_account - - name: initial_interval - default: 24h - - name: http_client_timeout - default: 60s - - name: user_key - default: all - - name: interval - default: 2h - - name: tags - default: [forwarded] - - name: proxy_url - -input: config/config.yml -ingest_pipeline: ../ingest/common.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip 
diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log deleted file mode 100644 index e67fe7571a3..00000000000 --- a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log +++ /dev/null 
@@ -1,25 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_permission","parameters":[{"name":"acl_permission","value":"can_add_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value_repeated","multiValue":["managers","members"]},{"name":"old_value_repeated","multiValue":["managers"]}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"accept_invitation","parameters":[{"name":"group_email","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"approve_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"join","parameters":[{"name":"group_email","value":"group@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"request_to_join","parameters":[{"name":"group_email","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_basic_setting","parameters":[{"name":"basic_setting","value":"allow_external_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value","value":"true"},{"name":"old_value","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"create_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"delete_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_identity_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"identity_setting","value":"required_forms_of_identity"},{"name":"new_value","value":"display_name_only"},{"name":"old_value","value":"display_name_or_google_profile"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"new_value","value":"footer"},{"name":"old_value","value":"old footer"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_new_members_restrictions_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"new_members_restrictions_setting","value":"new_members_can_post"},{"name":"new_value","value":"inherit"},{"name":"old_value","value":"overriden_to_false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_post_replies_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"post_replies_setting","value":"where_should_replies_be_sent"},{"name":"new_value","value":"reply_to_custom_address"},{"name":"old_value","value":"reply_to_author_only"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_spam_moderation_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"spam_moderation_setting","value":"how_to_handle_suspected_spam_messages"},{"name":"new_value","value":"moderate_and_do_not_send_notifications"},{"name":"old_value","value":"moderate_and_send_notifications"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_topic_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"topic_setting","value":"allowed_topic_types"},{"name":"new_value","value":"discussions_questions"},{"name":"old_value","value":"discussions"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"moderate_message","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"message_moderation_action","value":"approved"},{"name":"status","value":"succeeded"},{"name":"message_id","value":"message id"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"always_post_from_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"status","value":"succeeded"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"ban_user_with_moderation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"revoke_invitation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"invite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reject_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reinvite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json deleted file mode 100644 index 758ba9ba2b1..00000000000 
--- a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json +++ /dev/null 
@@ -1,1476 +0,0 @@ -[ - { - "event.action": "change_acl_permission", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "acl_change", - "gsuite.groups.acl_permission": "can_add_members", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": [ - "managers", - "members" - ], - "gsuite.groups.old_value": [ - "managers" - ], - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - 
"source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "accept_invitation", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"accept_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 559, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - 
"source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "approve_join_request", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 946, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": 
"foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "join", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1385, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - 
"source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "request_to_join", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"request_to_join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1759, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": 
"foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_basic_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "true", - "gsuite.groups.old_value": "false", - "gsuite.groups.setting": "allow_external_members", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2144, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - 
"source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "create_group", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "creation", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2665, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": 
"foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "delete_group", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "deletion", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3047, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - 
"user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_identity_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "display_name_only", - "gsuite.groups.old_value": "display_name_or_google_profile", - "gsuite.groups.setting": "required_forms_of_identity", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3429, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - 
"source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "add_info_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", - "event.provider": "groups", - "event.type": [ - "creation", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.setting": "custom_footer", - "gsuite.groups.value": "footer", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3998, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - 
"source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_info_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "footer", - "gsuite.groups.old_value": "old footer", - "gsuite.groups.setting": "custom_footer", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4466, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - 
"source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "remove_info_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", - "event.provider": "groups", - "event.type": [ - "deletion", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.setting": "custom_footer", - "gsuite.groups.value": "footer", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4983, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 
7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_new_members_restrictions_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "inherit", - "gsuite.groups.old_value": "overriden_to_false", - "gsuite.groups.setting": "new_members_can_post", - "gsuite.kind": 
"admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5454, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_post_replies_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": 
"USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "reply_to_custom_address", - "gsuite.groups.old_value": "reply_to_author_only", - "gsuite.groups.setting": "where_should_replies_be_sent", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6027, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_spam_moderation_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "moderate_and_do_not_send_notifications", - "gsuite.groups.old_value": "moderate_and_send_notifications", - "gsuite.groups.setting": "how_to_handle_suspected_spam_messages", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6602, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - 
"source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_topic_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "discussions_questions", - "gsuite.groups.old_value": "discussions", - "gsuite.groups.setting": "allowed_topic_types", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7218, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - 
"source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "moderate_message", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"moderate_message\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"message_moderation_action\",\"value\":\"approved\"},{\"name\":\"status\",\"value\":\"succeeded\"},{\"name\":\"message_id\",\"value\":\"message id\"}]}}", - "event.outcome": "success", - "event.provider": "groups", - "event.type": [ - "group", - "info" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.message.id": "message id", - "gsuite.groups.message.moderation_action": "approved", - "gsuite.groups.status": "succeeded", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7759, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - 
"source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "always_post_from_user", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"always_post_from_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"status\",\"value\":\"succeeded\"}]}}", - "event.outcome": "success", - "event.provider": "groups", - "event.type": [ - "group", - "info" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.groups.status": "succeeded", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8282, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - 
"service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "add_user", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", - "event.provider": "groups", - "event.type": [ - "creation", - "group", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - 
"gsuite.groups.member.role": "manager", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8760, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "ban_user_with_moderation", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"ban_user_with_moderation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", - "event.provider": "groups", - 
"event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.groups.member.role": "manager", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9228, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "revoke_invitation", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"revoke_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9712, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - 
"user.target.name": "user" - }, - { - "event.action": "invite_user", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"invite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10148, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - 
"user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "reject_join_request", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reject_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10578, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - 
"source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "reinvite_user", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reinvite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11016, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - 
"source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "remove_user", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "deletion", - "group", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11448, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable 
Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - } -]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/ingest/common.yml b/x-pack/filebeat/module/gsuite/ingest/common.yml
deleted file mode 100644
index f35335c1846..00000000000
--- a/x-pack/filebeat/module/gsuite/ingest/common.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-description: Pipeline for parsing gsuite logs
-processors:
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - remove:
- field: json
- ignore_missing: true
- - set:
- field: event.ingested
- value: "{{ _ingest.timestamp }}"
-
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/gsuite/login/_meta/fields.yml b/x-pack/filebeat/module/gsuite/login/_meta/fields.yml
deleted file mode 100644
index dc8e9711616..00000000000
--- a/x-pack/filebeat/module/gsuite/login/_meta/fields.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: login
- type: group
- fields:
- - name: affected_email_address
- type: keyword
- - name: challenge_method
- type: keyword
- description: >
- Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
- - name: failure_type
- type: keyword
- description: >
- Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
- - name: type
- type: keyword
- description: >
- Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
- - name: is_second_factor
- type: boolean
- - name: is_suspicious
- type: boolean
diff --git a/x-pack/filebeat/module/gsuite/login/config/config.yml b/x-pack/filebeat/module/gsuite/login/config/config.yml
deleted file mode 100644
index 8575999100c..00000000000
--- a/x-pack/filebeat/module/gsuite/login/config/config.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-{{ if eq .input "httpjson" }}
-type: httpjson
-
-url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/login
-json_objects_array: items
-split_events_by: events
-
-interval: {{ .interval }}
-
-{{ if .http_client_timeout }}
-http_client_timeout: {{ .http_client_timeout }}
-{{ end }}
-
-oauth2.provider: google
-oauth2.google.jwt_file: {{ .jwt_file }}
-oauth2.google.delegated_account: {{ .delegated_account }}
-oauth2.scopes:
- - https://www.googleapis.com/auth/admin.reports.audit.readonly
-
-date_cursor.url_field: startTime
-date_cursor.initial_interval: {{ .initial_interval }}
-
-pagination.id_field: nextPageToken
-pagination.url_field: pageToken
-
-{{ if .proxy_url }}
-request.proxy_url: {{ .proxy_url }}
-{{ end }}
-
-{{ else if eq .input "file" }}
-type: log
-paths:
-{{ range $i, $path := .paths }}
- - {{$path}}
-{{ end }}
-exclude_files: [".gz$"]
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.11.0
- - script:
- lang: javascript
- id: gsuite-common
- file: ${path.home}/module/gsuite/config/common.js
- - script:
- lang: javascript
- id: gsuite-login
- file: ${path.home}/module/gsuite/login/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/login/config/pipeline.js b/x-pack/filebeat/module/gsuite/login/config/pipeline.js
deleted file mode 100644
index 2ad5d52f7de..00000000000
--- a/x-pack/filebeat/module/gsuite/login/config/pipeline.js
+++ /dev/null
@@ -1,117 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-var login = (function () {
- var processor = require("processor");
-
- var categorizeEvent = function(evt) {
- evt.Put("event.category", ["authentication"]);
- switch (evt.Get("event.action")) {
- case "login_failure":
- evt.AppendTo("event.category", "session");
- evt.Put("event.type", ["start"]);
- evt.Put("event.outcome", "failure");
- break;
- case "login_success":
- evt.AppendTo("event.category", "session");
- evt.Put("event.type", ["start"]);
- evt.Put("event.outcome", "success");
- break;
- case "logout":
- evt.AppendTo("event.category", "session");
- evt.Put("event.type", ["end"]);
- break;
- case "account_disabled_generic":
- case "account_disabled_spamming_through_relay":
- case "account_disabled_spamming":
- case "account_disabled_hijacked":
- case "account_disabled_password_leak":
- evt.Put("event.type", ["user", "change"]);
- break;
- case "gov_attack_warning":
- case "login_challenge":
- case "login_verification":
- case "suspicious_login":
- case "suspicious_login_less_secure_app":
- case "suspicious_programmatic_login":
- evt.Put("event.type", ["info"]);
- break;
- }
- };
-
- var getParamValue = function(param) {
- if (param.value) {
- return param.value;
- }
- if (param.multiValue) {
- return param.multiValue;
- }
- };
-
- var processParams = function(evt) {
- var params = evt.Get("json.events.parameters");
- if (!params || !Array.isArray(params)) {
- return;
- }
-
- var prefixRegex = /^(login_)/;
-
- params.forEach(function(p){
- p.name = p.name.replace(prefixRegex, "");
- switch (p.name) {
- // According to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login
- // this is a timestamp in microseconds
- case "timestamp":
- var millis = p.intValue / 1000;
- evt.Put("event.start", new Date(millis));
- break;
- case "challenge_status":
- if (p.value === "Challenge Passed") {
- evt.Put("event.outcome", "success");
- } else {
- evt.Put("event.outcome", "failure");
- }
- break;
- case "is_second_factor":
- case "is_suspicious":
- evt.Put("gsuite.login."+p.name, p.boolValue);
- break;
- // the rest of params are strings
- default:
- evt.Put("gsuite.login."+p.name, getParamValue(p));
- }
- });
-
- evt.Delete("json.events.parameters");
- };
-
- var addTargetUser = function(evt) {
- var affectedEmail = evt.Get("google_workspace.login.affected_email_address");
- if (affectedEmail) {
- evt.Put("user.target.email", affectedEmail);
- var data = affectedEmail.split("@");
- if (data.length !== 2) {
- return;
- }
-
- evt.Put("user.target.name", data[0]);
- evt.Put("user.target.domain", data[1]);
- evt.AppendTo("related.user", data[0]);
- }
- };
-
- var pipeline = new processor.Chain()
- .Add(categorizeEvent)
- .Add(processParams)
- .Add(addTargetUser)
- .Build();
-
- return {
- process: pipeline.Run,
- };
-}());
-
-function process(evt) {
- return login.process(evt);
-}
diff --git a/x-pack/filebeat/module/gsuite/login/manifest.yml b/x-pack/filebeat/module/gsuite/login/manifest.yml
deleted file mode 100644
index c5992776ac0..00000000000
--- a/x-pack/filebeat/module/gsuite/login/manifest.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-module_version: 1.0
-
-var:
- - name: input
- default: httpjson
- - name: jwt_file
- - name: delegated_account
- - name: initial_interval
- default: 24h
- - name: http_client_timeout
- default: 60s
- - name: user_key
- default: all
- - name: interval
- default: 2h
- - name: tags
- default: [forwarded]
- - name: proxy_url
-
-input: config/config.yml
-ingest_pipeline: ../ingest/common.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log
deleted file mode 100644
index b721c74bf48..00000000000
--- a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log
+++ /dev/null
@@ -1,14 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_password_leak","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login_less_secure_app","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_programmatic_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_generic","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming_through_relay","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_hijacked","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"gov_attack_warning"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_failure_type","value":"login_failure_access_code_disallowed"},{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_challenge","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_verification","parameters":[{"name":"is_second_factor","boolValue":false},{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"logout","parameters":[{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"is_suspicious","boolValue":false},{"name":"login_type","value":"exchange"}]}}
diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json
deleted file mode 100644
index aa37acec18e..00000000000
--- a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json
+++ /dev/null
@@ -1,738 +0,0 @@ -[ - { - "event.action": "account_disabled_password_leak", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", - "event.provider": "login", - "event.type": [ - "change", - "user" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "suspicious_login", - "event.category": [ - "authentication" - ], - "event.dataset": 
"gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", - "event.provider": "login", - "event.start": "2020-07-02T13:08:25.123Z", - "event.type": [ - "info" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 406, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "suspicious_login_less_secure_app", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": 
"gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login_less_secure_app\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", - "event.provider": "login", - "event.start": "2020-07-02T13:08:25.123Z", - "event.type": [ - "info" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 853, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "suspicious_programmatic_login", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_programmatic_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", - "event.provider": "login", - "event.start": "2020-07-02T13:08:25.123Z", - "event.type": [ - "info" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1316, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "account_disabled_generic", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", - "event.provider": "login", - "event.type": [ - "change", - "user" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1776, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "account_disabled_spamming_through_relay", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", - "event.provider": "login", - "event.type": [ - "change", - "user" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2176, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "account_disabled_spamming", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", - "event.provider": "login", - "event.type": [ - "change", - "user" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2591, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "account_disabled_hijacked", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_hijacked\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", - "event.provider": "login", - "event.start": "2020-07-02T13:08:25.123Z", - "event.type": [ - "change", - "user" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2992, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "gov_attack_warning", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"gov_attack_warning\"}}", - "event.provider": "login", - "event.type": [ - "info" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3448, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "login_failure", - "event.category": [ - "authentication", - "session" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_failure_type\",\"value\":\"login_failure_access_code_disallowed\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", - "event.outcome": "failure", - "event.provider": "login", - "event.type": [ - "start" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.challenge_method": "backup_code", - "gsuite.login.failure_type": "login_failure_access_code_disallowed", - "gsuite.login.type": "exchange", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3768, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "login_challenge", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_challenge\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", - "event.outcome": "failure", - "event.provider": "login", - "event.type": [ - "info" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.challenge_method": "backup_code", - "gsuite.login.type": "exchange", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4262, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "login_verification", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - 
"event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_verification\",\"parameters\":[{\"name\":\"is_second_factor\",\"boolValue\":false},{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", - "event.outcome": "failure", - "event.provider": "login", - "event.type": [ - "info" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.challenge_method": "backup_code", - "gsuite.login.is_second_factor": false, - "gsuite.login.type": "exchange", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4743, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "logout", - "event.category": [ - 
"authentication", - "session" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"logout\",\"parameters\":[{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", - "event.provider": "login", - "event.type": [ - "end" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.type": "exchange", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5273, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "login_success", - "event.category": [ - "authentication", - "session" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"is_suspicious\",\"boolValue\":false},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", - "event.outcome": "success", - "event.provider": "login", - "event.type": [ - "start" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.challenge_method": "backup_code", - "gsuite.login.is_suspicious": false, - "gsuite.login.type": "exchange", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5627, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml b/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml
deleted file mode 100644
index fc0adfcb55c..00000000000
--- a/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: saml
- type: group
- fields:
- - name: application_name
- type: keyword
- description: >
- Saml SP application name.
- - name: failure_type
- type: keyword
- description: >
- Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml.
- - name: initiated_by
- type: keyword
- description: >
- Requester of SAML authentication.
- - name: orgunit_path
- type: keyword
- description: >
- User orgunit.
- - name: status_code
- type: keyword
- description: >
- SAML status code.
- - name: second_level_status_code
- type: keyword
- description: >
- SAML second level status code.
diff --git a/x-pack/filebeat/module/gsuite/saml/config/config.yml b/x-pack/filebeat/module/gsuite/saml/config/config.yml
deleted file mode 100644
index 1db5796e670..00000000000
--- a/x-pack/filebeat/module/gsuite/saml/config/config.yml
+++ /dev/null
@@ -1,54 +0,0 @@ -{{ if eq .input "httpjson" }} -type: httpjson - -url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/saml -json_objects_array: items -split_events_by: events - -interval: {{ .interval }} - -{{ if .http_client_timeout }} -http_client_timeout: {{ .http_client_timeout }} -{{ end }} - -oauth2.provider: google -oauth2.google.jwt_file: {{ .jwt_file }} -oauth2.google.delegated_account: {{ .delegated_account }} -oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly - -date_cursor.url_field: startTime -date_cursor.initial_interval: {{ .initial_interval }} - -pagination.id_field: nextPageToken -pagination.url_field: pageToken - -{{ if .proxy_url }} -request.proxy_url: {{ .proxy_url }} -{{ end }} - -{{ else if eq .input "file" }} -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.11.0 - - script: - lang: javascript - id: gsuite-common - file: ${path.home}/module/gsuite/config/common.js - - script: - lang: javascript - id: gsuite-saml - file: ${path.home}/module/gsuite/saml/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/saml/config/pipeline.js b/x-pack/filebeat/module/gsuite/saml/config/pipeline.js deleted file mode 100644 index 705db7f2f1e..00000000000 --- a/x-pack/filebeat/module/gsuite/saml/config/pipeline.js +++ /dev/null 
@@ -1,53 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -var saml = (function () { - var processor = require("processor"); - - var categorizeEvent = function(evt) { - evt.Put("event.type", ["start"]); - evt.Put("event.category", ["authentication", "session"]); - switch (evt.Get("event.action")) { - case "login_failure": - evt.Put("event.outcome", "failure"); - break; - case "login_success": - evt.Put("event.outcome", "success"); - break; - } - }; - - var processParams = function(evt) { - var params = evt.Get("json.events.parameters"); - if (!params || !Array.isArray(params)) { - return; - } - - var prefixRegex = /^(saml_)/; - - params.forEach(function(p){ - p.name = p.name.replace(prefixRegex, ""); - - // all saml event parameters are strings. - // for this reason we know for sure they are in the 'value' field. - // https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml - evt.Put("google_workspace.saml."+p.name, p.value); - }); - - evt.Delete("json.events.parameters"); - }; - - var pipeline = new processor.Chain() - .Add(categorizeEvent) - .Add(processParams) - .Build(); - - return { - process: pipeline.Run, - }; -}()); - -function process(evt) { - return saml.process(evt); -} diff --git a/x-pack/filebeat/module/gsuite/saml/manifest.yml b/x-pack/filebeat/module/gsuite/saml/manifest.yml deleted file mode 100644 index c5992776ac0..00000000000 --- a/x-pack/filebeat/module/gsuite/saml/manifest.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: httpjson - - name: jwt_file - - name: delegated_account - - name: initial_interval - default: 24h - - name: http_client_timeout - default: 60s - - name: user_key - default: all - - name: interval - default: 2h - - name: tags - default: [forwarded] - - name: proxy_url - -input: config/config.yml -ingest_pipeline: ../ingest/common.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log deleted file mode 100644 index ed672b58a56..00000000000 --- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log +++ /dev/null @@ -1,2 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"application_name","value":"app"},{"name":"failure_type","value":"failure_app_not_configured_for_user"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_second_level_status_code","value":"SUCCESS_URI"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:01Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"application_name","value":"app"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}} 
diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json
deleted file mode 100644
index 7763ca17881..00000000000
--- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json
+++ /dev/null
@@ -1,116 +0,0 @@ -[ - { - "event.action": "login_failure", - "event.category": [ - "authentication", - "session" - ], - "event.dataset": "gsuite.saml", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", - "event.outcome": "failure", - "event.provider": "saml", - "event.type": [ - "start" - ], - "fileset.name": "saml", - "google_workspace.saml.application_name": "app", - "google_workspace.saml.failure_type": "failure_app_not_configured_for_user", - "google_workspace.saml.initiated_by": "idp", - "google_workspace.saml.orgunit_path": "ounit", - "google_workspace.saml.second_level_status_code": "SUCCESS_URI", - "google_workspace.saml.status_code": "SUCCESS_URI", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United 
States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "login_success", - "event.category": [ - "authentication", - "session" - ], - "event.dataset": "gsuite.saml", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", - "event.outcome": "success", - "event.provider": "saml", - "event.type": [ - "start" - ], - "fileset.name": "saml", - "google_workspace.saml.application_name": "app", - "google_workspace.saml.initiated_by": "idp", - "google_workspace.saml.orgunit_path": "ounit", - "google_workspace.saml.status_code": "SUCCESS_URI", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 622, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - 
"source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml deleted file mode 100644 index 1200b3ac499..00000000000 --- a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -{{ if eq .input "httpjson" }} -type: httpjson - -url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/user_accounts -json_objects_array: items -split_events_by: events - -interval: {{ .interval }} - -{{ if .http_client_timeout }} -http_client_timeout: {{ .http_client_timeout }} -{{ end }} - -oauth2.provider: google -oauth2.google.jwt_file: {{ .jwt_file }} -oauth2.google.delegated_account: {{ .delegated_account }} -oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly - -date_cursor.url_field: startTime -date_cursor.initial_interval: {{ .initial_interval }} - -pagination.id_field: nextPageToken -pagination.url_field: pageToken - -{{ if .proxy_url }} -request.proxy_url: {{ .proxy_url }} -{{ end }} - -{{ else if eq .input "file" }} -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.11.0 - - script: - lang: javascript - id: gsuite-common - file: ${path.home}/module/gsuite/config/common.js - - script: - lang: javascript - id: gsuite-user_accounts - file: ${path.home}/module/gsuite/user_accounts/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/user_accounts/config/pipeline.js b/x-pack/filebeat/module/gsuite/user_accounts/config/pipeline.js deleted file mode 100644 index 89b54fa72db..00000000000 --- a/x-pack/filebeat/module/gsuite/user_accounts/config/pipeline.js +++ /dev/null 
@@ -1,24 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -var userAccounts = (function () { - var processor = require("processor"); - - var categorizeEvent = function(evt) { - evt.Put("event.type", ["change", "user"]); - evt.Put("event.category", ["iam"]); - }; - - var pipeline = new processor.Chain() - .Add(categorizeEvent) - .Build(); - - return { - process: pipeline.Run, - }; -}()); - -function process(evt) { - return userAccounts.process(evt); -} diff --git a/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml b/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml deleted file mode 100644 index c5992776ac0..00000000000 --- a/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: httpjson - - name: jwt_file - - name: delegated_account - - name: initial_interval - default: 24h - - name: http_client_timeout - default: 60s - - name: user_key - default: all - - name: interval - default: 2h - - name: tags - default: [forwarded] - - name: proxy_url - -input: config/config.yml -ingest_pipeline: ../ingest/common.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log deleted file mode 100644 index 7da8fdec935..00000000000 --- a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log +++ /dev/null 
@@ -1,8 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"2sv_change","name":"2sv_disable"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"2sv_change","name":"2sv_enroll"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"password_change","name":"password_edit"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_email_edit"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_phone_edit"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_secret_qa_edit"}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"titanium_change","name":"titanium_enroll"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"titanium_change","name":"titanium_unenroll"}} diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json deleted file mode 100644 index 5943488f324..00000000000 --- a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json +++ /dev/null 
@@ -1,410 +0,0 @@ -[ - { - "event.action": "2sv_disable", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_disable\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "2sv_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "2sv_enroll", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_enroll\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "2sv_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 316, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "password_edit", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"password_change\",\"name\":\"password_edit\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "password_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 631, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "recovery_email_edit", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_email_edit\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "recovery_info_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 954, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "recovery_phone_edit", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_phone_edit\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "recovery_info_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1288, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "recovery_secret_qa_edit", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_secret_qa_edit\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "recovery_info_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1622, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "titanium_enroll", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_enroll\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "titanium_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1960, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "titanium_unenroll", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_unenroll\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "titanium_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2285, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/ibmmq/_meta/config.yml b/x-pack/filebeat/module/ibmmq/_meta/config.yml index 320922d37e0..e81a5fca28e 100644 --- a/x-pack/filebeat/module/ibmmq/_meta/config.yml +++ b/x-pack/filebeat/module/ibmmq/_meta/config.yml 
@@ -1,7 +1,7 @@ - module: ibmmq # All logs errorlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/module/imperva/_meta/config.yml b/x-pack/filebeat/module/imperva/_meta/config.yml
index 2b5660cd4c2..1ffb9f5d708 100644
--- a/x-pack/filebeat/module/imperva/_meta/config.yml
+++ b/x-pack/filebeat/module/imperva/_meta/config.yml
@@ -1,6 +1,6 @@ - module: imperva securesphere: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp
diff --git a/x-pack/filebeat/module/infoblox/_meta/config.yml b/x-pack/filebeat/module/infoblox/_meta/config.yml
index 85df3964b38..03c704cc5ba 100644
--- a/x-pack/filebeat/module/infoblox/_meta/config.yml
+++ b/x-pack/filebeat/module/infoblox/_meta/config.yml
@@ -1,6 +1,6 @@ - module: infoblox nios: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp
diff --git a/x-pack/filebeat/module/iptables/_meta/config.yml b/x-pack/filebeat/module/iptables/_meta/config.yml
index 0de64687f6e..3b791196985 100644
--- a/x-pack/filebeat/module/iptables/_meta/config.yml
+++ b/x-pack/filebeat/module/iptables/_meta/config.yml
@@ -1,6 +1,6 @@ - module: iptables log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input:
diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml
index 7f992656788..2ad874d9c4f 100644
--- a/x-pack/filebeat/module/juniper/_meta/config.yml
+++ b/x-pack/filebeat/module/juniper/_meta/config.yml
@@ -1,6 +1,6 @@ - module: juniper junos: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp
@@ -19,7 +19,7 @@ # var.tz_offset: local netscreen: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp
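Review bot: The `enabled: true` → `enabled: false` flip in the ibmmq hunk changes the module's shipped default, and the same flip is repeated for imperva, infoblox, iptables and juniper on this line and for microsoft, misp, mssql, mysqlenterprise, netflow, netscout and o365 in the hunks that follow, with nothing in the patch saying why. If the reverts are intended, a changelog line stating that these filesets now default to disabled would let operators notice that previously-on log sources go quiet after upgrade; if they are an artefact of rebasing onto a stale base, the hunks should be dropped so the patch stays limited to what it sets out to do. Each `_meta/config.yml` is only partially visible here, so whether any other key in those files changed cannot be judged from the hunks.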
@@ -38,7 +38,7 @@
 # var.tz_offset: local
 srx:
- enabled: true
+ enabled: false
 # Set which input to use between tcp, udp (default) or file.
 #var.input: udp
diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml
index a168b621ba5..96b1f3db1db 100644
--- a/x-pack/filebeat/module/microsoft/_meta/config.yml
+++ b/x-pack/filebeat/module/microsoft/_meta/config.yml
@@ -1,7 +1,7 @@
 - module: microsoft
 # ATP configuration
 defender_atp:
- enabled: true
+ enabled: false
 # How often the API should be polled
 #var.interval: 5m
@@ -14,7 +14,7 @@
 # Oauth Token URL, should include the tenant ID
 #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
 m365_defender:
- enabled: true
+ enabled: false
 # How often the API should be polled
 #var.interval: 5m
@@ -31,7 +31,7 @@
 #var.oauth2.scopes:
 # - "https://api.security.microsoft.com/.default"
 dhcp:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/misp/_meta/config.yml b/x-pack/filebeat/module/misp/_meta/config.yml
index 0eab72db205..1e6ce8928d1 100644
--- a/x-pack/filebeat/module/misp/_meta/config.yml
+++ b/x-pack/filebeat/module/misp/_meta/config.yml
@@ -2,7 +2,7 @@
 - module: misp
 threat:
- enabled: true
+ enabled: false
 # API key to access MISP
 #var.api_key
diff --git a/x-pack/filebeat/module/mssql/_meta/config.yml b/x-pack/filebeat/module/mssql/_meta/config.yml
index a56e658f7b7..3735debfcfd 100644
--- a/x-pack/filebeat/module/mssql/_meta/config.yml
+++ b/x-pack/filebeat/module/mssql/_meta/config.yml
@@ -1,7 +1,7 @@
 - module: mssql
 # Fileset for native deployment
 log:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS. 
diff --git a/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml b/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml
index a4350a0ac60..ee13c51ec1e 100644
--- a/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml
+++ b/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: mysqlenterprise
 audit:
- enabled: true
+ enabled: false
 # Sets the input type. Currently only supports file
 #var.input: file
diff --git a/x-pack/filebeat/module/netflow/_meta/config.yml b/x-pack/filebeat/module/netflow/_meta/config.yml
index 91fe3953e94..5fed6db3581 100644
--- a/x-pack/filebeat/module/netflow/_meta/config.yml
+++ b/x-pack/filebeat/module/netflow/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: netflow
 log:
- enabled: true
+ enabled: false
 var:
 netflow_host: localhost
 netflow_port: 2055
diff --git a/x-pack/filebeat/module/netscout/_meta/config.yml b/x-pack/filebeat/module/netscout/_meta/config.yml
index 168d7284a9f..d7bcfcf2e7f 100644
--- a/x-pack/filebeat/module/netscout/_meta/config.yml
+++ b/x-pack/filebeat/module/netscout/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: netscout
 sightline:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/o365/_meta/config.yml b/x-pack/filebeat/module/o365/_meta/config.yml
index b1a30d6dbe9..9ff4f9fb926 100644
--- a/x-pack/filebeat/module/o365/_meta/config.yml
+++ b/x-pack/filebeat/module/o365/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: o365
 audit:
- enabled: true
+ enabled: false
 # Set the application_id (also known as client ID):
 var.application_id: ""
diff --git a/x-pack/filebeat/module/o365/_meta/kibana/7/map/dbae13c0-685c-11ea-8d6a-292ef5d68366.json b/x-pack/filebeat/module/o365/_meta/kibana/7/map/dbae13c0-685c-11ea-8d6a-292ef5d68366.json
index 1c3afa633e7..bc30cc657b4 100644
--- a/x-pack/filebeat/module/o365/_meta/kibana/7/map/dbae13c0-685c-11ea-8d6a-292ef5d68366.json 
+++ b/x-pack/filebeat/module/o365/_meta/kibana/7/map/dbae13c0-685c-11ea-8d6a-292ef5d68366.json 
@@ -1,8 +1,162 @@ { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"0b910b6c-77c8-4223-892a-1ebf69b0ccb4\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"id\":\"3ba31ffc-7051-44bf-96a0-a684020cd2a3\",\"geoField\":\"source.geo.location\",\"requestType\":\"point\",\"resolution\":\"FINE\",\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\",\"useCustomColorRamp\":false}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":0}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"minSize\":8,\"maxSize\":32,\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3}}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"}}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}}},\"isTimeAware\":true},\"id\":\"acc53b7b-3411-406b-9371-6fa62b6b9365\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\"}]", - "mapStateJSON": 
"{\"zoom\":2.88,\"center\":{\"lon\":16.67387,\"lat\":30.87292},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"event.dataset:\\\"o365.audit\\\" \",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "0b910b6c-77c8-4223-892a-1ebf69b0ccb4", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": {}, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "acc53b7b-3411-406b-9371-6fa62b6b9365", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "geoField": "source.geo.location", + "id": "3ba31ffc-7051-44bf-96a0-a684020cd2a3", + "indexPatternRefName": "layer_1_source_index_pattern", + "requestType": "point", + "resolution": "FINE", + "type": "ES_GEO_GRID" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "Yellow to Red", + "colorCategory": "palette_0", + "field": { + "name": "doc_count", + "origin": "source" + }, + "fieldMetaOptions": { + "isEnabled": true, + "sigma": 3 + }, + "type": "ORDINAL", + "useCustomColorRamp": false + }, + "type": "DYNAMIC" + }, + "icon": { + "options": { + "value": "airfield" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "field": { + "name": "doc_count", + "origin": "source" + }, + "fieldMetaOptions": { + "isEnabled": true, + "sigma": 3 + }, + "maxSize": 32, + "minSize": 8 + }, + "type": "DYNAMIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + 
}, + "type": "STATIC" + }, + "labelText": { + "options": { + "field": { + "name": "doc_count", + "origin": "source" + } + }, + "type": "DYNAMIC" + }, + "lineColor": { + "options": { + "color": "#FFF" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 0 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 30.87292, + "lon": 16.67387 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "event.dataset:\"o365.audit\" " + }, + "refreshConfig": { + "interval": 0, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false + }, + "timeFilters": { + "from": "now-7d", + "to": "now" + }, + "zoom": 2.88 + }, "title": "Client Geo Map [Filebeat o365 audit]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/okta/_meta/config.yml b/x-pack/filebeat/module/okta/_meta/config.yml index bb2da13eca4..21fc87b737d 100644 --- a/x-pack/filebeat/module/okta/_meta/config.yml +++ b/x-pack/filebeat/module/okta/_meta/config.yml @@ -1,6 +1,6 @@ - module: okta system: - enabled: true + enabled: false # You must configure the URL with your Okta domain and provide an # API token to access the logs API. #var.url: https://yourOktaDomain/api/v1/logs diff --git a/x-pack/filebeat/module/okta/_meta/kibana/7/map/281ca660-67b1-11ea-a76f-bf44814e437d.json b/x-pack/filebeat/module/okta/_meta/kibana/7/map/281ca660-67b1-11ea-a76f-bf44814e437d.json index 8e84bedce4a..1daf57ec1d8 100644 --- a/x-pack/filebeat/module/okta/_meta/kibana/7/map/281ca660-67b1-11ea-a76f-bf44814e437d.json +++ b/x-pack/filebeat/module/okta/_meta/kibana/7/map/281ca660-67b1-11ea-a76f-bf44814e437d.json 
@@ -1,8 +1,169 @@ { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"6908e81b-1695-4445-aee4-8bc8c9f65600\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"4b8bd321-4b90-4d97-83e0-2b12bf091f66\",\"geoField\":\"client.geo.location\",\"filterByMapBounds\":false,\"type\":\"ES_SEARCH\",\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":1,\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"dc52e707-92d7-4de7-becf-a3a8bfaa2c2d\",\"label\":\"Okta \",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"query\":{\"query\":\"event.dataset : \\\"okta.system\\\" \",\"language\":\"kuery\"}}]", - "mapStateJSON": 
"{\"zoom\":2.75,\"center\":{\"lon\":-44.69098,\"lat\":26.54701},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"filebeat-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"okta.system\"}}}],\"settings\":{\"autoFitToDataBounds\":false}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "6908e81b-1695-4445-aee4-8bc8c9f65600", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": {}, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "dc52e707-92d7-4de7-becf-a3a8bfaa2c2d", + "label": "Okta ", + "maxZoom": 24, + "minZoom": 0, + "query": { + "language": "kuery", + "query": "event.dataset : \"okta.system\" " + }, + "sourceDescriptor": { + "applyGlobalQuery": true, + "filterByMapBounds": false, + "geoField": "client.geo.location", + "id": "4b8bd321-4b90-4d97-83e0-2b12bf091f66", + "indexPatternRefName": "layer_1_source_index_pattern", + "scalingType": "LIMIT", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [], + "topHitsSize": 1, + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#54B399" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": 
"STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#41937c" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 26.54701, + "lon": -44.69098 + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "okta.system" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "okta.system" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false + }, + "timeFilters": { + "from": "now-15w", + "to": "now" + }, + "zoom": 2.75 + }, "title": "Geolocation [Filebeat Okta]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/oracle/_meta/config.yml b/x-pack/filebeat/module/oracle/_meta/config.yml index 7b1f569b835..230ad88e684 100644 --- a/x-pack/filebeat/module/oracle/_meta/config.yml +++ b/x-pack/filebeat/module/oracle/_meta/config.yml @@ -1,6 +1,6 @@ - module: oracle database_audit: - enabled: true + enabled: false # Set which input to use between syslog or file (default). #var.input: file diff --git a/x-pack/filebeat/module/panw/_meta/config.yml b/x-pack/filebeat/module/panw/_meta/config.yml index 737825f598c..8b28631ddd9 100644 --- a/x-pack/filebeat/module/panw/_meta/config.yml +++ b/x-pack/filebeat/module/panw/_meta/config.yml @@ -1,6 +1,6 @@ - module: panw panos: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: 
diff --git a/x-pack/filebeat/module/proofpoint/_meta/config.yml b/x-pack/filebeat/module/proofpoint/_meta/config.yml
index d25f23041e3..05dcc780bcd 100644
--- a/x-pack/filebeat/module/proofpoint/_meta/config.yml
+++ b/x-pack/filebeat/module/proofpoint/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: proofpoint
 emailsecurity:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/rabbitmq/_meta/config.yml b/x-pack/filebeat/module/rabbitmq/_meta/config.yml
index 246c13225c6..966f2169acc 100644
--- a/x-pack/filebeat/module/rabbitmq/_meta/config.yml
+++ b/x-pack/filebeat/module/rabbitmq/_meta/config.yml
@@ -1,7 +1,7 @@
 - module: rabbitmq
 # All logs
 log:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/module/radware/_meta/config.yml b/x-pack/filebeat/module/radware/_meta/config.yml
index dc134fbe59f..5341bf6064f 100644
--- a/x-pack/filebeat/module/radware/_meta/config.yml
+++ b/x-pack/filebeat/module/radware/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: radware
 defensepro:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/snort/_meta/config.yml b/x-pack/filebeat/module/snort/_meta/config.yml
index e3804a605b9..e428234a180 100644
--- a/x-pack/filebeat/module/snort/_meta/config.yml
+++ b/x-pack/filebeat/module/snort/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: snort
 log:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/snyk/_meta/config.yml b/x-pack/filebeat/module/snyk/_meta/config.yml
index 2d433139638..6c224738076 100644
--- a/x-pack/filebeat/module/snyk/_meta/config.yml
+++ b/x-pack/filebeat/module/snyk/_meta/config.yml 
@@ -1,6 +1,6 @@
 - module: snyk
 audit:
- enabled: true
+ enabled: false
 # Set which input to use between httpjson (default) or file.
 #var.input: httpjson
 #
@@ -29,7 +29,7 @@
 #var.email_address: ""
 vulnerabilities:
- enabled: true
+ enabled: false
 # Set which input to use between httpjson (default) or file.
 #var.input: httpjson
 # How often the API should be polled. Data from the Snyk API is automatically updated
diff --git a/x-pack/filebeat/module/sonicwall/_meta/config.yml b/x-pack/filebeat/module/sonicwall/_meta/config.yml
index fcc2abefb79..92a71910286 100644
--- a/x-pack/filebeat/module/sonicwall/_meta/config.yml
+++ b/x-pack/filebeat/module/sonicwall/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: sonicwall
 firewall:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/sophos/_meta/config.yml b/x-pack/filebeat/module/sophos/_meta/config.yml
index 5388cbdfcbc..4b07d941401 100644
--- a/x-pack/filebeat/module/sophos/_meta/config.yml
+++ b/x-pack/filebeat/module/sophos/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: sophos
 xg:
- enabled: true
+ enabled: false
 # Set which input to use between tcp, udp (default) or file.
 #var.input: udp
@@ -24,7 +24,7 @@
 utm:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc
index 58d9add8037..19b6df5e14a 100644
--- a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc 
@@ -11,17 +11,17 @@ logs in syslog format or from a file for the following devices:
 - `xg` fileset: supports Sophos XG SFOS logs.
 - `utm` fileset: supports Sophos UTM logs.
-To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation].
+To configure a remote syslog destination, please reference the https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/SyslogServerAdd.html[SophosXG/SFOS Documentation].
-The syslog format choosen should be `Default`.
+The syslog format choosen in Sophos configuration should be `Central Reporting Format`.
 include::../include/gs-link.asciidoc[]
 [float]
 === Compatibility
-This module has been tested against SFOS version 17.5.x and 18.0.x.
-Versions above this are expected to work but have not been tested.
+This module has been tested against SFOS version 17.5.x, 18.0.x, and 18.5.x.
+Versions above this and between 18.0 - 18.5 are expected to work but have not been tested.
 include::../include/configuring-intro.asciidoc[]
diff --git a/x-pack/filebeat/module/squid/_meta/config.yml b/x-pack/filebeat/module/squid/_meta/config.yml
index e3d681dac2a..ad0f3f2053c 100644
--- a/x-pack/filebeat/module/squid/_meta/config.yml
+++ b/x-pack/filebeat/module/squid/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: squid
 log:
- enabled: true
+ enabled: false
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/suricata/_meta/config.yml b/x-pack/filebeat/module/suricata/_meta/config.yml
index 1556d5d0451..1ad37b0427e 100644
--- a/x-pack/filebeat/module/suricata/_meta/config.yml
+++ b/x-pack/filebeat/module/suricata/_meta/config.yml
@@ -1,7 +1,7 @@
 - module: suricata
 # All logs
 eve:
- enabled: true
+ enabled: false
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS. 
diff --git a/x-pack/filebeat/module/threatintel/_meta/config.yml b/x-pack/filebeat/module/threatintel/_meta/config.yml
index f2cf00bcf0d..41451f6e33a 100644
--- a/x-pack/filebeat/module/threatintel/_meta/config.yml
+++ b/x-pack/filebeat/module/threatintel/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: threatintel
 abuseurl:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data.
 var.input: httpjson
@@ -12,7 +12,7 @@
 var.interval: 10m
 abusemalware:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data.
 var.input: httpjson
@@ -24,7 +24,7 @@
 var.interval: 10m
 malwarebazaar:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data.
 var.input: httpjson
@@ -36,7 +36,7 @@
 var.interval: 10m
 misp:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data, defaults to JSON.
 var.input: httpjson
@@ -65,7 +65,7 @@
 var.interval: 5m
 otx:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data
 var.input: httpjson
@@ -92,7 +92,7 @@
 var.interval: 5m
 anomali:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data
 var.input: httpjson
@@ -114,7 +114,7 @@
 var.interval: 5m
 anomalithreatstream:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data
 var.input: http_endpoint
@@ -139,7 +139,7 @@
 # var.ssl_key: path/to/ssl_key.pem
 recordedfuture:
- enabled: true
+ enabled: false
 # Input used for ingesting threat intel data
 var.input: httpjson
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json
index a5db3f4515c..63e7825a56b 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json 
@@ -1,8 +1,184 @@ { "attributes": { "description": "Origin country of the indicator ingested by the threat intel Filebeat module.", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"ea2479ec-b43e-4377-a068-91d93265081d\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\"},{\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"81d209f7-b068-4b0d-90f4-baf9a3eefb55\",\"indexPatternTitle\":\"filebeat-*\",\"term\":\"threatintel.indicator.geo.country_iso_code\",\"metrics\":[{\"type\":\"count\"}],\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"indexPatternRefName\":\"layer_1_join_0_index_pattern\"}}],\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"name\"]},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"__kbnjoin__count__81d209f7-b068-4b0d-90f4-baf9a3eefb55\",\"origin\":\"join\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#3d3d3d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"66df8b3a-7f7c-4969-929e-2c1ac5b64584\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\"}]", - "mapStateJSON": "{\"zoom\":2.08,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-30d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showSpatialFilters\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "ea2479ec-b43e-4377-a068-91d93265081d", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": 
"66df8b3a-7f7c-4969-929e-2c1ac5b64584", + "joins": [ + { + "leftField": "iso2", + "right": { + "applyGlobalQuery": true, + "applyGlobalTime": true, + "id": "81d209f7-b068-4b0d-90f4-baf9a3eefb55", + "indexPatternRefName": "layer_1_join_0_index_pattern", + "indexPatternTitle": "filebeat-*", + "metrics": [ + { + "type": "count" + } + ], + "term": "threatintel.indicator.geo.country_iso_code", + "type": "ES_TERM_SOURCE" + } + } + ], + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "id": "world_countries", + "tooltipProperties": [ + "name" + ], + "type": "EMS_FILE" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "Yellow to Red", + "colorCategory": "palette_0", + "field": { + "name": "__kbnjoin__count__81d209f7-b068-4b0d-90f4-baf9a3eefb55", + "origin": "join" + }, + "fieldMetaOptions": { + "isEnabled": true, + "sigma": 3 + }, + "type": "ORDINAL" + }, + "type": "DYNAMIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#3d3d3d" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 19.94277, + "lon": 0 + }, + "filters": [], + "query": { + "language": "kuery", + 
"query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showSpatialFilters": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-30d", + "to": "now" + }, + "zoom": 2.08 + }, "title": "Indicator Origin Country [Filebeat Threat Intel]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json index 6f7918fe90d..8100b60e6b3 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json 
@@ -1,8 +1,174 @@
 {
 "attributes": {
 "description": "Geographic location of Anomali indicators ingested by the threat intel Filebeat module.",
- "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"9027343a-f725-4467-9b08-8566ad0b2a52\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"geoField\":\"threatintel.indicator.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"LIMIT\",\"id\":\"a3ecc6af-0299-4cb9-a29c-0b70f666b011\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"tooltipProperties\":[\"threatintel.indicator.as.number\",\"threatintel.indicator.as.organization.name\",\"threatintel.indicator.geo.country_iso_code\"],\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSplitField\":\"\",\"topHitsSize\":1,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"id\":\"83ede860-fe89-43c9-8e74-fa2703efbb85\",\"label\":\"Indicator Geographic Location\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"danger\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#D36086\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"type\":\"VECTOR\",\"joins\":[]}]",
- "mapStateJSON": "{\"zoom\":2.08,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"event.dataset:\\\"threatintel.anomalithreatstream\\\" \",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}",
+ "layerListJSON": [
+ {
+ "alpha": 1,
+ "id": "9027343a-f725-4467-9b08-8566ad0b2a52",
+ "label": null,
+ "maxZoom": 24,
+ "minZoom": 0,
+ "sourceDescriptor": {
+ "isAutoSelect": true,
+ "type": "EMS_TMS"
+ },
+ "style": {
+ "type": "TILE"
+ },
+ "type": "VECTOR_TILE",
+ "visible": true
+ },
+ {
+ "alpha": 0.75,
+ "id": "83ede860-fe89-43c9-8e74-fa2703efbb85",
+ "joins": [],
+ "label": "Indicator Geographic Location",
+ "maxZoom": 24,
+ "minZoom": 0,
+ "sourceDescriptor": {
+ "applyGlobalQuery": true,
+ "applyGlobalTime": true,
+ "filterByMapBounds": true,
+ "geoField": "threatintel.indicator.geo.location",
+ "id": "a3ecc6af-0299-4cb9-a29c-0b70f666b011",
+ "indexPatternRefName": "layer_1_source_index_pattern",
+ "scalingType": "LIMIT",
+ "sortField": "",
+ "sortOrder": "desc",
+ "tooltipProperties": [
+ "threatintel.indicator.as.number",
+ "threatintel.indicator.as.organization.name",
+ "threatintel.indicator.geo.country_iso_code"
+ ],
+ "topHitsSize": 1,
+ "topHitsSplitField": "",
+ "type": "ES_SEARCH"
+ },
+ "style": {
+ "isTimeAware": true,
+ "properties": {
+ "fillColor": {
+ "options": {
+ "color": "#D36086"
+ },
+ "type": "STATIC"
+ },
+ "icon": {
+ "options": {
+ "value": "danger"
+ },
+ "type": "STATIC"
+ },
+ "iconOrientation": {
+ "options": {
+ "orientation": 0
+ },
+ "type": "STATIC"
+ },
+ "iconSize": {
+ "options": {
+ "size": 6
+ },
+ "type": "STATIC"
+ },
+ "labelBorderColor": {
+ "options": {
+ "color": "#FFFFFF"
+ },
+ "type": "STATIC"
+ },
+ "labelBorderSize": {
+ "options": {
+ "size": "SMALL"
+ }
+ },
+ "labelColor": {
+ "options": {
+ "color": "#000000"
+ },
+ "type": "STATIC"
+ },
+ "labelSize": {
+ "options": {
+ "size": 14
+ },
+ "type": "STATIC"
+ },
+ "labelText": {
+ "options": {
+ "value": ""
+ },
+ "type": "STATIC"
+ },
+ "lineColor": {
+ "options": {
+ "color": "#41937c"
+ },
+ "type": "STATIC"
+ },
+ "lineWidth": {
+ "options": {
+ "size": 1
+ },
+ "type": "STATIC"
+ },
+ "symbolizeAs": {
+ "options": {
+ "value": "circle"
+ }
+ }
+ },
+ "type": "VECTOR"
+ },
+ "type": "VECTOR",
+ "visible": true
+ }
+ ],
+ "mapStateJSON": {
+ "center": {
+ "lat": 19.94277,
+ "lon": 0
+ },
+ "filters": [],
+ "query": {
+ "language": 
"kuery", + "query": "event.dataset:\"threatintel.anomalithreatstream\" " + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-7d", + "to": "now" + }, + "zoom": 2.08 + }, "title": "Anomali Indicator Geographic Location [Filebeat Threat Intel]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/tomcat/_meta/config.yml b/x-pack/filebeat/module/tomcat/_meta/config.yml index e3640165f61..e04b9201704 100644 --- a/x-pack/filebeat/module/tomcat/_meta/config.yml +++ b/x-pack/filebeat/module/tomcat/_meta/config.yml @@ -1,6 +1,6 @@ - module: tomcat log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/zeek/_meta/config.yml b/x-pack/filebeat/module/zeek/_meta/config.yml index dbe6012df6b..496581963fa 100644 --- a/x-pack/filebeat/module/zeek/_meta/config.yml +++ b/x-pack/filebeat/module/zeek/_meta/config.yml 
@@ -1,82 +1,82 @@ - module: zeek capture_loss: - enabled: true + enabled: false connection: - enabled: true + enabled: false dce_rpc: - enabled: true + enabled: false dhcp: - enabled: true + enabled: false dnp3: - enabled: true + enabled: false dns: - enabled: true + enabled: false dpd: - enabled: true + enabled: false files: - enabled: true + enabled: false ftp: - enabled: true + enabled: false http: - enabled: true + enabled: false intel: - enabled: true + enabled: false irc: - enabled: true + enabled: false kerberos: - enabled: true + enabled: false modbus: - enabled: true + enabled: false mysql: - enabled: true + enabled: false notice: - enabled: true + enabled: false ntp: - enabled: true + enabled: false ntlm: - enabled: true + enabled: false ocsp: - enabled: true + enabled: false pe: - enabled: true + enabled: false radius: - enabled: true + enabled: false rdp: - enabled: true + enabled: false rfb: - enabled: true + enabled: false signature: - enabled: true + enabled: false sip: - enabled: true + enabled: false smb_cmd: - enabled: true + enabled: false smb_files: - enabled: true + enabled: false smb_mapping: - enabled: true + enabled: false smtp: - enabled: true + enabled: false snmp: - enabled: true + enabled: false socks: - enabled: true + enabled: false ssh: - enabled: true + enabled: false ssl: - enabled: true + enabled: false stats: - enabled: true + enabled: false syslog: - enabled: true + enabled: false traceroute: - enabled: true + enabled: false tunnel: - enabled: true + enabled: false weird: - enabled: true + enabled: false x509: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/zookeeper/_meta/config.yml b/x-pack/filebeat/module/zookeeper/_meta/config.yml index a31d217a5ec..e14f9d1020f 100644 --- a/x-pack/filebeat/module/zookeeper/_meta/config.yml +++ b/x-pack/filebeat/module/zookeeper/_meta/config.yml 
@@ -1,14 +1,14 @@ - module: zookeeper # All logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/zoom/_meta/config.yml b/x-pack/filebeat/module/zoom/_meta/config.yml index 43c8ed43628..a010f43f3a9 100644 --- a/x-pack/filebeat/module/zoom/_meta/config.yml +++ b/x-pack/filebeat/module/zoom/_meta/config.yml @@ -1,6 +1,6 @@ - module: zoom webhook: - enabled: true + enabled: false # The type of input to use #var.input: http_endpoint diff --git a/x-pack/filebeat/module/zscaler/_meta/config.yml b/x-pack/filebeat/module/zscaler/_meta/config.yml index 9afb8712afb..d7c47dc6e70 100644 --- a/x-pack/filebeat/module/zscaler/_meta/config.yml +++ b/x-pack/filebeat/module/zscaler/_meta/config.yml @@ -1,6 +1,6 @@ - module: zscaler zia: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/activemq.yml.disabled b/x-pack/filebeat/modules.d/activemq.yml.disabled index 1c6728dd8c4..82c70b16947 100644 --- a/x-pack/filebeat/modules.d/activemq.yml.disabled +++ b/x-pack/filebeat/modules.d/activemq.yml.disabled @@ -4,7 +4,7 @@ - module: activemq # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Application logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/azure.yml.disabled b/x-pack/filebeat/modules.d/azure.yml.disabled index dcf5b1764d7..89ccfff8204 100644 --- a/x-pack/filebeat/modules.d/azure.yml.disabled 
+++ b/x-pack/filebeat/modules.d/azure.yml.disabled @@ -4,7 +4,7 @@ - module: azure # All logs activitylogs: - enabled: true + enabled: false var: # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub eventhub: "insights-operational-logs" diff --git a/x-pack/filebeat/modules.d/barracuda.yml.disabled b/x-pack/filebeat/modules.d/barracuda.yml.disabled index 20552d4c503..6327b8d6a75 100644 --- a/x-pack/filebeat/modules.d/barracuda.yml.disabled +++ b/x-pack/filebeat/modules.d/barracuda.yml.disabled @@ -3,7 +3,7 @@ - module: barracuda waf: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -22,7 +22,7 @@ # var.tz_offset: local spamfirewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/bluecoat.yml.disabled b/x-pack/filebeat/modules.d/bluecoat.yml.disabled index df71bb8ab04..98a4cef099b 100644 --- a/x-pack/filebeat/modules.d/bluecoat.yml.disabled +++ b/x-pack/filebeat/modules.d/bluecoat.yml.disabled @@ -3,7 +3,7 @@ - module: bluecoat director: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/cef.yml.disabled b/x-pack/filebeat/modules.d/cef.yml.disabled index bb8eca97d6b..cda083f4a5e 100644 --- a/x-pack/filebeat/modules.d/cef.yml.disabled +++ b/x-pack/filebeat/modules.d/cef.yml.disabled @@ -3,7 +3,7 @@ - module: cef log: - enabled: true + enabled: false var: syslog_host: localhost syslog_port: 9003 diff --git a/x-pack/filebeat/modules.d/checkpoint.yml.disabled b/x-pack/filebeat/modules.d/checkpoint.yml.disabled index 03db911f192..05fdfc0aa27 100644 --- a/x-pack/filebeat/modules.d/checkpoint.yml.disabled +++ b/x-pack/filebeat/modules.d/checkpoint.yml.disabled 
@@ -3,7 +3,7 @@ - module: checkpoint firewall: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled index 6a933610336..3ad2d76a875 100644 --- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled @@ -3,7 +3,7 @@ - module: cisco asa: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -29,7 +29,7 @@ #var.external_zones: [ "External" ] ftd: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -55,7 +55,7 @@ #var.external_zones: [ "External" ] ios: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -72,7 +72,7 @@ #var.paths: nexus: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -91,7 +91,7 @@ # var.tz_offset: local meraki: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -110,7 +110,7 @@ # var.tz_offset: local umbrella: - enabled: true + enabled: false #var.input: aws-s3 # AWS SQS queue url @@ -125,7 +125,7 @@ #var.api_timeout: 120s amp: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson diff --git a/x-pack/filebeat/modules.d/coredns.yml.disabled b/x-pack/filebeat/modules.d/coredns.yml.disabled index d4a871455fd..fb7e9995130 100644 --- a/x-pack/filebeat/modules.d/coredns.yml.disabled +++ b/x-pack/filebeat/modules.d/coredns.yml.disabled @@ -4,7 +4,7 @@ - module: coredns # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
diff --git a/x-pack/filebeat/modules.d/crowdstrike.yml.disabled b/x-pack/filebeat/modules.d/crowdstrike.yml.disabled index a51bf2818a1..aea362f2e40 100644 --- a/x-pack/filebeat/modules.d/crowdstrike.yml.disabled +++ b/x-pack/filebeat/modules.d/crowdstrike.yml.disabled @@ -4,7 +4,7 @@ - module: crowdstrike falcon: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/cyberark.yml.disabled b/x-pack/filebeat/modules.d/cyberark.yml.disabled deleted file mode 100644 index 833a92645b1..00000000000 --- a/x-pack/filebeat/modules.d/cyberark.yml.disabled +++ /dev/null @@ -1,24 +0,0 @@ -# Module: cyberark -# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-cyberark.html - -# The cyberark module is deprecated and will be removed in future releases. -# Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. -- module: cyberark - corepas: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9527 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled b/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled index 2045718a6b7..f2168e9d453 100644 --- a/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled +++ b/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled @@ -3,7 +3,7 @@ - module: cyberarkpas audit: - enabled: true + enabled: false # Set which input to use between tcp (default), udp, or file. # 
diff --git a/x-pack/filebeat/modules.d/cylance.yml.disabled b/x-pack/filebeat/modules.d/cylance.yml.disabled index 8f16f29ca5b..164642f0738 100644 --- a/x-pack/filebeat/modules.d/cylance.yml.disabled +++ b/x-pack/filebeat/modules.d/cylance.yml.disabled @@ -3,7 +3,7 @@ - module: cylance protect: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/envoyproxy.yml.disabled b/x-pack/filebeat/modules.d/envoyproxy.yml.disabled index a46cf279282..d95316b3c30 100644 --- a/x-pack/filebeat/modules.d/envoyproxy.yml.disabled +++ b/x-pack/filebeat/modules.d/envoyproxy.yml.disabled @@ -4,7 +4,7 @@ - module: envoyproxy # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/f5.yml.disabled b/x-pack/filebeat/modules.d/f5.yml.disabled index fdf357dae44..4db5209693d 100644 --- a/x-pack/filebeat/modules.d/f5.yml.disabled +++ b/x-pack/filebeat/modules.d/f5.yml.disabled @@ -3,7 +3,7 @@ - module: f5 bigipapm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -22,7 +22,7 @@ # var.tz_offset: local bigipafm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/fortinet.yml.disabled b/x-pack/filebeat/modules.d/fortinet.yml.disabled index f77f2169d6d..e31eb967d73 100644 --- a/x-pack/filebeat/modules.d/fortinet.yml.disabled +++ b/x-pack/filebeat/modules.d/fortinet.yml.disabled @@ -3,7 +3,7 @@ - module: fortinet firewall: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp 
@@ -26,7 +26,7 @@ #var.external_interfaces: [ "WAN" ] clientendpoint: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -45,7 +45,7 @@ # var.tz_offset: local fortimail: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -64,7 +64,7 @@ # var.tz_offset: local fortimanager: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/gcp.yml.disabled b/x-pack/filebeat/modules.d/gcp.yml.disabled index 0a1971525a3..b0b5f636b10 100644 --- a/x-pack/filebeat/modules.d/gcp.yml.disabled +++ b/x-pack/filebeat/modules.d/gcp.yml.disabled @@ -3,7 +3,7 @@ - module: gcp vpcflow: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -31,7 +31,7 @@ #var.internal_networks: [ "private" ] firewall: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -58,7 +58,7 @@ #var.internal_networks: [ "private" ] audit: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id diff --git a/x-pack/filebeat/modules.d/google_workspace.yml.disabled b/x-pack/filebeat/modules.d/google_workspace.yml.disabled index b5eb0051965..85142dfcaf0 100644 --- a/x-pack/filebeat/modules.d/google_workspace.yml.disabled +++ b/x-pack/filebeat/modules.d/google_workspace.yml.disabled @@ -3,7 +3,7 @@ - module: google_workspace saml: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -11,7 +11,7 @@ # var.user_key: all # var.interval: 2h user_accounts: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h 
@@ -19,7 +19,7 @@ # var.user_key: all # var.interval: 2h login: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -27,7 +27,7 @@ # var.user_key: all # var.interval: 2h admin: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -35,7 +35,7 @@ # var.user_key: all # var.interval: 2h drive: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -43,7 +43,7 @@ # var.user_key: all # var.interval: 2h groups: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h diff --git a/x-pack/filebeat/modules.d/googlecloud.yml.disabled b/x-pack/filebeat/modules.d/googlecloud.yml.disabled deleted file mode 100644 index 6f3e6b53e21..00000000000 --- a/x-pack/filebeat/modules.d/googlecloud.yml.disabled +++ /dev/null 
@@ -1,58 +0,0 @@ -# Module: googlecloud -# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-googlecloud.html - -# googlecloud module is deprecated, please use gcp instead -- module: gcp - vpcflow: - enabled: true - - # Google Cloud project ID. - var.project_id: my-gcp-project-id - - # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be - # configured to use this topic as a sink for VPC flow logs. - var.topic: gcp-vpc-flowlogs - - # Google Pub/Sub subscription for the topic. Filebeat will create this - # subscription if it does not exist. - var.subscription_name: filebeat-gcp-vpc-flowlogs-sub - - # Credentials file for the service account with authorization to read from - # the subscription. - var.credentials_file: ${path.config}/gcp-service-account-xyz.json - - firewall: - enabled: true - - # Google Cloud project ID. - var.project_id: my-gcp-project-id - - # Google Pub/Sub topic containing firewall logs. Stackdriver must be - # configured to use this topic as a sink for firewall logs. - var.topic: gcp-vpc-firewall - - # Google Pub/Sub subscription for the topic. Filebeat will create this - # subscription if it does not exist. - var.subscription_name: filebeat-gcp-firewall-sub - - # Credentials file for the service account with authorization to read from - # the subscription. - var.credentials_file: ${path.config}/gcp-service-account-xyz.json - - audit: - enabled: true - - # Google Cloud project ID. - var.project_id: my-gcp-project-id - - # Google Pub/Sub topic containing firewall logs. Stackdriver must be - # configured to use this topic as a sink for firewall logs. - var.topic: gcp-vpc-audit - - # Google Pub/Sub subscription for the topic. Filebeat will create this - # subscription if it does not exist. - var.subscription_name: filebeat-gcp-audit - - # Credentials file for the service account with authorization to read from - # the subscription. - var.credentials_file: ${path.config}/gcp-service-account-xyz.json 
diff --git a/x-pack/filebeat/modules.d/gsuite.yml.disabled b/x-pack/filebeat/modules.d/gsuite.yml.disabled deleted file mode 100644 index ddb160dcbac..00000000000 --- a/x-pack/filebeat/modules.d/gsuite.yml.disabled +++ /dev/null @@ -1,53 +0,0 @@ -# Module: gsuite -# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-gsuite.html - -# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. -- module: gsuite - saml: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - user_accounts: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - login: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - admin: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - drive: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - groups: - enabled: true - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h diff --git a/x-pack/filebeat/modules.d/ibmmq.yml.disabled b/x-pack/filebeat/modules.d/ibmmq.yml.disabled index 0acfa0b0bce..4ad3209a90e 100644 --- a/x-pack/filebeat/modules.d/ibmmq.yml.disabled 
+++ b/x-pack/filebeat/modules.d/ibmmq.yml.disabled @@ -4,7 +4,7 @@ - module: ibmmq # All logs errorlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/imperva.yml.disabled b/x-pack/filebeat/modules.d/imperva.yml.disabled index f5e69959cf9..cd864075960 100644 --- a/x-pack/filebeat/modules.d/imperva.yml.disabled +++ b/x-pack/filebeat/modules.d/imperva.yml.disabled @@ -3,7 +3,7 @@ - module: imperva securesphere: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/infoblox.yml.disabled b/x-pack/filebeat/modules.d/infoblox.yml.disabled index ec5385c6df7..24d524d259d 100644 --- a/x-pack/filebeat/modules.d/infoblox.yml.disabled +++ b/x-pack/filebeat/modules.d/infoblox.yml.disabled @@ -3,7 +3,7 @@ - module: infoblox nios: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/iptables.yml.disabled b/x-pack/filebeat/modules.d/iptables.yml.disabled index 833fd91537b..2d51c67f24e 100644 --- a/x-pack/filebeat/modules.d/iptables.yml.disabled +++ b/x-pack/filebeat/modules.d/iptables.yml.disabled @@ -3,7 +3,7 @@ - module: iptables log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled index 6ffe87834a4..583f47bb7f7 100644 --- a/x-pack/filebeat/modules.d/juniper.yml.disabled +++ b/x-pack/filebeat/modules.d/juniper.yml.disabled @@ -3,7 +3,7 @@ - module: juniper junos: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp 
@@ -22,7 +22,7 @@ # var.tz_offset: local netscreen: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -41,7 +41,7 @@ # var.tz_offset: local srx: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp diff --git a/x-pack/filebeat/modules.d/microsoft.yml.disabled b/x-pack/filebeat/modules.d/microsoft.yml.disabled index 43944caad29..e4af73ad6ed 100644 --- a/x-pack/filebeat/modules.d/microsoft.yml.disabled +++ b/x-pack/filebeat/modules.d/microsoft.yml.disabled @@ -4,7 +4,7 @@ - module: microsoft # ATP configuration defender_atp: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -17,7 +17,7 @@ # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" m365_defender: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -34,7 +34,7 @@ #var.oauth2.scopes: # - "https://api.security.microsoft.com/.default" dhcp: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/misp.yml.disabled b/x-pack/filebeat/modules.d/misp.yml.disabled index 610cc874073..4e405aaac70 100644 --- a/x-pack/filebeat/modules.d/misp.yml.disabled +++ b/x-pack/filebeat/modules.d/misp.yml.disabled @@ -5,7 +5,7 @@ - module: misp threat: - enabled: true + enabled: false # API key to access MISP #var.api_key diff --git a/x-pack/filebeat/modules.d/mssql.yml.disabled b/x-pack/filebeat/modules.d/mssql.yml.disabled index 3fdaac9e8a6..c8473c91dd5 100644 --- a/x-pack/filebeat/modules.d/mssql.yml.disabled +++ b/x-pack/filebeat/modules.d/mssql.yml.disabled @@ -4,7 +4,7 @@ - module: mssql # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
diff --git a/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled b/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled index c04fb9c1908..33c1731cd19 100644 --- a/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled +++ b/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled @@ -3,7 +3,7 @@ - module: mysqlenterprise audit: - enabled: true + enabled: false # Sets the input type. Currently only supports file #var.input: file diff --git a/x-pack/filebeat/modules.d/netflow.yml.disabled b/x-pack/filebeat/modules.d/netflow.yml.disabled index f0d03a1fef2..7f365e90b43 100644 --- a/x-pack/filebeat/modules.d/netflow.yml.disabled +++ b/x-pack/filebeat/modules.d/netflow.yml.disabled @@ -3,7 +3,7 @@ - module: netflow log: - enabled: true + enabled: false var: netflow_host: localhost netflow_port: 2055 diff --git a/x-pack/filebeat/modules.d/netscout.yml.disabled b/x-pack/filebeat/modules.d/netscout.yml.disabled index 988f1b98899..c6d5520629b 100644 --- a/x-pack/filebeat/modules.d/netscout.yml.disabled +++ b/x-pack/filebeat/modules.d/netscout.yml.disabled @@ -3,7 +3,7 @@ - module: netscout sightline: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/o365.yml.disabled b/x-pack/filebeat/modules.d/o365.yml.disabled index a2bdc1ecee3..ab61528d6f9 100644 --- a/x-pack/filebeat/modules.d/o365.yml.disabled +++ b/x-pack/filebeat/modules.d/o365.yml.disabled @@ -3,7 +3,7 @@ - module: o365 audit: - enabled: true + enabled: false # Set the application_id (also known as client ID): var.application_id: "" diff --git a/x-pack/filebeat/modules.d/okta.yml.disabled b/x-pack/filebeat/modules.d/okta.yml.disabled index 66965ac4ba2..062856ce4e4 100644 --- a/x-pack/filebeat/modules.d/okta.yml.disabled +++ b/x-pack/filebeat/modules.d/okta.yml.disabled 
@@ -3,7 +3,7 @@ - module: okta system: - enabled: true + enabled: false # You must configure the URL with your Okta domain and provide an # API token to access the logs API. #var.url: https://yourOktaDomain/api/v1/logs diff --git a/x-pack/filebeat/modules.d/oracle.yml.disabled b/x-pack/filebeat/modules.d/oracle.yml.disabled index d8b1d8c58e2..aa24b1f6755 100644 --- a/x-pack/filebeat/modules.d/oracle.yml.disabled +++ b/x-pack/filebeat/modules.d/oracle.yml.disabled @@ -3,7 +3,7 @@ - module: oracle database_audit: - enabled: true + enabled: false # Set which input to use between syslog or file (default). #var.input: file diff --git a/x-pack/filebeat/modules.d/panw.yml.disabled b/x-pack/filebeat/modules.d/panw.yml.disabled index 0bd5bf33419..1a630f8fb4e 100644 --- a/x-pack/filebeat/modules.d/panw.yml.disabled +++ b/x-pack/filebeat/modules.d/panw.yml.disabled @@ -3,7 +3,7 @@ - module: panw panos: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/x-pack/filebeat/modules.d/proofpoint.yml.disabled b/x-pack/filebeat/modules.d/proofpoint.yml.disabled index b0f94ac3022..34b31277086 100644 --- a/x-pack/filebeat/modules.d/proofpoint.yml.disabled +++ b/x-pack/filebeat/modules.d/proofpoint.yml.disabled @@ -3,7 +3,7 @@ - module: proofpoint emailsecurity: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/rabbitmq.yml.disabled b/x-pack/filebeat/modules.d/rabbitmq.yml.disabled index c446834f99e..437cf9a5721 100644 --- a/x-pack/filebeat/modules.d/rabbitmq.yml.disabled +++ b/x-pack/filebeat/modules.d/rabbitmq.yml.disabled @@ -4,7 +4,7 @@ - module: rabbitmq # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
diff --git a/x-pack/filebeat/modules.d/radware.yml.disabled b/x-pack/filebeat/modules.d/radware.yml.disabled index ad17e4fcd7d..553d8459127 100644 --- a/x-pack/filebeat/modules.d/radware.yml.disabled +++ b/x-pack/filebeat/modules.d/radware.yml.disabled @@ -3,7 +3,7 @@ - module: radware defensepro: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/snort.yml.disabled b/x-pack/filebeat/modules.d/snort.yml.disabled index b8abbd3e370..89d25c4b556 100644 --- a/x-pack/filebeat/modules.d/snort.yml.disabled +++ b/x-pack/filebeat/modules.d/snort.yml.disabled @@ -3,7 +3,7 @@ - module: snort log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/snyk.yml.disabled b/x-pack/filebeat/modules.d/snyk.yml.disabled index b8f62d7b885..f92cf1d71f0 100644 --- a/x-pack/filebeat/modules.d/snyk.yml.disabled +++ b/x-pack/filebeat/modules.d/snyk.yml.disabled @@ -3,7 +3,7 @@ - module: snyk audit: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # @@ -32,7 +32,7 @@ #var.email_address: "" vulnerabilities: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # How often the API should be polled. Data from the Snyk API is automatically updated diff --git a/x-pack/filebeat/modules.d/sonicwall.yml.disabled b/x-pack/filebeat/modules.d/sonicwall.yml.disabled index 975b4577c13..f267d355b37 100644 --- a/x-pack/filebeat/modules.d/sonicwall.yml.disabled +++ b/x-pack/filebeat/modules.d/sonicwall.yml.disabled @@ -3,7 +3,7 @@ - module: sonicwall firewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp 
diff --git a/x-pack/filebeat/modules.d/sophos.yml.disabled b/x-pack/filebeat/modules.d/sophos.yml.disabled index d0a7b23c632..e875354ad62 100644 --- a/x-pack/filebeat/modules.d/sophos.yml.disabled +++ b/x-pack/filebeat/modules.d/sophos.yml.disabled @@ -3,7 +3,7 @@ - module: sophos xg: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -27,7 +27,7 @@ utm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/squid.yml.disabled b/x-pack/filebeat/modules.d/squid.yml.disabled index 3656c1b8eed..81d5f6e0af0 100644 --- a/x-pack/filebeat/modules.d/squid.yml.disabled +++ b/x-pack/filebeat/modules.d/squid.yml.disabled @@ -3,7 +3,7 @@ - module: squid log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/suricata.yml.disabled b/x-pack/filebeat/modules.d/suricata.yml.disabled index d710dac848f..98e905fff23 100644 --- a/x-pack/filebeat/modules.d/suricata.yml.disabled +++ b/x-pack/filebeat/modules.d/suricata.yml.disabled @@ -4,7 +4,7 @@ - module: suricata # All logs eve: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/threatintel.yml.disabled b/x-pack/filebeat/modules.d/threatintel.yml.disabled index e150fe8835a..55f192feb11 100644 --- a/x-pack/filebeat/modules.d/threatintel.yml.disabled +++ b/x-pack/filebeat/modules.d/threatintel.yml.disabled @@ -3,7 +3,7 @@ - module: threatintel abuseurl: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -15,7 +15,7 @@ var.interval: 10m abusemalware: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson 
@@ -27,7 +27,7 @@ var.interval: 10m malwarebazaar: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -39,7 +39,7 @@ var.interval: 10m misp: - enabled: true + enabled: false # Input used for ingesting threat intel data, defaults to JSON. var.input: httpjson @@ -68,7 +68,7 @@ var.interval: 5m otx: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -95,7 +95,7 @@ var.interval: 5m anomali: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -117,7 +117,7 @@ var.interval: 5m anomalithreatstream: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: http_endpoint @@ -142,7 +142,7 @@ # var.ssl_key: path/to/ssl_key.pem recordedfuture: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson diff --git a/x-pack/filebeat/modules.d/tomcat.yml.disabled b/x-pack/filebeat/modules.d/tomcat.yml.disabled index 3dde8911ac0..dc7a8d7eadd 100644 --- a/x-pack/filebeat/modules.d/tomcat.yml.disabled +++ b/x-pack/filebeat/modules.d/tomcat.yml.disabled @@ -3,7 +3,7 @@ - module: tomcat log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/zeek.yml.disabled b/x-pack/filebeat/modules.d/zeek.yml.disabled index d1349bf1388..2ceeeea911d 100644 --- a/x-pack/filebeat/modules.d/zeek.yml.disabled +++ b/x-pack/filebeat/modules.d/zeek.yml.disabled 
@@ -3,83 +3,83 @@ - module: zeek capture_loss: - enabled: true + enabled: false connection: - enabled: true + enabled: false dce_rpc: - enabled: true + enabled: false dhcp: - enabled: true + enabled: false dnp3: - enabled: true + enabled: false dns: - enabled: true + enabled: false dpd: - enabled: true + enabled: false files: - enabled: true + enabled: false ftp: - enabled: true + enabled: false http: - enabled: true + enabled: false intel: - enabled: true + enabled: false irc: - enabled: true + enabled: false kerberos: - enabled: true + enabled: false modbus: - enabled: true + enabled: false mysql: - enabled: true + enabled: false notice: - enabled: true + enabled: false ntp: - enabled: true + enabled: false ntlm: - enabled: true + enabled: false ocsp: - enabled: true + enabled: false pe: - enabled: true + enabled: false radius: - enabled: true + enabled: false rdp: - enabled: true + enabled: false rfb: - enabled: true + enabled: false signature: - enabled: true + enabled: false sip: - enabled: true + enabled: false smb_cmd: - enabled: true + enabled: false smb_files: - enabled: true + enabled: false smb_mapping: - enabled: true + enabled: false smtp: - enabled: true + enabled: false snmp: - enabled: true + enabled: false socks: - enabled: true + enabled: false ssh: - enabled: true + enabled: false ssl: - enabled: true + enabled: false stats: - enabled: true + enabled: false syslog: - enabled: true + enabled: false traceroute: - enabled: true + enabled: false tunnel: - enabled: true + enabled: false weird: - enabled: true + enabled: false x509: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/zookeeper.yml.disabled b/x-pack/filebeat/modules.d/zookeeper.yml.disabled index 34273eacff4..f632c0de9e7 100644 --- a/x-pack/filebeat/modules.d/zookeeper.yml.disabled +++ b/x-pack/filebeat/modules.d/zookeeper.yml.disabled 
@@ -4,14 +4,14 @@ - module: zookeeper # All logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/zoom.yml.disabled b/x-pack/filebeat/modules.d/zoom.yml.disabled index f5320d112b9..a04706cf15a 100644 --- a/x-pack/filebeat/modules.d/zoom.yml.disabled +++ b/x-pack/filebeat/modules.d/zoom.yml.disabled @@ -3,7 +3,7 @@ - module: zoom webhook: - enabled: true + enabled: false # The type of input to use #var.input: http_endpoint diff --git a/x-pack/filebeat/modules.d/zscaler.yml.disabled b/x-pack/filebeat/modules.d/zscaler.yml.disabled index 2c8f03ebcc3..732a033073b 100644 --- a/x-pack/filebeat/modules.d/zscaler.yml.disabled +++ b/x-pack/filebeat/modules.d/zscaler.yml.disabled @@ -3,7 +3,7 @@ - module: zscaler zia: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/heartbeat/monitors/browser/source/zipurl.go b/x-pack/heartbeat/monitors/browser/source/zipurl.go index 400bf258910..9dc9c8ab633 100644 --- a/x-pack/heartbeat/monitors/browser/source/zipurl.go +++ b/x-pack/heartbeat/monitors/browser/source/zipurl.go @@ -14,6 +14,8 @@ import ( "path/filepath" "strings" "time" + + "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon" ) type ZipURLSource struct { 
@@ -23,13 +25,25 @@ type ZipURLSource struct { Password string `config:"password" json:"password"` Retries int `config:"retries" default:"3" json:"retries"` BaseSource - // Etag from last successful fetch - etag string TargetDirectory string `config:"target_directory" json:"target_directory"` + + // Etag from last successful fetch + etag string + + Transport httpcommon.HTTPTransportSettings `config:",inline" yaml:",inline"` + + httpClient *http.Client } var ErrNoEtag = fmt.Errorf("No ETag header in zip file response. Heartbeat requires an etag to efficiently cache downloaded code") +func (z *ZipURLSource) Validate() (err error) { + if z.httpClient == nil { + z.httpClient, _ = z.Transport.Client() + } + return err +} + func (z *ZipURLSource) Fetch() error { changed, err := checkIfChanged(z) if err != nil { @@ -181,6 +195,7 @@ func retryingZipRequest(method string, z *ZipURLSource) (resp *http.Response, er } func zipRequest(method string, z *ZipURLSource) (*http.Response, error) { + req, err := http.NewRequest(method, z.URL, nil) if err != nil { return nil, fmt.Errorf("could not issue request to: %s %w", z.URL, err) @@ -188,7 +203,7 @@ func zipRequest(method string, z *ZipURLSource) (*http.Response, error) { if z.Username != "" && z.Password != "" { req.SetBasicAuth(z.Username, z.Password) } - return http.DefaultClient.Do(req) + return z.httpClient.Do(req) } func download(z *ZipURLSource, tf *os.File) (etag string, err error) { diff --git a/x-pack/heartbeat/monitors/browser/source/zipurl_test.go b/x-pack/heartbeat/monitors/browser/source/zipurl_test.go index 2283fcf443f..9c160684642 100644 --- a/x-pack/heartbeat/monitors/browser/source/zipurl_test.go +++ b/x-pack/heartbeat/monitors/browser/source/zipurl_test.go @@ -5,9 +5,9 @@ package source import ( - "context" "fmt" "net/http" + "net/http/httptest" "os" "path" "path/filepath" 
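Review bot: `Validate` discards the error from `z.Transport.Client()` on the `z.httpClient, _ = z.Transport.Client()` line, so a transport that cannot be built (for example an unusable TLS setting) still passes validation, the named `err` result is never assigned and the method always returns nil; the later hunk's `return z.httpClient.Do(req)` then dereferences a nil client. Assign the error instead, `z.httpClient, err = z.Transport.Client()`, and keep the `return err`, or drop the named result and return the call directly. Anything that builds a `ZipURLSource` literal without going through config unpacking never calls `Validate` at all, so `zipRequest` (or `Fetch`) should also guard `if z.httpClient == nil` rather than panic. The blank line added at the top of `zipRequest`'s body in the `@@ -181,6 +195,7 @@` hunk looks accidental. `ZipURLSource`'s remaining fields and `Fetch`'s body continue outside the hunk.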
@@ -15,59 +15,121 @@ import ( "testing" "github.com/stretchr/testify/require" + "gopkg.in/yaml.v2" + "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/x-pack/heartbeat/monitors/browser/source/fixtures" ) -func TestZipUrlFetchNoAuth(t *testing.T) { - address, teardown := setupTests() - defer teardown() - - zus := &ZipURLSource{ - URL: fmt.Sprintf("http://%s/fixtures/todos.zip", address), - Folder: "/", - Retries: 3, +func TestSimpleCases(t *testing.T) { + type testCase struct { + name string + cfg common.MapStr + tlsServer bool + wantFetchErr bool + } + testCases := []testCase{ + { + "basics", + common.MapStr{ + "folder": "/", + "retries": 3, + }, + false, + false, + }, + { + "targetdir", + common.MapStr{ + "folder": "/", + "retries": 3, + "target_directory": "/tmp/synthetics/blah", + }, + false, + false, + }, + { + "auth success", + common.MapStr{ + "folder": "/", + "retries": 3, + "username": "testuser", + "password": "testpass", + }, + false, + false, + }, + { + "auth failure", + common.MapStr{ + "folder": "/", + "retries": 3, + "username": "testuser", + "password": "badpass", + }, + false, + true, + }, + { + "ssl ignore cert errors", + common.MapStr{ + "folder": "/", + "retries": 3, + "ssl": common.MapStr{ + "enabled": "true", + "verification_mode": "none", + }, + }, + true, + false, + }, + { + "bad ssl", + common.MapStr{ + "folder": "/", + "retries": 3, + "ssl": common.MapStr{ + "enabled": "true", + "certificate_authorities": []string{}, + }, + }, + true, + true, + }, } - fetchAndCheckDir(t, zus) -} -func TestZipUrlFetchWithAuth(t *testing.T) { - address, teardown := setupTests() - defer teardown() + for _, tc := range testCases { + url, teardown := setupTests(tc.tlsServer) + defer teardown() + t.Run(tc.name, func(t *testing.T) { + tc.cfg["url"] = fmt.Sprintf("%s/fixtures/todos.zip", url) + zus, err := dummyZus(tc.cfg) + require.NoError(t, err) - zus := &ZipURLSource{ - URL: fmt.Sprintf("http://%s/fixtures/todos.zip", address), - Folder: 
"/", - Retries: 3, - Username: "testuser", - Password: "testpass", - } - fetchAndCheckDir(t, zus) -} + require.NotNil(t, zus.httpClient) -func TestZipUrlTargetDirectory(t *testing.T) { - address, teardown := setupTests() - defer teardown() + if tc.wantFetchErr == true { + err := zus.Fetch() + require.Error(t, err) + return + } - zus := &ZipURLSource{ - URL: fmt.Sprintf("http://%s/fixtures/todos.zip", address), - Folder: "/", - Retries: 3, - TargetDirectory: "/tmp/synthetics/blah", + fetchAndCheckDir(t, zus) + }) } - fetchAndCheckDir(t, zus) } func TestZipUrlWithSameEtag(t *testing.T) { - address, teardown := setupTests() + address, teardown := setupTests(false) defer teardown() - zus := ZipURLSource{ - URL: fmt.Sprintf("http://%s/fixtures/todos.zip", address), - Folder: "/", - Retries: 3, - } - err := zus.Fetch() + zus, err := dummyZus(common.MapStr{ + "url": fmt.Sprintf("%s/fixtures/todos.zip", address), + "folder": "/", + "retries": 3, + }) + require.NoError(t, err) + err = zus.Fetch() defer zus.Close() require.NoError(t, err) 
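Review bot: `defer teardown()` sits inside the `for _, tc := range testCases` loop, so it runs only when `TestSimpleCases` returns; every test server started by `setupTests` stays up across all cases and the `GoOffline`/`GoOnline` pairing is unwound in reverse only at the end. Register it on the subtest instead, `t.Cleanup(teardown)` inside the `t.Run` body, or move the `setupTests(tc.tlsServer)` call into the subtest so each case owns its server. The "bad ssl" case relies on `certificate_authorities: []string{}` making the fetch fail while `require.NotNil(t, zus.httpClient)` still passes, which presumes the transport builds a client and only fails at handshake time; a short comment stating that expectation would make the case easier to maintain.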
@@ -80,32 +142,33 @@ func TestZipUrlWithSameEtag(t *testing.T) { } func TestZipUrlWithBadUrl(t *testing.T) { - _, teardown := setupTests() + _, teardown := setupTests(false) defer teardown() - zus := ZipURLSource{ - URL: "http://notahost.notadomaintoehutoeuhn", - Folder: "/", - Retries: 2, - } - err := zus.Fetch() + zus, err := dummyZus(common.MapStr{ + "url": "http://notahost.notadomaintoehutoeuhn", + "folder": "/", + "retries": 2, + }) + require.NoError(t, err) + err = zus.Fetch() defer zus.Close() require.Error(t, err) } -func setupTests() (addr string, teardown func()) { +func setupTests(tls bool) (addr string, teardown func()) { // go offline, so we dont invoke npm install for unit tests GoOffline() - srv := createServer() - address := srv.Addr + srv := createServer(tls) + address := srv.URL return address, func() { GoOnline() - srv.Shutdown(context.Background()) + srv.Close() } } -func createServer() (addr *http.Server) { +func createServer(tls bool) (addr *httptest.Server) { _, filename, _, _ := runtime.Caller(0) fixturesPath := path.Join(filepath.Dir(filename), "fixtures") fileServer := http.FileServer(http.Dir(fixturesPath)) @@ -121,10 +184,12 @@ func createServer() (addr *http.Server) { http.StripPrefix("/fixtures", fileServer).ServeHTTP(resp, req) }) - srv := &http.Server{Addr: "localhost:1234", Handler: mux} - go func() { - srv.ListenAndServe() - }() + var srv *httptest.Server + if tls { + srv = httptest.NewTLSServer(mux) + } else { + srv = httptest.NewServer(mux) + } return srv } @@ -140,3 +205,14 @@ func fetchAndCheckDir(t *testing.T, zip *ZipURLSource) { _, err = os.Stat(zip.TargetDirectory) require.True(t, os.IsNotExist(err), "TargetDirectory %s should have been deleted", zip.TargetDirectory) } + +func dummyZus(conf map[string]interface{}) (*ZipURLSource, error) { + zus := &ZipURLSource{} + y, _ := yaml.Marshal(conf) + c, err := common.NewConfigWithYAML(y, string(y)) + if err != nil { + return nil, err + } + err = c.Unpack(zus) + return zus, err +} 
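Review bot: `y, _ := yaml.Marshal(conf)` in `dummyZus` drops the marshal error, so a config that cannot be serialized reaches `common.NewConfigWithYAML` as an empty document and the failure shows up later as an unrelated unpack or fetch error; check it with `y, err := yaml.Marshal(conf)` followed by `if err != nil { return nil, err }`. In the `createServer` hunk the named result `addr` now holds an `*httptest.Server` rather than an address, so renaming it to `srv` (or dropping the named result) would match the body; `createServer`'s body is split across two hunks here.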
diff --git a/x-pack/libbeat/persistentcache/store.go b/x-pack/libbeat/persistentcache/store.go index e14b90fedda..a114a51cc3f 100644 --- a/x-pack/libbeat/persistentcache/store.go +++ b/x-pack/libbeat/persistentcache/store.go @@ -10,7 +10,7 @@ import ( "path/filepath" "time" - badger "github.com/dgraph-io/badger/v2" + badger "github.com/dgraph-io/badger/v3" "github.com/elastic/beats/v7/libbeat/logp" ) diff --git a/x-pack/metricbeat/module/gcp/billing/_meta/docs.asciidoc b/x-pack/metricbeat/module/gcp/billing/_meta/docs.asciidoc index ccf26a17600..d66330f927f 100644 --- a/x-pack/metricbeat/module/gcp/billing/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/gcp/billing/_meta/docs.asciidoc @@ -27,7 +27,7 @@ tax, adjustment, or rounding error. Default to `regular`. === Configuration example [source,yaml] ---- -- module: googlecloud +- module: gcp metricsets: - billing period: 24h diff --git a/x-pack/metricbeat/module/gcp/metrics/_meta/docs.asciidoc b/x-pack/metricbeat/module/gcp/metrics/_meta/docs.asciidoc index 157e336e08b..45b5be522a0 100644 --- a/x-pack/metricbeat/module/gcp/metrics/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/gcp/metrics/_meta/docs.asciidoc @@ -58,7 +58,7 @@ given aggregation aligner applied for each metric type. + [source,yaml] ---- -- module: googlecloud +- module: gcp metricsets: - metrics zone: "europe-west1-c" @@ -91,7 +91,7 @@ ignored. + [source,yaml] ---- -- module: googlecloud +- module: gcp metricsets: - metrics zone: "europe-west1-c" @@ -125,7 +125,7 @@ every minute with no aggregation. The metric types in `compute` service with + [source,yaml] ---- -- module: googlecloud +- module: gcp metricsets: - metrics zone: "europe-west1-c" @@ -149,7 +149,7 @@ metric prefix, as for GKE metrics the required prefix is `kubernetes.io/` + [source,yaml] ---- -- module: googlecloud +- module: gcp metricsets: - metrics zone: "europe-west1-c" 
diff --git a/x-pack/osquerybeat/beater/logger_plugin.go b/x-pack/osquerybeat/beater/logger_plugin.go index bbf327eef44..deefbc6d9b0 100644 --- a/x-pack/osquerybeat/beater/logger_plugin.go +++ b/x-pack/osquerybeat/beater/logger_plugin.go @@ -35,15 +35,19 @@ const osqueryLogMessageFieldsCount = 6 type osqLogSeverity int +// The severity levels are taken from osquery source +// https://github.com/osquery/osquery/blob/master/osquery/core/plugins/logger.h#L39 +// enum StatusLogSeverity { +// O_INFO = 0, +// O_WARNING = 1, +// O_ERROR = 2, +// O_FATAL = 3, +// }; const ( - severityEmerg osqLogSeverity = iota - severityAlert - severityCrit - severityErr - severityWarn - severityNotice - severityInfo - severityDebug + severityInfo osqLogSeverity = iota + severityWarning + severityError + severityFatal ) func (m *osqueryLogMessage) Log(typ logger.LogType, log *logp.Logger) { @@ -65,14 +69,12 @@ func (m *osqueryLogMessage) Log(typ logger.LogType, log *logp.Logger) { args = append(args, m.UnixTime) switch osqLogSeverity(m.Severity) { - case severityEmerg, severityAlert, severityCrit: + case severityError, severityFatal: log.Errorw(m.Message, args...) - case severityWarn, severityNotice: + case severityWarning: log.Warnw(m.Message, args...) case severityInfo: log.Infow(m.Message, args...) - case severityDebug: - log.Debugw(m.Message, args...) default: log.Debugw(m.Message, args...) } diff --git a/x-pack/osquerybeat/beater/osquerybeat.go b/x-pack/osquerybeat/beater/osquerybeat.go index 6e1406b739f..5e5923bc909 100644 --- a/x-pack/osquerybeat/beater/osquerybeat.go +++ b/x-pack/osquerybeat/beater/osquerybeat.go @@ -194,7 +194,7 @@ func (bt *osquerybeat) Run(b *beat.Beat) error { for { select { case <-ctx.Done(): - bt.log.Info("context cancelled, exiting") + bt.log.Info("osquerybeat context cancelled, exiting") return ctx.Err() case inputConfigs := <-inputConfigCh: bt.pub.Configure(inputConfigs) 
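Review bot: The new comment above the `osqLogSeverity` constants links to `master` with a `#L39` line anchor, which drifts as upstream changes; pin the reference to a specific commit or tag, e.g. `// https://github.com/osquery/osquery/blob/<osquery-commit-sha>/osquery/core/plugins/logger.h#L39`. Because the enum shrinks from eight named levels to four, any `m.Severity` outside 0–3 now falls through to the `default` branch in the second hunk and is emitted at debug level, where it is easy to miss; a one-line comment on that `default` case noting that unknown severities are demoted to debug would record the choice. The `Log` method continues outside the hunk.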
@@ -258,11 +258,6 @@ func (bt *osquerybeat) runOsquery(ctx context.Context, b *beat.Beat, osq *osqd.O bt.handleSnapshotResult(ctx, cli, configPlugin, res) }) - // Run extensions - g.Go(func() error { - return runExtensionServer(ctx, socketPath, configPlugin, loggerPlugin, osqueryTimeout) - }) - // Run main loop g.Go(func() error { // Connect to osqueryd @@ -272,6 +267,11 @@ func (bt *osquerybeat) runOsquery(ctx context.Context, b *beat.Beat, osq *osqd.O } defer cli.Close() + // Run extensions only after succesful connect, otherwise the extension server fails with windows pipes if the pipe was not created by osqueryd yet + g.Go(func() error { + return runExtensionServer(ctx, socketPath, configPlugin, loggerPlugin, osqueryTimeout) + }) + // Register action handler ah := bt.registerActionHandler(b, cli) defer bt.unregisterActionHandler(b, ah) @@ -280,7 +280,7 @@ func (bt *osquerybeat) runOsquery(ctx context.Context, b *beat.Beat, osq *osqd.O for { select { case <-ctx.Done(): - bt.log.Info("context cancelled, exiting") + bt.log.Info("runOsquery context cancelled, exiting") return ctx.Err() case inputConfigs := <-inputCh: err = configPlugin.Set(inputConfigs) From aa1d6540f494d5a549972b9e6db7c576608db324 Mon Sep 17 00:00:00 2001 
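Review bot: The comment introduced in the `@@ -272,6 +267,11 @@` hunk has a typo, `succesful`; it should read `// Run extensions only after successful connect, otherwise the extension server fails with windows pipes if the pipe was not created by osqueryd yet`. Since the extension server is now started from inside another `g.Go` closure, it is worth stating in that comment that the nested `g.Go` is intentional and that the outer goroutine keeps the group alive until the extension goroutine is registered; this presumes `g.Wait()` is reached only after this closure returns, which is outside the hunk. `runOsquery` starts and ends outside these hunks.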
From: Premendra Singh Date: Thu, 16 Sep 2021 09:16:54 -0700 Subject: [PATCH 23/63] Revert "Merge remote-tracking branch 'beats_upstream/master' into openmetrics-collector" This reverts commit ea797f09e61f19ff59cd48817102e354fdae62e9. --- .ci/packaging.groovy | 1 + CHANGELOG-developer.next.asciidoc | 1 - CHANGELOG.asciidoc | 6 - CHANGELOG.next.asciidoc | 18 +- NOTICE.txt | 75 +- .../module/file_integrity/metricset_test.go | 2 +- auditbeat/module/file_integrity/scanner.go | 5 - deploy/kubernetes/metricbeat-kubernetes.yaml | 3 - .../metricbeat-daemonset-configmap.yaml | 3 - dev-tools/ecs-migration.yml | 160 +- dev-tools/mage/check.go | 9 - dev-tools/mage/common.go | 47 - dev-tools/mage/crossbuild.go | 4 +- dev-tools/mage/modules.go | 70 - dev-tools/mage/pkg.go | 36 - dev-tools/mage/semver.go | 67 - dev-tools/vagrant_scripts/winProvision.ps1 | 4 +- filebeat/autodiscover/builder/hints/logs.go | 2 +- .../autodiscover/builder/hints/logs_test.go | 32 +- filebeat/beater/filebeat.go | 13 - filebeat/docs/fields.asciidoc | 29842 ++++++++++------ .../docs/filebeat-modules-options.asciidoc | 4 - filebeat/docs/filebeat-options.asciidoc | 3 - filebeat/docs/getting-started.asciidoc | 5 +- filebeat/docs/inputs/input-journald.asciidoc | 223 - filebeat/docs/modules/aws.asciidoc | 23 - filebeat/docs/modules/cyberark.asciidoc | 79 + filebeat/docs/modules/gsuite.asciidoc | 146 + filebeat/docs/modules/sophos.asciidoc | 8 +- filebeat/docs/modules_list.asciidoc | 4 + filebeat/filebeat.reference.yml | 30 +- filebeat/fileset/compatibility.go | 26 +- filebeat/fileset/compatibility_test.go | 116 +- filebeat/fileset/modules.go | 75 +- filebeat/fileset/modules_integration_test.go | 8 +- filebeat/fileset/modules_test.go | 180 +- filebeat/input/default-inputs/inputs_linux.go | 11 +- filebeat/input/filestream/input.go | 22 +- .../filestream/parsers_integration_test.go | 6 - filebeat/input/journald/input_stub.go | 30 - filebeat/input/v2/simplemanager.go | 6 +- filebeat/magefile.go | 25 +- 
filebeat/module/apache/_meta/config.yml | 4 +- filebeat/module/apache/_meta/fields.yml | 128 + filebeat/module/apache/fields.go | 2 +- filebeat/module/apache2/module.yml | 1 + filebeat/module/auditd/_meta/config.yml | 2 +- .../module/elasticsearch/_meta/config.yml | 10 +- filebeat/module/haproxy/_meta/config.yml | 2 +- filebeat/module/icinga/_meta/config.yml | 6 +- filebeat/module/iis/_meta/config.yml | 6 +- filebeat/module/kafka/_meta/config.yml | 2 +- filebeat/module/kibana/_meta/config.yml | 4 +- filebeat/module/logstash/_meta/config.yml | 4 +- filebeat/module/mongodb/_meta/config.yml | 2 +- filebeat/module/mysql/_meta/config.yml | 4 +- filebeat/module/nats/_meta/config.yml | 2 +- filebeat/module/nginx/_meta/config.yml | 4 +- .../module/osquery/_meta/config.reference.yml | 6 +- filebeat/module/osquery/_meta/config.yml | 2 +- filebeat/module/pensando/_meta/config.yml | 2 +- filebeat/module/postgresql/_meta/config.yml | 2 +- filebeat/module/redis/_meta/config.yml | 4 +- filebeat/module/santa/_meta/config.yml | 2 +- filebeat/module/system/_meta/config.yml | 4 +- filebeat/module/traefik/_meta/config.yml | 2 +- filebeat/modules.d/apache.yml.disabled | 4 +- filebeat/modules.d/auditd.yml.disabled | 2 +- filebeat/modules.d/elasticsearch.yml.disabled | 10 +- filebeat/modules.d/haproxy.yml.disabled | 2 +- filebeat/modules.d/icinga.yml.disabled | 6 +- filebeat/modules.d/iis.yml.disabled | 6 +- filebeat/modules.d/kafka.yml.disabled | 2 +- filebeat/modules.d/kibana.yml.disabled | 4 +- filebeat/modules.d/logstash.yml.disabled | 4 +- filebeat/modules.d/mongodb.yml.disabled | 2 +- filebeat/modules.d/mysql.yml.disabled | 4 +- filebeat/modules.d/nats.yml.disabled | 2 +- filebeat/modules.d/nginx.yml.disabled | 4 +- filebeat/modules.d/osquery.yml.disabled | 2 +- filebeat/modules.d/pensando.yml.disabled | 2 +- filebeat/modules.d/postgresql.yml.disabled | 2 +- filebeat/modules.d/redis.yml.disabled | 4 +- filebeat/modules.d/santa.yml.disabled | 2 +- 
filebeat/modules.d/system.yml.disabled | 4 +- filebeat/modules.d/traefik.yml.disabled | 2 +- filebeat/scripts/mage/build.go | 85 - filebeat/tests/system/test_modules.py | 24 +- go.mod | 7 +- go.sum | 30 +- .../docs/monitors/monitor-browser.asciidoc | 6 +- heartbeat/hbtest/hbtestutil.go | 9 - heartbeat/monitors/active/http/http_test.go | 106 - heartbeat/tests/system/test_monitor.py | 82 + libbeat/cmd/instance/beat_test.go | 17 +- libbeat/cmd/instance/metrics/metrics.go | 3 +- libbeat/common/encoding/xml/decode.go | 2 +- libbeat/common/encoding/xml/decode_test.go | 14 +- libbeat/dashboards/decode.go | 46 +- libbeat/dashboards/modify_json.go | 202 +- libbeat/dashboards/modify_json_test.go | 29 +- libbeat/docs/shared-docker.asciidoc | 5 +- .../metric/system/cgroup/cgcommon/metrics.go | 1 + libbeat/metric/system/cgroup/cgstats.go | 8 +- libbeat/metric/system/cpu/cpu.go | 5 +- .../metric/system/diskio/diskstat_linux.go | 6 +- libbeat/metric/system/numcpu/cpu_bsd.go | 55 - libbeat/metric/system/numcpu/cpu_cgo.go | 26 - libbeat/metric/system/numcpu/cpu_linux.go | 93 - .../metric/system/numcpu/cpu_linux_test.go | 49 - libbeat/metric/system/numcpu/cpu_other.go | 26 - libbeat/metric/system/numcpu/cpu_windows.go | 38 - libbeat/metric/system/numcpu/numcpu.go | 46 - libbeat/metric/system/numcpu/numcpu_test.go | 40 - libbeat/metric/system/process/process.go | 3 +- .../processors/decode_xml/decode_xml_test.go | 35 - libbeat/reader/message.go | 19 - libbeat/reader/message_test.go | 66 - libbeat/reader/readfile/bench_test.go | 83 - libbeat/reader/readfile/line.go | 32 +- libbeat/reader/readfile/metafields.go | 4 +- libbeat/reader/readfile/metafields_test.go | 4 +- metricbeat/docs/fields.asciidoc | 137 + metricbeat/mb/module/wrapper.go | 4 +- .../module/docker/diskio/_meta/fields.yml | 21 +- metricbeat/module/docker/diskio/data.go | 3 + metricbeat/module/docker/fields.go | 2 +- .../module/docker/network/_meta/fields.yml | 46 + metricbeat/module/docker/network/data.go | 14 + 
metricbeat/module/system/load/load.go | 5 +- monitors.d/plaintodos.yml | 12 - testing/environments/docker/kafka/Dockerfile | 8 +- .../environments/docker/kafka/healthcheck.sh | 2 +- x-pack/elastic-agent/CHANGELOG.next.asciidoc | 4 - .../pkg/agent/application/application.go | 3 +- .../handlers/handler_action_settings.go | 5 +- .../handlers/handler_action_upgrade.go | 3 +- .../pkg/agent/application/reexec/manager.go | 15 +- .../pkg/agent/application/upgrade/upgrade.go | 113 +- .../agent/application/upgrade/upgrade_test.go | 56 - x-pack/elastic-agent/pkg/agent/cmd/run.go | 2 +- x-pack/elastic-agent/pkg/agent/cmd/status.go | 9 +- .../pkg/agent/cmd/status_test.go | 125 - .../pkg/agent/control/server/server.go | 6 +- .../pkg/agent/install/perms_unix.go | 3 - .../pkg/agent/install/perms_windows.go | 3 - .../pkg/agent/operation/operator.go | 6 +- .../pkg/agent/program/supported.go | 2 +- .../artifact/download/snapshot/downloader.go | 13 +- x-pack/elastic-agent/pkg/release/version.go | 15 +- x-pack/elastic-agent/spec/filebeat.yml | 1 - .../docs/inputs/input-httpjson.asciidoc | 7 +- x-pack/filebeat/filebeat.reference.yml | 396 +- x-pack/filebeat/include/list.go | 2 + x-pack/filebeat/input/awss3/config.go | 4 +- x-pack/filebeat/input/awss3/config_test.go | 8 +- .../httpjson/internal/v2/config_response.go | 15 +- .../input/httpjson/internal/v2/pagination.go | 2 +- .../input/httpjson/internal/v2/request.go | 2 +- .../input/httpjson/internal/v2/split.go | 77 +- .../input/httpjson/internal/v2/split_test.go | 264 - .../httpjson/internal/v2/transform_set.go | 26 +- .../internal/v2/transform_set_test.go | 52 +- .../httpjson/internal/v2/transform_test.go | 4 +- x-pack/filebeat/magefile.go | 5 +- .../filebeat/module/activemq/_meta/config.yml | 4 +- .../filebeat/module/aws/_meta/docs.asciidoc | 23 - .../0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json | 150 +- .../513a3d70-4482-11ea-ad63-791a5dc86f10.json | 185 +- .../dae24080-739a-11ea-a345-f985c61fe654.json | 144 +- 
x-pack/filebeat/module/azure/_meta/config.yml | 2 +- .../module/barracuda/_meta/config.yml | 4 +- .../filebeat/module/bluecoat/_meta/config.yml | 2 +- x-pack/filebeat/module/cef/_meta/config.yml | 2 +- .../module/checkpoint/_meta/config.yml | 2 +- x-pack/filebeat/module/cisco/_meta/config.yml | 14 +- .../module/cisco/asa/_meta/fields.yml | 12 - .../cisco/asa/test/additional_messages.log | 9 +- .../additional_messages.log-expected.json | 509 +- .../cisco/asa/test/asa-fix.log-expected.json | 21 +- .../cisco/asa/test/asa.log-expected.json | 268 +- .../cisco/asa/test/filtered.log-expected.json | 1 - .../asa/test/hostnames.log-expected.json | 1 - .../cisco/asa/test/not-ip.log-expected.json | 2 - .../filebeat/module/cisco/asa/test/sample.log | 15 - .../cisco/asa/test/sample.log-expected.json | 1151 +- x-pack/filebeat/module/cisco/fields.go | 2 +- .../module/cisco/ftd/_meta/fields.yml | 6 - .../cisco/ftd/test/asa-fix.log-expected.json | 16 +- .../cisco/ftd/test/asa.log-expected.json | 268 +- .../cisco/ftd/test/dns.log-expected.json | 21 - .../ftd/test/intrusion.log-expected.json | 4 - .../cisco/ftd/test/not-ip.log-expected.json | 2 - .../cisco/ftd/test/sample.log-expected.json | 66 +- .../security-connection.log-expected.json | 10 - .../security-file-malware.log-expected.json | 10 - .../security-malware-site.log-expected.json | 1 - .../cisco/shared/ingest/asa-ftd-pipeline.yml | 125 +- .../filebeat/module/coredns/_meta/config.yml | 2 +- .../module/crowdstrike/_meta/config.yml | 2 +- x-pack/filebeat/module/cyberark/README.md | 7 + .../filebeat/module/cyberark/_meta/config.yml | 21 + .../module/cyberark/_meta/docs.asciidoc | 66 + .../filebeat/module/cyberark/_meta/fields.yml | 5 + .../module/cyberark/corepas/_meta/fields.yml | 2637 ++ .../module/cyberark/corepas/config/input.yml | 87 + .../cyberark/corepas/config/liblogparser.js | 2514 ++ .../cyberark/corepas/config/pipeline.js | 6239 ++++ .../cyberark/corepas/ingest/pipeline.yml | 64 + 
.../module/cyberark/corepas/manifest.yml | 31 + .../cyberark/corepas/test/generated.log | 100 + .../corepas/test/generated.log-expected.json | 5584 +++ x-pack/filebeat/module/cyberark/fields.go | 23 + .../module/cyberarkpas/_meta/config.yml | 2 +- .../dashboard/Filebeat-cyberarkpas-audit.json | 398 +- .../filebeat/module/cylance/_meta/config.yml | 2 +- .../module/envoyproxy/_meta/config.yml | 2 +- x-pack/filebeat/module/f5/_meta/config.yml | 4 +- .../filebeat/module/fortinet/_meta/config.yml | 8 +- x-pack/filebeat/module/gcp/_meta/config.yml | 6 +- .../a97de660-73a5-11ea-a345-f985c61fe654.json | 144 +- .../module/google_workspace/_meta/config.yml | 12 +- .../module/googlecloud/_meta/config.yml | 55 + x-pack/filebeat/module/googlecloud/module.yml | 1 + .../filebeat/module/gsuite/_meta/config.yml | 50 + .../module/gsuite/_meta/docs.asciidoc | 133 + .../filebeat/module/gsuite/_meta/fields.yml | 42 + .../module/gsuite/admin/_meta/fields.yml | 271 + .../module/gsuite/admin/config/config.yml | 54 + .../module/gsuite/admin/config/pipeline.js | 967 + .../filebeat/module/gsuite/admin/manifest.yml | 25 + .../gsuite-admin-application-test.json.log | 9 + ...in-application-test.json.log-expected.json | 499 + .../test/gsuite-admin-calendar-test.json.log | 13 + ...admin-calendar-test.json.log-expected.json | 702 + .../test/gsuite-admin-chat-test.json.log | 4 + ...ite-admin-chat-test.json.log-expected.json | 215 + .../test/gsuite-admin-chromeos-test.json.log | 21 + ...admin-chromeos-test.json.log-expected.json | 1132 + .../test/gsuite-admin-contacts-test.json.log | 1 + ...admin-contacts-test.json.log-expected.json | 58 + .../gsuite-admin-delegatedadmin-test.json.log | 8 + ...delegatedadmin-test.json.log-expected.json | 430 + .../test/gsuite-admin-docs-test.json.log | 3 + ...ite-admin-docs-test.json.log-expected.json | 176 + .../test/gsuite-admin-domain-test.json.log | 85 + ...e-admin-domain-test.json.log-expected.json | 4459 +++ .../test/gsuite-admin-gmail-test.json.log | 9 + 
...te-admin-gmail-test.json.log-expected.json | 497 + .../test/gsuite-admin-groups-test.json.log | 14 + ...e-admin-groups-test.json.log-expected.json | 798 + .../test/gsuite-admin-licenses-test.json.log | 8 + ...admin-licenses-test.json.log-expected.json | 440 + .../test/gsuite-admin-mobile-test.json.log | 31 + ...e-admin-mobile-test.json.log-expected.json | 1688 + .../admin/test/gsuite-admin-org-test.json.log | 17 + ...uite-admin-org-test.json.log-expected.json | 890 + .../test/gsuite-admin-security-test.json.log | 24 + ...admin-security-test.json.log-expected.json | 1309 + .../test/gsuite-admin-sites-test.json.log | 5 + ...te-admin-sites-test.json.log-expected.json | 275 + .../test/gsuite-admin-user-test.json.log | 74 + ...ite-admin-user-test.json.log-expected.json | 4198 +++ .../filebeat/module/gsuite/config/common.js | 86 + .../module/gsuite/drive/_meta/fields.yml | 89 + .../module/gsuite/drive/config/config.yml | 54 + .../module/gsuite/drive/config/pipeline.js | 191 + .../filebeat/module/gsuite/drive/manifest.yml | 25 + .../drive/test/gsuite-drive-test.json.log | 28 + .../gsuite-drive-test.json.log-expected.json | 1801 + x-pack/filebeat/module/gsuite/fields.go | 23 + .../module/gsuite/groups/_meta/fields.yml | 57 + .../module/gsuite/groups/config/config.yml | 54 + .../module/gsuite/groups/config/pipeline.js | 223 + .../module/gsuite/groups/manifest.yml | 25 + .../groups/test/gsuite-groups-test.json.log | 25 + .../gsuite-groups-test.json.log-expected.json | 1476 + .../filebeat/module/gsuite/ingest/common.yml | 33 + .../module/gsuite/login/_meta/fields.yml | 21 + .../module/gsuite/login/config/config.yml | 54 + .../module/gsuite/login/config/pipeline.js | 117 + .../filebeat/module/gsuite/login/manifest.yml | 25 + .../login/test/gsuite-login-test.json.log | 14 + .../gsuite-login-test.json.log-expected.json | 738 + .../module/gsuite/saml/_meta/fields.yml | 27 + .../module/gsuite/saml/config/config.yml | 54 + .../module/gsuite/saml/config/pipeline.js | 53 + 
.../filebeat/module/gsuite/saml/manifest.yml | 25 + .../saml/test/gsuite-saml-test.json.log | 2 + .../gsuite-saml-test.json.log-expected.json | 116 + .../gsuite/user_accounts/config/config.yml | 54 + .../gsuite/user_accounts/config/pipeline.js | 24 + .../module/gsuite/user_accounts/manifest.yml | 25 + .../test/gsuite-user_accounts-test.json.log | 8 + ...-user_accounts-test.json.log-expected.json | 410 + x-pack/filebeat/module/ibmmq/_meta/config.yml | 2 +- .../filebeat/module/imperva/_meta/config.yml | 2 +- .../filebeat/module/infoblox/_meta/config.yml | 2 +- .../filebeat/module/iptables/_meta/config.yml | 2 +- .../filebeat/module/juniper/_meta/config.yml | 6 +- .../module/microsoft/_meta/config.yml | 6 +- x-pack/filebeat/module/misp/_meta/config.yml | 2 +- x-pack/filebeat/module/mssql/_meta/config.yml | 2 +- .../module/mysqlenterprise/_meta/config.yml | 2 +- .../filebeat/module/netflow/_meta/config.yml | 2 +- .../filebeat/module/netscout/_meta/config.yml | 2 +- x-pack/filebeat/module/o365/_meta/config.yml | 2 +- .../dbae13c0-685c-11ea-8d6a-292ef5d68366.json | 158 +- x-pack/filebeat/module/okta/_meta/config.yml | 2 +- .../281ca660-67b1-11ea-a76f-bf44814e437d.json | 165 +- .../filebeat/module/oracle/_meta/config.yml | 2 +- x-pack/filebeat/module/panw/_meta/config.yml | 2 +- .../module/proofpoint/_meta/config.yml | 2 +- .../filebeat/module/rabbitmq/_meta/config.yml | 2 +- .../filebeat/module/radware/_meta/config.yml | 2 +- x-pack/filebeat/module/snort/_meta/config.yml | 2 +- x-pack/filebeat/module/snyk/_meta/config.yml | 4 +- .../module/sonicwall/_meta/config.yml | 2 +- .../filebeat/module/sophos/_meta/config.yml | 4 +- .../module/sophos/_meta/docs.asciidoc | 8 +- x-pack/filebeat/module/squid/_meta/config.yml | 2 +- .../filebeat/module/suricata/_meta/config.yml | 2 +- .../module/threatintel/_meta/config.yml | 16 +- .../63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json | 180 +- .../ec5aa090-df42-11eb-8f2b-753caedf727d.json | 170 +- .../filebeat/module/tomcat/_meta/config.yml | 
2 +- x-pack/filebeat/module/zeek/_meta/config.yml | 78 +- .../module/zookeeper/_meta/config.yml | 4 +- x-pack/filebeat/module/zoom/_meta/config.yml | 2 +- .../filebeat/module/zscaler/_meta/config.yml | 2 +- .../filebeat/modules.d/activemq.yml.disabled | 4 +- x-pack/filebeat/modules.d/azure.yml.disabled | 2 +- .../filebeat/modules.d/barracuda.yml.disabled | 4 +- .../filebeat/modules.d/bluecoat.yml.disabled | 2 +- x-pack/filebeat/modules.d/cef.yml.disabled | 2 +- .../modules.d/checkpoint.yml.disabled | 2 +- x-pack/filebeat/modules.d/cisco.yml.disabled | 14 +- .../filebeat/modules.d/coredns.yml.disabled | 2 +- .../modules.d/crowdstrike.yml.disabled | 2 +- .../filebeat/modules.d/cyberark.yml.disabled | 24 + .../modules.d/cyberarkpas.yml.disabled | 2 +- .../filebeat/modules.d/cylance.yml.disabled | 2 +- .../modules.d/envoyproxy.yml.disabled | 2 +- x-pack/filebeat/modules.d/f5.yml.disabled | 4 +- .../filebeat/modules.d/fortinet.yml.disabled | 8 +- x-pack/filebeat/modules.d/gcp.yml.disabled | 6 +- .../modules.d/google_workspace.yml.disabled | 12 +- .../modules.d/googlecloud.yml.disabled | 58 + x-pack/filebeat/modules.d/gsuite.yml.disabled | 53 + x-pack/filebeat/modules.d/ibmmq.yml.disabled | 2 +- .../filebeat/modules.d/imperva.yml.disabled | 2 +- .../filebeat/modules.d/infoblox.yml.disabled | 2 +- .../filebeat/modules.d/iptables.yml.disabled | 2 +- .../filebeat/modules.d/juniper.yml.disabled | 6 +- .../filebeat/modules.d/microsoft.yml.disabled | 6 +- x-pack/filebeat/modules.d/misp.yml.disabled | 2 +- x-pack/filebeat/modules.d/mssql.yml.disabled | 2 +- .../modules.d/mysqlenterprise.yml.disabled | 2 +- .../filebeat/modules.d/netflow.yml.disabled | 2 +- .../filebeat/modules.d/netscout.yml.disabled | 2 +- x-pack/filebeat/modules.d/o365.yml.disabled | 2 +- x-pack/filebeat/modules.d/okta.yml.disabled | 2 +- x-pack/filebeat/modules.d/oracle.yml.disabled | 2 +- x-pack/filebeat/modules.d/panw.yml.disabled | 2 +- .../modules.d/proofpoint.yml.disabled | 2 +- 
.../filebeat/modules.d/rabbitmq.yml.disabled | 2 +- .../filebeat/modules.d/radware.yml.disabled | 2 +- x-pack/filebeat/modules.d/snort.yml.disabled | 2 +- x-pack/filebeat/modules.d/snyk.yml.disabled | 4 +- .../filebeat/modules.d/sonicwall.yml.disabled | 2 +- x-pack/filebeat/modules.d/sophos.yml.disabled | 4 +- x-pack/filebeat/modules.d/squid.yml.disabled | 2 +- .../filebeat/modules.d/suricata.yml.disabled | 2 +- .../modules.d/threatintel.yml.disabled | 16 +- x-pack/filebeat/modules.d/tomcat.yml.disabled | 2 +- x-pack/filebeat/modules.d/zeek.yml.disabled | 78 +- .../filebeat/modules.d/zookeeper.yml.disabled | 4 +- x-pack/filebeat/modules.d/zoom.yml.disabled | 2 +- .../filebeat/modules.d/zscaler.yml.disabled | 2 +- .../monitors/browser/source/zipurl.go | 21 +- .../monitors/browser/source/zipurl_test.go | 186 +- x-pack/libbeat/persistentcache/store.go | 2 +- .../module/gcp/billing/_meta/docs.asciidoc | 2 +- .../module/gcp/metrics/_meta/docs.asciidoc | 8 +- x-pack/osquerybeat/beater/logger_plugin.go | 26 +- x-pack/osquerybeat/beater/osquerybeat.go | 14 +- 386 files changed, 63546 insertions(+), 19101 deletions(-) delete mode 100644 dev-tools/mage/semver.go delete mode 100644 filebeat/docs/inputs/input-journald.asciidoc create mode 100644 filebeat/docs/modules/cyberark.asciidoc create mode 100644 filebeat/docs/modules/gsuite.asciidoc delete mode 100644 filebeat/input/journald/input_stub.go create mode 100644 filebeat/module/apache2/module.yml delete mode 100644 filebeat/scripts/mage/build.go delete mode 100644 libbeat/metric/system/numcpu/cpu_bsd.go delete mode 100644 libbeat/metric/system/numcpu/cpu_cgo.go delete mode 100644 libbeat/metric/system/numcpu/cpu_linux.go delete mode 100644 libbeat/metric/system/numcpu/cpu_linux_test.go delete mode 100644 libbeat/metric/system/numcpu/cpu_other.go delete mode 100644 libbeat/metric/system/numcpu/cpu_windows.go delete mode 100644 libbeat/metric/system/numcpu/numcpu.go delete mode 100644 
libbeat/metric/system/numcpu/numcpu_test.go delete mode 100644 libbeat/reader/message_test.go delete mode 100644 libbeat/reader/readfile/bench_test.go delete mode 100644 monitors.d/plaintodos.yml delete mode 100644 x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade_test.go delete mode 100644 x-pack/elastic-agent/pkg/agent/cmd/status_test.go create mode 100644 x-pack/filebeat/module/cyberark/README.md create mode 100644 x-pack/filebeat/module/cyberark/_meta/config.yml create mode 100644 x-pack/filebeat/module/cyberark/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/cyberark/_meta/fields.yml create mode 100644 x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml create mode 100644 x-pack/filebeat/module/cyberark/corepas/config/input.yml create mode 100644 x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js create mode 100644 x-pack/filebeat/module/cyberark/corepas/config/pipeline.js create mode 100644 x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/cyberark/corepas/manifest.yml create mode 100644 x-pack/filebeat/module/cyberark/corepas/test/generated.log create mode 100644 x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json create mode 100644 x-pack/filebeat/module/cyberark/fields.go create mode 100644 x-pack/filebeat/module/googlecloud/_meta/config.yml create mode 100644 x-pack/filebeat/module/googlecloud/module.yml create mode 100644 x-pack/filebeat/module/gsuite/_meta/config.yml create mode 100644 x-pack/filebeat/module/gsuite/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/gsuite/_meta/fields.yml create mode 100644 x-pack/filebeat/module/gsuite/admin/_meta/fields.yml create mode 100644 x-pack/filebeat/module/gsuite/admin/config/config.yml create mode 100644 x-pack/filebeat/module/gsuite/admin/config/pipeline.js create mode 100644 x-pack/filebeat/module/gsuite/admin/manifest.yml create mode 100644 
x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log create mode 100644 
x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/config/common.js create mode 100644 x-pack/filebeat/module/gsuite/drive/_meta/fields.yml create mode 100644 x-pack/filebeat/module/gsuite/drive/config/config.yml create mode 100644 x-pack/filebeat/module/gsuite/drive/config/pipeline.js create mode 100644 x-pack/filebeat/module/gsuite/drive/manifest.yml create mode 100644 x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/fields.go create mode 100644 x-pack/filebeat/module/gsuite/groups/_meta/fields.yml create mode 100644 
x-pack/filebeat/module/gsuite/groups/config/config.yml create mode 100644 x-pack/filebeat/module/gsuite/groups/config/pipeline.js create mode 100644 x-pack/filebeat/module/gsuite/groups/manifest.yml create mode 100644 x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/ingest/common.yml create mode 100644 x-pack/filebeat/module/gsuite/login/_meta/fields.yml create mode 100644 x-pack/filebeat/module/gsuite/login/config/config.yml create mode 100644 x-pack/filebeat/module/gsuite/login/config/pipeline.js create mode 100644 x-pack/filebeat/module/gsuite/login/manifest.yml create mode 100644 x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/saml/_meta/fields.yml create mode 100644 x-pack/filebeat/module/gsuite/saml/config/config.yml create mode 100644 x-pack/filebeat/module/gsuite/saml/config/pipeline.js create mode 100644 x-pack/filebeat/module/gsuite/saml/manifest.yml create mode 100644 x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/user_accounts/config/config.yml create mode 100644 x-pack/filebeat/module/gsuite/user_accounts/config/pipeline.js create mode 100644 x-pack/filebeat/module/gsuite/user_accounts/manifest.yml create mode 100644 x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json create mode 100644 x-pack/filebeat/modules.d/cyberark.yml.disabled create mode 100644 x-pack/filebeat/modules.d/googlecloud.yml.disabled 
create mode 100644 x-pack/filebeat/modules.d/gsuite.yml.disabled
diff --git a/.ci/packaging.groovy b/.ci/packaging.groovy
index 04301526e4d..0e29bdd7ebb 100644
--- a/.ci/packaging.groovy
+++ b/.ci/packaging.groovy
@@ -440,6 +440,7 @@ def triggerE2ETests(String suite) {
 booleanParam(name: 'forceSkipPresubmit', value: true),
 booleanParam(name: 'notifyOnGreenBuilds', value: !isPR()),
 string(name: 'BEAT_VERSION', value: beatVersion),
+ booleanParam(name: 'BEATS_USE_CI_SNAPSHOTS', value: true),
 string(name: 'runTestsSuites', value: suite),
 string(name: 'GITHUB_CHECK_NAME', value: env.GITHUB_CHECK_E2E_TESTS_NAME),
 string(name: 'GITHUB_CHECK_REPO', value: env.REPO),
diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc
index 1957c6f0ca7..0a8b9b76099 100644
--- a/CHANGELOG-developer.next.asciidoc
+++ b/CHANGELOG-developer.next.asciidoc
@@ -62,7 +62,6 @@ The list below covers the major changes between 7.0.0-rc2 and master only.
 - Metricbeat module builders call host parser only once when instantiating light modules. {pull}20149[20149]
 - Fix export dashboard command when running against Elastic Cloud hosted Kibana. {pull}22746[22746]
 - Remove `event.dataset` (ECS) annotion from `libbeat.logp`. {issue}27404[27404]
-- Errors should be thrown as errors. Metricsets inside Metricbeat will now throw errors as the `error` log level. {pull}27804[27804]
 ==== Added
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 7280d1039b8..5c25d138679 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -3,16 +3,10 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ -[[release-notes-8.0.0-alpha2]] -=== Beats version 8.0.0-alpha2 - -Changes will be described in a later alpha / beta. - [[release-notes-8.0.0-alpha1]] === Beats version 8.0.0-alpha1 Changes will be described in a later alpha / beta. - [[release-notes-7.14.1]] === Beats version 7.14.1 https://github.com/elastic/beats/compare/v7.14.0...v7.14.1[View commits] diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index c189adabc67..5083477f18a 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -84,11 +84,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Remove all alias fields pointing to ECS fields from modules. This affects the Suricata and Traefik modules. {issue}10535[10535] {pull}26627[26627] - Add option for S3 input to work without SQS notification {issue}18205[18205] {pull}27332[27332] - Fix Crowdstrike ingest pipeline that was creating flattened `process` fields. {issue}27622[27622] {pull}27623[27623] -- Rename `log.path` to `log.file.path` in filestream to be consistent with `log` input and ECS. {pull}27761[27761] -- Removes old module aliases for `googlecloud` (moved to gcp) and `apache2` (moved to apache). {pull}27919[27919] -- Removes old module name aliases (gsuite) and removing old cyberark module in favor of the new cyberarkpas{pull}27915[27915] -- Only filesets that are explicitly configured will be enabled. {issue}17256[17256] {pull}27526[27526] -- All filesets are disabled in the default configuration. {issue}17256[17256] {pull}27762[27762] *Heartbeat* - Remove long deprecated `watch_poll` functionality. {pull}27166[27166] 
@@ -113,8 +108,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add Linux pressure metricset {pull}27355[27355] - Add support for kube-state-metrics v2.0.0 {pull}27552[27552] - Add User-Agent header to HTTP requests. {issue}18160[18160] {pull}27509[27509] -- Errors should be thrown as errors. Metricsets inside Metricbeat will now throw errors as the `error` log level. {pull}27804[27804] -- Remove deprecated fields in Docker module. {issue}11835[11835] {pull}27933[27933] *Packetbeat* @@ -214,9 +207,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Do not try to load ILM policy if `check_exists` is `false`. {pull}27508[27508] {issue}26322[26322] - Fix bug with cgroups hierarchy override path in cgroups {pull}27620[27620] - Beat `setup kibana` command may use the elasticsearch API key defined in `output.elasticsearch.api_key`. {issue}24015[24015] {pull}27540[27540] -- Fix `decode_xml` handling of array merging when using `to_lower: true`. {pull}27922[27922] - Seperate namespaces for V1 and V2 controller paths {pull}27676[27676] -- Beats dashboards use custom index when `setup.dashboards.index` is set. {issue}21232[21232] {pull}27901[27901] *Auditbeat* @@ -226,7 +217,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - system/package: Fix an error that can occur while trying to persist package metadata. {issue}18536[18536] {pull}18887[18887] - system/socket: Fix dataset using 100% CPU and becoming unresponsive in some scenarios. {pull}19033[19033] {pull}19764[19764] - system/socket: Fixed tracking of long-running connections. {pull}19033[19033] -- file_integrity: honor include_files when doing initial scan. {issue}27273[27273] {pull}27722[27722] *Filebeat* 
@@ -321,8 +311,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Auditd: Fix Top Exec Commands dashboard visualization. {pull}27638[27638] - Store offset in `log.offset` field of events from the filestream input. {pull}27688[27688] - Fix `httpjson` input rate limit processing and documentation. {pull}[] -- Update Filebeat compatibility function to remove processor description field on ES < 7.9.0 {pull}27774[27774] -- Make filestream events ECS compliant. {issue}27776[27776] *Heartbeat* @@ -758,10 +746,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added support for parsing syslog dates containing a leading 0 (e.g. `Sep 01`) rather than a space. {pull}27775[27775] - Add base64 Encode functionality to httpjson input. {pull}27681[27681] - Add `join` and `sprintf` functions to `httpjson` input. {pull}27735[27735] -- Improve memory usage of line reader of `log` and `filestream` input. {pull}27782[27782] -- Add `ignore_empty_value` flag to `httpjson` `split` processor. {pull}27880[27880] -- Update Cisco ASA/FTD ingest pipeline grok/dissect patterns for multiple message IDs. {issue}26869[26869] {pull}26879[26879] -- Add write access to `url.value` from `request.transforms` in `httpjson` input. {pull}27937[27937] + *Heartbeat* @@ -889,7 +874,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Apache: convert status.total_kbytes to status.total_bytes in fleet mode. {pull}23022[23022] - Release MSSQL as GA {pull}23146[23146] - Add AWS Kinesis metricset. {pull}25989[25989] -- Enable `journald` input type in Filebeat. {issue}7955[7955] {pull}27351[27351] - Move openmetrics module to oss. {pull}26561[26561] - Add `gke` metricset collection to `gcp` module {pull}26824[26824] diff --git a/NOTICE.txt b/NOTICE.txt index 9a9ae8e35f8..1f1cbb8d288 100644 --- a/NOTICE.txt +++ b/NOTICE.txt 
@@ -4440,12 +4440,12 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- -Dependency : github.com/dgraph-io/badger/v3 -Version: v3.2103.1 +Dependency : github.com/dgraph-io/badger/v2 +Version: v2.2007.3-0.20201012072640-f5a7e0a1c83b Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/dgraph-io/badger/v3@v3.2103.1/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/dgraph-io/badger/v2@v2.2007.3-0.20201012072640-f5a7e0a1c83b/LICENSE: Apache License Version 2.0, January 2004 @@ -9722,11 +9722,11 @@ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- Dependency : github.com/gogo/protobuf -Version: v1.3.2 +Version: v1.3.1 Licence type (autodetected): BSD-3-Clause -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/gogo/protobuf@v1.3.2/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/gogo/protobuf@v1.3.1/LICENSE: Copyright (c) 2013, The GoGo Authors. All rights reserved. @@ -10241,11 +10241,11 @@ Contents of probable licence file $GOMODCACHE/github.com/gomodule/redigo@v1.8.3/ -------------------------------------------------------------------------------- Dependency : github.com/google/flatbuffers -Version: v1.12.0 +Version: v1.7.2-0.20170925184458-7a6b2bf521e9 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/google/flatbuffers@v1.12.0/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/google/flatbuffers@v1.7.2-0.20170925184458-7a6b2bf521e9/LICENSE.txt: Apache License 
@@ -10436,7 +10436,7 @@ Contents of probable licence file $GOMODCACHE/github.com/google/flatbuffers@v1.1 same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright [yyyy] [name of copyright owner] + Copyright 2014 Google Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -21728,6 +21728,43 @@ Contents of probable licence file $GOMODCACHE/github.com/!burnt!sushi/xgb@v0.0.0 // such litigation is filed. +-------------------------------------------------------------------------------- +Dependency : github.com/DataDog/zstd +Version: v1.4.1 +Licence type (autodetected): BSD-3-Clause +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/!data!dog/zstd@v1.4.1/LICENSE: + +Simplified BSD License + +Copyright (c) 2016, Datadog +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + * Neither the name of the copyright holder nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + -------------------------------------------------------------------------------- Dependency : github.com/Microsoft/hcsshim Version: v0.8.7 @@ -26328,11 +26365,11 @@ SOFTWARE. -------------------------------------------------------------------------------- Dependency : github.com/dgraph-io/ristretto -Version: v0.1.0 +Version: v0.0.3-0.20200630154024-f66de99634de Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/dgraph-io/ristretto@v0.1.0/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/dgraph-io/ristretto@v0.0.3-0.20200630154024-f66de99634de/LICENSE: Apache License Version 2.0, January 2004 
@@ -29749,12 +29786,12 @@ Contents of probable licence file $GOMODCACHE/github.com/golang-sql/civil@v0.0.0 limitations under the License. -------------------------------------------------------------------------------- -Dependency : github.com/elastic/glog -Version: v1.0.1-0.20210831205241-7d8b5c89dfc4 +Dependency : github.com/golang/glog +Version: v0.0.0-20160126235308-23def4e6c14b Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/glog@v1.0.1-0.20210831205241-7d8b5c89dfc4/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/golang/glog@v0.0.0-20160126235308-23def4e6c14b/LICENSE: Apache License Version 2.0, January 2004 @@ -36034,11 +36071,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- Dependency : github.com/kisielk/errcheck -Version: v1.5.0 +Version: v1.2.0 Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/kisielk/errcheck@v1.5.0/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/kisielk/errcheck@v1.2.0/LICENSE: Copyright (c) 2013 Kamil Kisiel @@ -36108,11 +36145,11 @@ match.go, match_test.go: -------------------------------------------------------------------------------- Dependency : github.com/klauspost/compress -Version: v1.12.3 +Version: v1.12.2 Licence type (autodetected): BSD-3-Clause -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/klauspost/compress@v1.12.3/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/klauspost/compress@v1.12.2/LICENSE: Copyright (c) 2012 The Go Authors. All rights reserved. Copyright (c) 2019 Klaus Post. All rights reserved. 
@@ -41758,11 +41795,11 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI
 --------------------------------------------------------------------------------
 Dependency : go.opencensus.io
-Version: v0.22.5
+Version: v0.22.2
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
-Contents of probable licence file $GOMODCACHE/go.opencensus.io@v0.22.5/LICENSE:
+Contents of probable licence file $GOMODCACHE/go.opencensus.io@v0.22.2/LICENSE:
 Apache License
diff --git a/auditbeat/module/file_integrity/metricset_test.go b/auditbeat/module/file_integrity/metricset_test.go
index 14522bcd627..aad49679c49 100644
--- a/auditbeat/module/file_integrity/metricset_test.go
+++ b/auditbeat/module/file_integrity/metricset_test.go
@@ -258,7 +258,7 @@ func TestIncludedExcludedFiles(t *testing.T) {
 }
 config := getConfig(dir)
- config["include_files"] = []string{`\.ssh`}
+ config["include_files"] = []string{`\.ssh/`}
 config["recursive"] = true
 ms := mbtest.NewPushMetricSetV2(t, config)
diff --git a/auditbeat/module/file_integrity/scanner.go b/auditbeat/module/file_integrity/scanner.go
index a4bf7277633..6a960065d1c 100644
--- a/auditbeat/module/file_integrity/scanner.go
+++ b/auditbeat/module/file_integrity/scanner.go
@@ -140,11 +140,6 @@ func (s *scanner) walkDir(dir string, action Action) error {
 }
 return nil
 }
-
- if !info.IsDir() && !s.config.IsIncludedPath(path) {
- return nil
- }
-
 defer func() { startTime = time.Now() }()
 event := s.newScanEvent(path, info, err, action)
diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml
index ae81804a606..abbb3baec8d 100644
--- a/deploy/kubernetes/metricbeat-kubernetes.yaml
+++ b/deploy/kubernetes/metricbeat-kubernetes.yaml
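Review bot: Removing the `!info.IsDir() && !s.config.IsIncludedPath(path)` guard from walkDir means the initial scan now hashes and emits an event for every regular file under the configured paths, whether or not it matches `include_files`, so the scan is no longer scoped to what the operator asked to monitor and the fixture change in metricset_test.go (`\.ssh` → `\.ssh/`) only adjusts the test rather than replacing the check. The filter should stay in the walk: `if !info.IsDir() && !s.config.IsIncludedPath(path) {` / `return nil` / `}` before the `defer`. The CHANGELOG.next.asciidoc hunk earlier on this page also drops the "file_integrity: honor include_files when doing initial scan" entry, which suggests a deliberate revert; if that is the intent, the reason belongs in the commit message. walkDir starts before this hunk and continues after it.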
@@ -19,9 +19,6 @@ data: - type: kubernetes scope: cluster node: ${NODE_NAME} - # In large Kubernetes clusters consider setting unique to false - # to avoid using the leader election strategy and - # instead run a dedicated Metricbeat instance using a Deployment in addition to the DaemonSet unique: true templates: - config: diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml index a51845f4f9a..a60395f4490 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml @@ -19,9 +19,6 @@ data: - type: kubernetes scope: cluster node: ${NODE_NAME} - # In large Kubernetes clusters consider setting unique to false - # to avoid using the leader election strategy and - # instead run a dedicated Metricbeat instance using a Deployment in addition to the DaemonSet unique: true templates: - config: diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml index fba03edb34e..6d8cea78a21 100644 --- a/dev-tools/ecs-migration.yml +++ b/dev-tools/ecs-migration.yml @@ -54,7 +54,7 @@ alias6: true alias: true -- from: docker.container.labels # TODO: How to map these? +- from: docker.container.labels # TODO: How to map these? to: container.labels alias6: false alias: true @@ -115,8 +115,8 @@ - from: source to: - - log.file.path - - log.source.address + - log.file.path + - log.source.address alias: false beat: filebeat @@ -428,7 +428,7 @@ beat: filebeat - from: suricata.eve.timestamp - to: "@timestamp" + to: '@timestamp' alias: true beat: filebeat @@ -476,7 +476,7 @@ beat: filebeat - from: system.auth.timestamp - to: "@timestamp" + to: '@timestamp' alias: true beat: filebeat 
@@ -560,6 +560,155 @@ alias: true beat: filebeat +## Apache module + +- from: apache2.access.remote_ip + to: source.address + alias: true + beat: filebeat + +- from: apache2.access.user_name + to: user.name + alias: true + beat: filebeat + +- from: apache2.access.method + to: http.request.method + alias: true + beat: filebeat + +- from: apache2.access.url + to: url.original + alias: true + beat: filebeat + +- from: apache2.access.http_version + to: http.version + alias: true + beat: filebeat + +- from: apache2.access.response_code + to: http.response.status_code + alias: true + beat: filebeat + +- from: apache2.access.referrer + to: http.request.referrer + alias: true + beat: filebeat + +- from: apache2.access.agent + to: user_agent.original + alias: true + beat: filebeat + +- from: apache2.access.body_sent.bytes + to: http.response.body.bytes + alias: true + beat: filebeat + +- from: apache2.access.geoip.continent_name + to: source.geo.continent_name + alias: true + beat: filebeat + +- from: apache2.access.geoip.country_iso_code + to: source.geo.country_iso_code + alias: true + beat: filebeat + +- from: apache2.access.geoip.location + to: source.geo.location + alias: true + beat: filebeat + +- from: apache2.access.geoip.region_name + to: source.geo.region_name + alias: true + beat: filebeat + +- from: apache2.access.geoip.city_name + to: source.geo.city_name + alias: true + beat: filebeat + +- from: apache2.access.geoip.region_iso_code + to: source.geo.region_iso_code + alias: true + beat: filebeat + +- from: apache2.access.user_agent.original + to: user_agent.original + alias: true + beat: filebeat +- from: apache2.access.user_agent.device + to: user_agent.device.name + alias: true + beat: filebeat +- from: apache2.access.user_agent.name + to: user_agent.name + alias: true + beat: filebeat +- from: apache2.access.user_agent.os + to: user_agent.os.full_name + alias: true + beat: filebeat +- from: apache2.access.user_agent.os_name + to: user_agent.os.name + alias: 
true + beat: filebeat + +- from: apache2.access.user_agent.major + to: user_agent.version + alias: false + beat: filebeat +- from: apache2.access.user_agent.minor + to: user_agent.version + alias: false + beat: filebeat +- from: apache2.access.user_agent.patch + to: user_agent.version + alias: false + beat: filebeat +- from: apache2.access.user_agent.os_major + to: user_agent.os.version + alias: false + beat: filebeat +- from: apache2.access.user_agent.os_minor + to: user_agent.os.version + alias: false + beat: filebeat +- from: apache2.access.user_agent.os_patch + to: user_agent.os.version + alias: false + beat: filebeat + +### Error fileset +- from: apache2.error.message + to: message + alias: true + beat: filebeat + +- from: apache2.error.level + to: log.level + alias: true + beat: filebeat + +- from: apache2.error.client + to: source.address + alias: true + beat: filebeat + +- from: apache2.error.pid + to: process.pid + alias: true + beat: filebeat + +- from: apache2.error.tid + to: process.thread.id + alias: true + beat: filebeat + ## Elasticsearch module - from: elasticsearch.audit.origin_address @@ -1599,6 +1748,7 @@ alias: true beat: metricbeat + ### Redis - from: php_fpm.status.pid diff --git a/dev-tools/mage/check.go b/dev-tools/mage/check.go index c34255420cd..f61501b06eb 100644 --- a/dev-tools/mage/check.go +++ b/dev-tools/mage/check.go @@ -36,7 +36,6 @@ import ( "github.com/pkg/errors" "github.com/elastic/beats/v7/dev-tools/mage/gotool" - "github.com/elastic/beats/v7/libbeat/dashboards" "github.com/elastic/beats/v7/libbeat/processors/dissect" ) 
@@ -261,14 +260,6 @@ func checkDashboardForErrors(file string, d []byte) bool { fmt.Println(" ", err) } - replaced := dashboards.ReplaceIndexInDashboardObject("my-test-index-*", d) - if bytes.Contains(replaced, []byte(BeatName+"-*")) { - hasErrors = true - fmt.Printf(">> Cannot modify all index pattern references in dashboard - %s\n", file) - fmt.Println("Please edit the dashboard override function named ReplaceIndexInDashboardObject in libbeat.") - fmt.Println(string(replaced)) - } - return hasErrors } diff --git a/dev-tools/mage/common.go b/dev-tools/mage/common.go index f61dd43e03e..208ae02d974 100644 --- a/dev-tools/mage/common.go +++ b/dev-tools/mage/common.go @@ -26,7 +26,6 @@ import ( "context" "crypto/sha256" "crypto/sha512" - "debug/elf" "encoding/hex" "encoding/json" "fmt" @@ -39,7 +38,6 @@ import ( "path/filepath" "regexp" "runtime" - "sort" "strconv" "strings" "sync" 
@@ -915,48 +913,3 @@ func IntegrationTestEnvVars() []string { } return vars } - -// ReadGLIBCRequirement returns the required glibc version for a dynamically -// linked ELF binary. The target machine must have a version equal to or -// greater than (newer) the returned value. -func ReadGLIBCRequirement(elfFile string) (*SemanticVersion, error) { - e, err := elf.Open(elfFile) - if err != nil { - return nil, err - } - - symbols, err := e.DynamicSymbols() - if err != nil { - return nil, err - } - - versionSet := map[SemanticVersion]struct{}{} - for _, sym := range symbols { - if strings.HasPrefix(sym.Version, "GLIBC_") { - semver, err := NewSemanticVersion(strings.TrimPrefix(sym.Version, "GLIBC_")) - if err != nil { - continue - } - - versionSet[*semver] = struct{}{} - } - } - - if len(versionSet) == 0 { - return nil, errors.New("no GLIBC symbols found in binary (is this a static binary?)") - } - - var versions []SemanticVersion - for ver := range versionSet { - versions = append(versions, ver) - } - - sort.Slice(versions, func(i, j int) bool { - a := versions[i] - b := versions[j] - return a.LessThan(&b) - }) - - max := versions[len(versions)-1] - return &max, nil -} diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go index c2f87784063..10d73c3876c 100644 --- a/dev-tools/mage/crossbuild.go +++ b/dev-tools/mage/crossbuild.go @@ -129,7 +129,7 @@ type crossBuildParams struct { // CrossBuild executes a given build target once for each target platform. func CrossBuild(options ...CrossBuildOption) error { - params := crossBuildParams{Platforms: Platforms, Target: defaultCrossBuildTarget, ImageSelector: CrossBuildImage} + params := crossBuildParams{Platforms: Platforms, Target: defaultCrossBuildTarget, ImageSelector: crossBuildImage} for _, opt := range options { opt(¶ms) } 
@@ -193,7 +193,7 @@ func buildMage() error { "-compile", CreateDir(filepath.Join("build", "mage-linux-"+arch))) } -func CrossBuildImage(platform string) (string, error) { +func crossBuildImage(platform string) (string, error) { tagSuffix := "main" switch { diff --git a/dev-tools/mage/modules.go b/dev-tools/mage/modules.go index a65c2c2a121..80fc4c2f7c5 100644 --- a/dev-tools/mage/modules.go +++ b/dev-tools/mage/modules.go @@ -18,15 +18,10 @@ package mage import ( - "fmt" "io/ioutil" "os" "path/filepath" "strings" - - "github.com/joeshaw/multierror" - "github.com/pkg/errors" - "gopkg.in/yaml.v2" ) var modulesDConfigTemplate = ` 
@@ -76,68 +71,3 @@ func GenerateDirModulesD() error { } return nil } - -type datasetDefinition struct { - Enabled *bool -} - -type moduleDefinition struct { - Name string `yaml:"module"` - Filesets map[string]datasetDefinition `yaml:",inline"` -} - -// ValidateDirModulesD validates a modules.d directory containing the -// .yml.disabled files. It checks that the files are valid -// yaml and conform to module definitions. -func ValidateDirModulesD() error { - _, err := loadModulesD() - return err -} - -// ValidateDirModulesDDatasetsDisabled ensures that all the datasets -// are disabled by default. -func ValidateDirModulesDDatasetsDisabled() error { - cfgs, err := loadModulesD() - if err != nil { - return err - } - var errs multierror.Errors - for path, cfg := range cfgs { - // A config.yml is a list of module configurations. - for modIdx, mod := range cfg { - // A module config is a map of datasets. - for dsName, ds := range mod.Filesets { - if ds.Enabled == nil || *ds.Enabled { - var entry string - if len(cfg) > 1 { - entry = fmt.Sprintf(" (entry #%d)", modIdx+1) - } - err = fmt.Errorf("in file '%s': %s module%s dataset %s must be explicitly disabled (needs `enabled: false`)", - path, mod.Name, entry, dsName) - errs = append(errs, err) - } - } - } - } - return errs.Err() -} - -func loadModulesD() (modules map[string][]moduleDefinition, err error) { - files, err := filepath.Glob("modules.d/*.disabled") - if err != nil { - return nil, err - } - modules = make(map[string][]moduleDefinition, len(files)) - for _, file := range files { - contents, err := ioutil.ReadFile(file) - if err != nil { - return nil, errors.Wrapf(err, "reading %s", file) - } - var cfg []moduleDefinition - if err = yaml.Unmarshal(contents, &cfg); err != nil { - return nil, errors.Wrapf(err, "parsing %s as YAML", file) - } - modules[file] = cfg - } - return modules, nil -} diff --git a/dev-tools/mage/pkg.go b/dev-tools/mage/pkg.go index f4381291cfe..2341724b350 100644 --- a/dev-tools/mage/pkg.go 
+++ b/dev-tools/mage/pkg.go @@ -21,7 +21,6 @@ import ( "fmt" "log" "os" - "path/filepath" "runtime" "strconv" @@ -243,38 +242,3 @@ func TestPackages(options ...TestPackagesOption) error { return nil } - -// TestLinuxForCentosGLIBC checks the GLIBC requirements of linux/amd64 and -// linux/386 binaries to ensure they meet the requirements for RHEL 6 which has -// glibc 2.12. -func TestLinuxForCentosGLIBC() error { - switch Platform.Name { - case "linux/amd64", "linux/386": - return TestBinaryGLIBCVersion(filepath.Join("build/golang-crossbuild", BeatName+"-linux-"+Platform.GOARCH), "2.12") - default: - return nil - } -} - -func TestBinaryGLIBCVersion(elfPath, maxGlibcVersion string) error { - requiredGlibc, err := ReadGLIBCRequirement(elfPath) - if err != nil { - if errors.Is(err, os.ErrNotExist) { - return nil - } - return err - } - - upperBound, err := NewSemanticVersion(maxGlibcVersion) - if err != nil { - return err - } - - if !requiredGlibc.LessThanOrEqual(upperBound) { - return fmt.Errorf("dynamically linked binary %q requires glibc "+ - "%v, but maximum allowed glibc is %v", - elfPath, requiredGlibc, upperBound) - } - fmt.Printf(">> testBinaryGLIBCVersion: %q requires glibc %v or greater\n", elfPath, requiredGlibc) - return nil -} diff --git a/dev-tools/mage/semver.go b/dev-tools/mage/semver.go deleted file mode 100644 index 22801f5b2af..00000000000 --- a/dev-tools/mage/semver.go +++ /dev/null 
@@ -1,67 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package mage - -import ( - "fmt" - "regexp" - "strconv" -) - -var SemanticVersionRegex = regexp.MustCompile(`(?m)^(\d+)\.(\d+)(?:\.(\d+))?`) - -type SemanticVersion struct { - Major, Minor, Patch int -} - -// NewSemanticVersion return a new SemanticVersion parsed from string in the -// format of 'x.y' or 'x.y.z'. -func NewSemanticVersion(s string) (*SemanticVersion, error) { - matches := SemanticVersionRegex.FindStringSubmatch(s) - if len(matches) < 4 { - return nil, fmt.Errorf("invalid version format %q", s) - } - - major, _ := strconv.Atoi(matches[1]) - Minor, _ := strconv.Atoi(matches[2]) - Patch, _ := strconv.Atoi(matches[3]) - return &SemanticVersion{major, Minor, Patch}, nil -} - -// LessThan return true iff s is less than x. -func (s *SemanticVersion) LessThan(x *SemanticVersion) bool { - if s.Major != x.Major { - return s.Major < x.Major - } - if s.Minor != x.Minor { - return s.Minor < x.Minor - } - return s.Patch < x.Patch -} - -// LessThanOrEqual return true iff s is less than or equal to x. 
-func (s *SemanticVersion) LessThanOrEqual(x *SemanticVersion) bool { - if s.LessThan(x) { - return true - } - return !x.LessThan(s) -} - -func (s SemanticVersion) String() string { - return fmt.Sprintf("%d.%d.%d", s.Major, s.Minor, s.Patch) -} diff --git a/dev-tools/vagrant_scripts/winProvision.ps1 b/dev-tools/vagrant_scripts/winProvision.ps1 index 1916a1471b7..62b40c34970 100644 --- a/dev-tools/vagrant_scripts/winProvision.ps1 +++ b/dev-tools/vagrant_scripts/winProvision.ps1 @@ -7,7 +7,7 @@ if (-Not (Test-Path $gopath_beats)) { echo 'Creating github.com\\elastic in the GOPATH' New-Item -itemtype directory -path "C:\\Gopath\\src\\github.com\\elastic" -force echo "Symlinking C:\\Vagrant to C:\\Gopath\\src\\github.com\\elastic" - cmd /c mklink /d $gopath_beats \\vboxsvr\vagrant + cmd /c mklink /d $gopath_beats \\\\vboxsvr\\vagrant } if (-Not (Get-Command "gvm" -ErrorAction SilentlyContinue)) { @@ -71,4 +71,4 @@ if (-Not (Get-Command "gcc" -ErrorAction SilentlyContinue)) { } echo "Setting PYTHON_ENV in VM to point to C:\\beats-python-env." -[System.Environment]::SetEnvironmentVariable("PYTHON_ENV", "C:\\beats-python-env", [System.EnvironmentVariableTarget]::Machine) +[System.Environment]::SetEnvironmentVariable("PYTHON_ENV", "C:\\beats-python-env", [System.EnvironmentVariableTarget]::Machine) \ No newline at end of file diff --git a/filebeat/autodiscover/builder/hints/logs.go b/filebeat/autodiscover/builder/hints/logs.go index 5a09bb41780..4fb86cd9e18 100644 --- a/filebeat/autodiscover/builder/hints/logs.go +++ b/filebeat/autodiscover/builder/hints/logs.go @@ -201,7 +201,7 @@ func (l *logHints) getFilesets(hints common.MapStr, module string) map[string]*f var configured bool filesets := make(map[string]*filesetConfig) - moduleFilesets, err := l.registry.ModuleAvailableFilesets(module) + moduleFilesets, err := l.registry.ModuleFilesets(module) if err != nil { logp.Err("Error retrieving module filesets: %+v", err) return nil 
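Review bot: The mklink target on the new side is `\\\\vboxsvr\\vagrant`, and PowerShell does not treat backslash as an escape character, so if this script is executed directly cmd receives four leading backslashes where a UNC path needs exactly two. The surrounding lines already double every backslash (`C:\\Gopath\\src\\github.com\\elastic`), which suggests the file is unescaped by another layer (presumably the Vagrant provisioning template) before it runs; that convention is not stated in the file, so a header comment such as `# NOTE: backslashes are doubled because this script is embedded in a template that unescapes them before execution` would keep the next editor from reverting this fix.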
diff --git a/filebeat/autodiscover/builder/hints/logs_test.go b/filebeat/autodiscover/builder/hints/logs_test.go index ae1ca208313..e00ec39920e 100644 --- a/filebeat/autodiscover/builder/hints/logs_test.go +++ b/filebeat/autodiscover/builder/hints/logs_test.go @@ -405,14 +405,14 @@ func TestGenerateHints(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache", + "module": "apache2", }, }, }, len: 1, result: []common.MapStr{ { - "module": "apache", + "module": "apache2", "error": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -455,7 +455,7 @@ func TestGenerateHints(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache", + "module": "apache2", "fileset": "access", }, }, @@ -463,7 +463,7 @@ func TestGenerateHints(t *testing.T) { len: 1, result: []common.MapStr{ { - "module": "apache", + "module": "apache2", "access": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -506,7 +506,7 @@ func TestGenerateHints(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache", + "module": "apache2", "fileset.stdout": "access", "fileset.stderr": "error", }, @@ -515,7 +515,7 @@ func TestGenerateHints(t *testing.T) { len: 1, result: []common.MapStr{ { - "module": "apache", + "module": "apache2", "access": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -558,14 +558,14 @@ func TestGenerateHints(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache", + "module": "apache2", }, }, }, len: 1, result: []common.MapStr{ { - "module": "apache", + "module": "apache2", "error": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -606,7 +606,7 @@ func TestGenerateHints(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache", + "module": "apache2", "fileset": "access", }, }, 
@@ -614,7 +614,7 @@ func TestGenerateHints(t *testing.T) { len: 1, result: []common.MapStr{ { - "module": "apache", + "module": "apache2", "access": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -655,7 +655,7 @@ func TestGenerateHints(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache", + "module": "apache2", "fileset.stdout": "access", "fileset.stderr": "error", }, @@ -664,7 +664,7 @@ func TestGenerateHints(t *testing.T) { len: 1, result: []common.MapStr{ { - "module": "apache", + "module": "apache2", "access": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -826,14 +826,14 @@ func TestGenerateHintsWithPaths(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache", + "module": "apache2", }, }, }, len: 1, path: "/var/log/pods/${data.kubernetes.pod.uid}/${data.kubernetes.container.name}/*.log", result: common.MapStr{ - "module": "apache", + "module": "apache2", "error": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ @@ -878,7 +878,7 @@ func TestGenerateHintsWithPaths(t *testing.T) { }, "hints": common.MapStr{ "logs": common.MapStr{ - "module": "apache", + "module": "apache2", "fileset": "access", }, }, @@ -886,7 +886,7 @@ func TestGenerateHintsWithPaths(t *testing.T) { len: 1, path: "/var/log/pods/${data.kubernetes.pod.uid}/${data.kubernetes.container.name}/*.log", result: common.MapStr{ - "module": "apache", + "module": "apache2", "access": map[string]interface{}{ "enabled": true, "input": map[string]interface{}{ diff --git a/filebeat/beater/filebeat.go b/filebeat/beater/filebeat.go index 435161bb9f4..a66a674b525 100644 --- a/filebeat/beater/filebeat.go +++ b/filebeat/beater/filebeat.go 
@@ -113,19 +113,6 @@ func newBeater(b *beat.Beat, plugins PluginFactory, rawConfig *common.Config) (b } if !moduleRegistry.Empty() { logp.Info("Enabled modules/filesets: %s", moduleRegistry.InfoString()) - for _, mod := range moduleRegistry.ModuleNames() { - if mod == "" { - continue - } - filesets, err := moduleRegistry.ModuleConfiguredFilesets(mod) - if err != nil { - logp.Err("Failed listing filesets for module %s", mod) - continue - } - if len(filesets) == 0 { - logp.Warn("Module %s is enabled but has no enabled filesets", mod) - } - } } moduleInputs, err := moduleRegistry.GetInputConfigs() diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index b05f90afa28..6e40ec0107f 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -29,6 +29,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> @@ -39,6 +40,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> 
@@ -164,6 +166,260 @@ Apache Module +[float] +=== apache2 + +Aliases for backward compatibility with old apache2 fields + + + + +*`apache2.access.remote_ip`*:: ++ +-- +type: alias + +alias to: source.address + +-- + +*`apache2.access.ssl.protocol`*:: ++ +-- +type: alias + +alias to: apache.access.ssl.protocol + +-- + +*`apache2.access.ssl.cipher`*:: ++ +-- +type: alias + +alias to: apache.access.ssl.cipher + +-- + +*`apache2.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`apache2.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`apache2.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`apache2.access.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`apache2.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`apache2.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`apache2.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`apache2.access.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`apache2.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`apache2.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`apache2.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`apache2.access.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`apache2.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`apache2.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`apache2.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`apache2.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + 
+*`apache2.access.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`apache2.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`apache2.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + + +*`apache2.error.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`apache2.error.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`apache2.error.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`apache2.error.tid`*:: ++ +-- +type: alias + +alias to: process.thread.id + +-- + +*`apache2.error.module`*:: ++ +-- +type: alias + +alias to: apache.error.module + +-- + [float] === apache @@ -21553,26 +21809,6 @@ type: keyword The WebVPN group name the user belongs to -type: keyword - --- - -*`cisco.asa.termination_initiator`*:: -+ --- -Interface name of the side that initiated the teardown - - -type: keyword - --- - -*`cisco.asa.tunnel_type`*:: -+ --- -SA type (remote access or L2L) - - type: keyword -- @@ -21811,16 +22047,6 @@ type: keyword The WebVPN group name the user belongs to -type: keyword - --- - -*`cisco.ftd.termination_initiator`*:: -+ --- -Interface name of the side that initiated the teardown - - type: keyword -- 
@@ -28534,13462 +28760,11696 @@ type: keyword -- -[[exported-fields-cyberarkpas]] -== CyberArk PAS fields +[[exported-fields-cyberark]] +== Cyber-Ark fields -cyberarkpas fields. +cyberark fields. +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. -[float] -=== audit -Cyberark Privileged Access Security Audit fields. +type: keyword + +-- -*`cyberarkpas.audit.action`*:: +*`rsa.internal.msg`*:: + -- -A description of the audit record. +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -[float] -=== ca_properties - -Account metadata. - - -*`cyberarkpas.audit.ca_properties.address`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.cpm_disabled`*:: +*`rsa.internal.event_desc`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.cpm_error_details`*:: +*`rsa.internal.message`*:: + -- +This key captures the contents of instant messages + type: keyword -- -*`cyberarkpas.audit.ca_properties.cpm_status`*:: +*`rsa.internal.time`*:: + -- -type: keyword +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date -- -*`cyberarkpas.audit.ca_properties.creation_method`*:: +*`rsa.internal.level`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`cyberarkpas.audit.ca_properties.customer`*:: +*`rsa.internal.msg_id`*:: + -- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.ca_properties.database`*:: +*`rsa.internal.msg_vid`*:: + -- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.ca_properties.device_type`*:: +*`rsa.internal.data`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.ca_properties.dual_account_status`*:: +*`rsa.internal.obj_server`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.ca_properties.group_name`*:: +*`rsa.internal.obj_val`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.ca_properties.in_process`*:: +*`rsa.internal.resource`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.ca_properties.index`*:: +*`rsa.internal.obj_id`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.ca_properties.last_fail_date`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.ca_properties.last_success_change`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.ca_properties.last_success_reconciliation`*:: +*`rsa.internal.entry`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.ca_properties.last_success_verification`*:: +*`rsa.internal.hcode`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.ca_properties.last_task`*:: +*`rsa.internal.inode`*:: + -- -type: keyword +Deprecated key defined only in table map. 
+ +type: long -- -*`cyberarkpas.audit.ca_properties.logon_domain`*:: +*`rsa.internal.resource_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.ca_properties.policy_id`*:: +*`rsa.internal.dead`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`cyberarkpas.audit.ca_properties.port`*:: +*`rsa.internal.feed_desc`*:: + -- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.ca_properties.privcloud`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.ca_properties.reset_immediately`*:: +*`rsa.internal.cid`*:: + -- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.ca_properties.retries_count`*:: +*`rsa.internal.device_class`*:: + -- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.ca_properties.sequence_id`*:: +*`rsa.internal.device_group`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.ca_properties.tags`*:: +*`rsa.internal.device_host`*:: + -- +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.ca_properties.user_dn`*:: +*`rsa.internal.device_ip`*:: + -- -type: keyword +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`cyberarkpas.audit.ca_properties.user_name`*:: +*`rsa.internal.device_ipv6`*:: + -- -type: keyword +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`cyberarkpas.audit.ca_properties.virtual_username`*:: +*`rsa.internal.device_type`*:: + -- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.ca_properties.other`*:: +*`rsa.internal.device_type_id`*:: + -- -type: flattened +Deprecated key defined only in table map. + +type: long -- -*`cyberarkpas.audit.category`*:: +*`rsa.internal.did`*:: + -- -The category name (for category-related operations). +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cyberarkpas.audit.desc`*:: +*`rsa.internal.entropy_req`*:: + -- -A static value that displays a description of the audit codes. 
+This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -[float] -=== extra_details +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -Specific extra details of the audit records. +type: long +-- -*`cyberarkpas.audit.extra_details.ad_process_id`*:: +*`rsa.internal.event_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.extra_details.ad_process_name`*:: +*`rsa.internal.feed_category`*:: + -- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.extra_details.application_type`*:: +*`rsa.internal.forward_ip`*:: + -- -type: keyword +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip -- -*`cyberarkpas.audit.extra_details.command`*:: +*`rsa.internal.forward_ipv6`*:: + -- -type: keyword +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`cyberarkpas.audit.extra_details.connection_component_id`*:: +*`rsa.internal.header_id`*:: + -- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.extra_details.dst_host`*:: +*`rsa.internal.lc_cid`*:: + -- +This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.extra_details.logon_account`*:: +*`rsa.internal.lc_ctime`*:: + -- -type: keyword +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date -- -*`cyberarkpas.audit.extra_details.managed_account`*:: +*`rsa.internal.mcb_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`cyberarkpas.audit.extra_details.process_id`*:: +*`rsa.internal.mcb_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`cyberarkpas.audit.extra_details.process_name`*:: +*`rsa.internal.mcbc_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`cyberarkpas.audit.extra_details.protocol`*:: +*`rsa.internal.mcbc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`cyberarkpas.audit.extra_details.psmid`*:: +*`rsa.internal.medium`*:: + -- -type: keyword +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
32 = log, 33 = correlation session, < 32 is packet session + +type: long -- -*`cyberarkpas.audit.extra_details.session_duration`*:: +*`rsa.internal.node_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.extra_details.session_id`*:: +*`rsa.internal.nwe_callback_id`*:: + -- +This key denotes that event is endpoint related + type: keyword -- -*`cyberarkpas.audit.extra_details.src_host`*:: +*`rsa.internal.parse_error`*:: + -- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`cyberarkpas.audit.extra_details.username`*:: +*`rsa.internal.payload_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`cyberarkpas.audit.extra_details.other`*:: +*`rsa.internal.payload_res`*:: + -- -type: flattened +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`cyberarkpas.audit.file`*:: +*`rsa.internal.process_vid_dst`*:: + -- -The name of the target file. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`cyberarkpas.audit.gateway_station`*:: +*`rsa.internal.process_vid_src`*:: + -- -The IP of the web application machine (PVWA). +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. -type: ip +type: keyword -- -*`cyberarkpas.audit.hostname`*:: +*`rsa.internal.rid`*:: + -- -The hostname, in upper case. - -type: keyword +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: MY-COMPUTER +type: long -- -*`cyberarkpas.audit.iso_timestamp`*:: +*`rsa.internal.session_split`*:: + -- -The timestamp, in ISO Timestamp format (RFC 3339). - -type: date +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: 2013-06-25 10:47:19+00:00 +type: keyword -- -*`cyberarkpas.audit.issuer`*:: +*`rsa.internal.site`*:: + -- -The Vault user who wrote the audit. This is usually the user who performed the operation. +Deprecated key defined only in table map. type: keyword -- -*`cyberarkpas.audit.location`*:: +*`rsa.internal.size`*:: + -- -The target Location (for Location operations). - -type: keyword +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -Field is not indexed. +type: long -- -*`cyberarkpas.audit.message`*:: +*`rsa.internal.sourcefile`*:: + -- -A description of the audit records (same information as in the Desc field). +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cyberarkpas.audit.message_id`*:: +*`rsa.internal.ubc_req`*:: + -- -The code ID of the audit records. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`cyberarkpas.audit.product`*:: +*`rsa.internal.ubc_res`*:: + -- -A static value that represents the product. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`cyberarkpas.audit.pvwa_details`*:: +*`rsa.internal.word`*:: + -- -Specific details of the PVWA audit records. +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log -type: flattened +type: keyword -- -*`cyberarkpas.audit.raw`*:: + +*`rsa.time.event_time`*:: + -- -Raw XML for the original audit record. Only present when XSLT file has debugging enabled. - - -type: keyword +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -Field is not indexed. +type: date -- -*`cyberarkpas.audit.reason`*:: +*`rsa.time.duration_time`*:: + -- -The reason entered by the user. +This key is used to capture the normalized duration/lifetime in seconds. -type: text +type: double -- -*`cyberarkpas.audit.rfc5424`*:: +*`rsa.time.event_time_str`*:: + -- -Whether the syslog format complies with RFC5424. - -type: boolean +This key is used to capture the incomplete time mentioned in a session as a string -example: True +type: keyword -- -*`cyberarkpas.audit.safe`*:: +*`rsa.time.starttime`*:: + -- -The name of the target Safe. +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`cyberarkpas.audit.severity`*:: +*`rsa.time.month`*:: + -- -The severity of the audit records. - type: keyword -- -*`cyberarkpas.audit.source_user`*:: +*`rsa.time.day`*:: + -- -The name of the Vault user who performed the operation. - type: keyword -- -*`cyberarkpas.audit.station`*:: +*`rsa.time.endtime`*:: + -- -The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. 
+This key is used to capture the End time mentioned in a session in a standard form -type: ip +type: date -- -*`cyberarkpas.audit.target_user`*:: +*`rsa.time.timezone`*:: + -- -The name of the Vault user on which the operation was performed. +This key is used to capture the timezone of the Event Time type: keyword -- -*`cyberarkpas.audit.timestamp`*:: +*`rsa.time.duration_str`*:: + -- -The timestamp, in MMM DD HH:MM:SS format. +A text string version of the duration type: keyword -example: Jun 25 10:47:19 - -- -*`cyberarkpas.audit.vendor`*:: +*`rsa.time.date`*:: + -- -A static value that represents the vendor. - type: keyword -- -*`cyberarkpas.audit.version`*:: +*`rsa.time.year`*:: + -- -A static value that represents the version of the Vault. - type: keyword -- -[[exported-fields-cylance]] -== CylanceProtect fields +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -cylance fields. +type: date +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword +-- -*`network.interface.name`*:: +*`rsa.time.effective_time`*:: + -- -Name of the network interface where the traffic has been observed. +This key is the effective time referenced by an individual event in a Standard Timestamp format +type: date -type: keyword +-- +*`rsa.time.expire_time`*:: ++ -- +This key is the timestamp that explicitly refers to an expiration. 
+type: date +-- -*`rsa.internal.msg`*:: +*`rsa.time.process_time`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +Deprecated, use duration.time type: keyword -- -*`rsa.internal.messageid`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`rsa.internal.message`*:: +*`rsa.time.timestamp`*:: + -- -This key captures the contents of instant messages - type: keyword -- -*`rsa.internal.time`*:: +*`rsa.time.event_queue_time`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +This key is the Time that the event was queued. type: date -- -*`rsa.internal.level`*:: +*`rsa.time.p_time1`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.time.tzone`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.time.eventtime`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.data`*:: +*`rsa.time.gmtdate`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.time.gmttime`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.time.p_date`*:: + -- -Deprecated key defined only in table map. 
- type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.time.p_month`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.time.p_time`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.time.p_time2`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.audit_class`*:: +*`rsa.time.p_year`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.time.expire_time_str`*:: + -- -Deprecated key defined only in table map. +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -*`rsa.internal.hcode`*:: +*`rsa.time.stamp`*:: + -- Deprecated key defined only in table map. -type: keyword +type: date -- -*`rsa.internal.inode`*:: + +*`rsa.misc.action`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.result`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.severity`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the severity given the session -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.event_type`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the event category type as specified by the event source. type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.reference_id`*:: + -- -This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture an event id from the session directly type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.misc.version`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Version of the application or OS which is generating the event. type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.misc.disposition`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the The end state of an action. type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.result_code`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.misc.category`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.obj_name`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is used to capture name of object -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.obj_type`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is used to capture type of object -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.misc.event_source`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Source of the event that’s not a hostname type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.log_session_id`*:: + -- -Deprecated key defined only in table map. +This key is used to capture a sessionid from the session directly -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.misc.group`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Group Name value type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.policy_name`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +This key is used to capture the Policy Name only. -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.rule_name`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +This key captures the Rule Name -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.misc.context`*:: + -- -Deprecated key defined only in table map. 
+This key captures Information which adds additional context to the event. type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.change_new`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.misc.space`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.client`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.msgIdPart1`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.msgIdPart2`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.change_old`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the old value of the attribute that’s changing in a session -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.operation_id`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +An alert number or operation number. The values should be unique and non-repeating. -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.event_state`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +This key captures the current state of the object/item referenced within the event. Describing an on-going event. -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.group_object`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +This key captures a collection/grouping of entities. Specific usage -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.node`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +Common use case is the node name within a cluster. The cluster name is reflected by the host name. -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.rule`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
32 = log, 33 = correlation session, < 32 is packet session +This key captures the Rule number -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.misc.device_name`*:: + -- -Deprecated key defined only in table map. +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.param`*:: + -- -This key denotes that event is endpoint related +This key is the parameters passed as part of a command or application, etc. type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.change_attrib`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.event_computer`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.reference_id1`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +This key is for Linked ID to be used as an addition to "reference.id" -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.event_log`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. 
+This key captures the Name of the event log type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.OS`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +This key captures the Name of the Operating System type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.misc.terminal`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Terminal Names only -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.misc.msgIdPart3`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.site`*:: +*`rsa.misc.filter`*:: + -- -Deprecated key defined only in table map. +This key captures Filter used to reduce result set type: keyword -- -*`rsa.internal.size`*:: +*`rsa.misc.serial_number`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is the Serial number associated with a physical asset. -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`rsa.misc.checksum`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. 
type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.event_user`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.virusname`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +This key captures the name of the virus -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.misc.content_type`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +This key is used to capture Content Type only. type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.misc.group_id`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +This key captures Group ID Number (related to the group name) -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.misc.policy_id`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. 
+This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.vsys`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +This key captures Virtual System Name type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.connection_id`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form +This key captures the Connection ID -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.sensor`*:: + -- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + type: keyword -- -*`rsa.time.endtime`*:: +*`rsa.misc.sig_id`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +This key captures IDS/IPS Int Signature ID -type: date +type: long -- -*`rsa.time.timezone`*:: +*`rsa.misc.port_name`*:: + -- -This key is used to capture the timezone of the Event Time +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`rsa.time.duration_str`*:: +*`rsa.misc.rule_group`*:: + -- -A text string version of the duration +This key captures the Rule group name type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.risk_num`*:: + -- -type: keyword +This key captures a Numeric Risk value + +type: double -- -*`rsa.time.year`*:: +*`rsa.misc.trigger_val`*:: + -- +This key captures the Value of the trigger or threshold condition. + type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.log_session_id1`*:: + -- -The event time as recorded by the system the event is collected from. 
The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. +This key is used to capture a Linked (Related) Session ID from the session directly -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.comp_version`*:: + -- +This key captures the Version level of a sub-component of a product. + type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.content_version`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format +This key captures Version level of a signature or database content. -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.hardware_id`*:: + -- -This key is the timestamp that explicitly refers to an expiration. +This key is used to capture unique identifier for a device or system (NOT a Mac address) -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.risk`*:: + -- -Deprecated, use duration.time +This key captures the non-numeric risk value type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.mail_id`*:: + -- -This key is the Time that the event was queued. +This key is used to capture the mailbox id/name -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.misc.rule_uid`*:: + -- +This key is the Unique Identifier for a rule. + type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.trigger_desc`*:: + -- +This key captures the Description of the trigger or threshold condition. 
+ type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.listnum`*:: + -- +This key is used to capture listname or listnumber, primarily for collecting access-list + type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.observed_val`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.misc.policy_value`*:: + -- -Deprecated key defined only in table map. +This key captures the contents of the policy. This contains details about the policy -type: date +type: keyword -- - -*`rsa.misc.action`*:: +*`rsa.misc.pool_name`*:: + -- +This key captures the name of a resource pool + type: keyword -- -*`rsa.misc.result`*:: +*`rsa.misc.rule_template`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.misc.count`*:: + -- -This key is used to capture the severity given the session - type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.number`*:: + -- -This key captures the event category type as specified by the event source. 
- type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.sigcat`*:: + -- -This key is used to capture an event id from the session directly - type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.type`*:: + -- -This key captures Version of the application or OS which is generating the event. - type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.comments`*:: + -- -This key captures the The end state of an action. +Comment information provided in the log message type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.doc_number`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session +This key captures File Identification number -type: keyword +type: long -- -*`rsa.misc.category`*:: +*`rsa.misc.expected_val`*:: + -- -This key is used to capture the category of an event given by the vendor in the session +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.job_num`*:: + -- -This is used to capture name of object +This key captures the Job Number type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.spi_dst`*:: + -- -This is used to capture type of object +Destination SPI Index type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.spi_src`*:: + -- -This key captures Source of the event that’s not a hostname +Source SPI Index type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.code`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.agent_id`*:: + -- -This key captures the Group Name value +This key is used to capture agent id type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.message_body`*:: + -- -This key is used to capture the Policy Name only. +This key captures the The contents of the message body. 
type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.phone`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.sig_id_str`*:: + -- -This key captures Information which adds additional context to the event. +This key captures a string object of the sigid variable. type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.cmd`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.name`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.cpu`*:: + -- -type: keyword +This key is the CPU time used in the execution of the event being recorded. + +type: long -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.event_desc`*:: + -- +This key is used to capture a description of an event available directly or inferred + type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.sig_id1`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.im_buddyid`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.im_client`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.im_userid`*:: + -- -This key captures a collection/grouping of entities. 
Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.pid`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.priority`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.context_subject`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc +This key is to be used in an audit context where the subject is the object being identified type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.context_target`*:: + -- -This key is the parameters passed as part of a command or application, etc. - type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.cve`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.fcatnum`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.library`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +This key is used to capture library information in mainframe devices type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.parent_node`*:: + -- -This key captures the Name of the event log +This key captures the Parent Node Name. Must be related to node variable. 
type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.misc.risk_info`*:: + -- -This key captures the Name of the Operating System +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.tcp_flags`*:: + -- -This key captures the Terminal Names only +This key is captures the TCP flags set in any packet of session -type: keyword +type: long -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.tos`*:: + -- -type: keyword +This key describes the type of service + +type: long -- -*`rsa.misc.filter`*:: +*`rsa.misc.vm_target`*:: + -- -This key captures Filter used to reduce result set +VMWare Target **VMWARE** only varaible. type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.workspace`*:: + -- -This key is the Serial number associated with a physical asset. +This key captures Workspace Description type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.misc.command`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.event_category`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.facilityname`*:: + -- -This key captures the name of the virus - type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.forensic_info`*:: + -- -This key is used to capture Content Type only. 
- type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.jobname`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.mode`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.policy`*:: + -- -This key captures Virtual System Name - type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.policy_waiver`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.misc.second`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.misc.space1`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.misc.subcategory`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.misc.tbdstr2`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.misc.alert_id`*:: + -- -This key captures the Rule group name +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.misc.checksum_dst`*:: + -- -This key captures a Numeric Risk value +This key is used to capture the checksum or hash of the the target entity such as a process or file. -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.misc.checksum_src`*:: + -- -This key captures the Value of the trigger or threshold condition. +This key is used to capture the checksum or hash of the source entity such as a file or process. 
type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.misc.fresult`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +This key captures the Filter Result -type: keyword +type: long -- -*`rsa.misc.comp_version`*:: +*`rsa.misc.payload_dst`*:: + -- -This key captures the Version level of a sub-component of a product. +This key is used to capture destination payload type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.misc.payload_src`*:: + -- -This key captures Version level of a signature or database content. +This key is used to capture source payload type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.misc.pool_id`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.misc.process_id_val`*:: + -- -This key captures the non-numeric risk value +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.misc.risk_num_comm`*:: + -- -type: keyword +This key captures Risk Number Community + +type: double -- -*`rsa.misc.reason`*:: +*`rsa.misc.risk_num_next`*:: + -- -type: keyword +This key captures Risk Number NextGen + +type: double -- -*`rsa.misc.status`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: keyword +This key captures Risk Number SandBox + +type: double -- -*`rsa.misc.mail_id`*:: +*`rsa.misc.risk_num_static`*:: + -- -This key is used to capture the mailbox id/name +This key captures Risk Number Static -type: keyword +type: double -- -*`rsa.misc.rule_uid`*:: +*`rsa.misc.risk_suspicious`*:: + -- -This key is the Unique Identifier for a rule. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.misc.risk_warning`*:: + -- -This key captures the Description of the trigger or threshold condition. 
+Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.misc.snmp_oid`*:: + -- +SNMP Object Identifier + type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.misc.sql`*:: + -- +This key captures the SQL query + type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.misc.vuln_ref`*:: + -- +This key captures the Vulnerability Reference details + type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`rsa.misc.acl_op`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.misc.acl_table`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.misc.alarm_id`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.misc.alarmname`*:: + -- -This key captures the contents of the policy. 
This contains details about the policy - type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.misc.app_id`*:: + -- -This key captures the name of a resource pool - type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.misc.audit`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - type: keyword -- -*`rsa.misc.count`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`rsa.misc.number`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`rsa.misc.type`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.misc.cache`*:: + -- -Comment information provided in the log message - type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.misc.cache_hit`*:: + -- -This key captures File Identification number - -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.misc.cefversion`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.misc.cfg_attr`*:: + -- -This key captures the Job Number - type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.misc.cfg_obj`*:: + -- -Destination SPI Index - type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.misc.cfg_path`*:: + -- -Source SPI Index - type: keyword -- -*`rsa.misc.code`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.misc.client_ip`*:: + -- -This key is used to capture agent id - type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.misc.clustermembers`*:: + -- -This key captures the The contents of the message body. - type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.misc.cn_asn_src`*:: + -- -This key captures a string object of the sigid variable. 
- type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`rsa.misc.name`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -This key is the CPU time used in the execution of the event being recorded. - -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.misc.cn_engine_id`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.misc.cn_engine_type`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -This key is to be used in an audit context where the subject is the object being identified - type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.misc.cn_invalid`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -This key captures Filter Category Number. Legacy Usage - type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.cn_l_switch`*:: + -- -This key captures the Parent Node Name. 
Must be related to node variable. - type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.cn_log_did`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.cn_log_rid`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. 
- type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.cn_sampint`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.cn_seqctr`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.cn_spackets`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.cn_src_tos`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.cn_template_id`*:: + -- -This key captures Risk Number Static - -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: 
+*`rsa.misc.cn_v6flowlabel`*:: + -- -This key captures the Vulnerability Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.criticality`*:: + -- type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.cs_agency_dst`*:: + -- type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.cs_analyzedby`*:: + -- type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.cs_av_other`*:: + -- type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.cs_av_primary`*:: + -- type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.cs_av_secondary`*:: + -- type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.cs_bit9status`*:: + -- type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.cs_context`*:: + -- type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.cs_control`*:: + -- type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.cs_datecret`*:: + -- type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.cs_dst_tld`*:: + -- type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.cs_event_uuid`*:: + -- type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.cs_fld`*:: + -- type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: 
keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.cs_lifetime`*:: + -- type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.cs_log_medium`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.cs_loginname`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.cs_modulescore`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.cs_modulesign`*:: + -- type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.cs_payload`*:: + -- type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.cs_registrant`*:: + -- type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.cs_registrar`*:: + -- type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.cs_represult`*:: + -- type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.cs_rpayload`*:: + -- type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.cs_yararesult`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.description`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.devvendor`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: 
+*`rsa.misc.distance`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.edomain`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.edomaub`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.euid`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.finterface`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: 
+*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.misc.mbug_data`*:: + -- type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.misc.misc_name`*:: + -- type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.number2`*:: + -- type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.misc.opkt`*:: + -- type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.misc.orig_from`*:: + -- type: keyword -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- 
-*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.misc.sburb`*:: + -- type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.misc.sec`*:: + -- type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`rsa.misc.description`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`rsa.misc.dstburb`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`rsa.misc.euid`*:: 
+*`rsa.misc.status1`*:: + -- type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`rsa.misc.flags`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.misc.autorun_type`*:: + -- +This is used to capture Auto Run type + type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.misc.cc_number`*:: + -- -type: keyword +Valid Credit Card Numbers only + +type: long -- -*`rsa.misc.location_mark`*:: +*`rsa.misc.content`*:: + -- +This key captures the content type from protocol headers + type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.misc.log_type`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.misc.language`*:: + -- +This is used to capture list of languages the client support and what it prefers + type: keyword -- -*`rsa.misc.logip`*:: 
+*`rsa.misc.lifetime`*:: + -- -type: keyword +This key is used to capture the session lifetime in seconds. + +type: long -- -*`rsa.misc.logname`*:: +*`rsa.misc.link`*:: + -- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.misc.param_dst`*:: + -- +This key captures the command line/launch argument of the target process or file + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.misc.sig_name`*:: + -- +This key is used to capture the Signature Name only. + type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.misc.snmp_value`*:: + -- +SNMP set request value + type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.misc.streams`*:: + -- -type: keyword +This key captures number of streams in session + +type: long -- -*`rsa.misc.num`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.db.instance`*:: + -- +This key is used to capture the database server instance name + type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.db.database`*:: + -- +This key is used to capture the name of a database or an instance as seen in a session + type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.misc.object`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. 
+ type: keyword -- -*`rsa.misc.operation`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.misc.owner_id`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.misc.p_action`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.misc.p_filter`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`rsa.misc.p_group_object`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.network.network_port`*:: + -- -type: keyword +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
+ +type: long -- -*`rsa.misc.password_expire`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`rsa.misc.policyUUID`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`rsa.misc.program`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. 
+ type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.misc.recordnum`*:: +*`rsa.network.protocol_detail`*:: + -- +This key should be used to capture additional protocol information + type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.misc.seqnum`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.misc.session`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.misc.state`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + 
type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.tgtdomain`*:: +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
+ type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`rsa.misc.vpnid`*:: + +*`rsa.investigations.ec_activity`*:: + -- +This key captures the particular event activity(Ex:Logoff) + type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.investigations.ec_theme`*:: + -- -This is used to capture Auto Run type +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.investigations.ec_subject`*:: + -- -Valid Credit Card Numbers only +This key captures the Subject of a particular Event(Ex:User) -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.investigations.ec_outcome`*:: + -- -This key captures the content type from protocol headers +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.investigations.event_cat`*:: + -- -Employee Identification Numbers only +This key captures the Event category number type: long -- -*`rsa.misc.found`*:: +*`rsa.investigations.event_cat_name`*:: + -- -This is used to capture the results of regex match +This key captures the event category name corresponding to the event cat code type: keyword -- -*`rsa.misc.language`*:: +*`rsa.investigations.event_vcat`*:: + -- -This is used to capture list of languages the client support and what it prefers +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.investigations.analysis_file`*:: + -- -This key is used to capture the session lifetime in seconds. +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.investigations.analysis_service`*:: + -- -This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service type: keyword -- -*`rsa.misc.match`*:: +*`rsa.investigations.analysis_session`*:: + -- -This key is for regex match name from search.ini +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.investigations.boc`*:: + -- -This key captures the command line/launch argument of the target process or file +This is used to capture behaviour of compromise type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.investigations.eoc`*:: + -- -This key captures source parameter +This is used to capture Enablers of Compromise type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.investigations.inv_category`*:: + -- -This key captures the Search Text used +This used to capture investigation category type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.investigations.inv_context`*:: + -- -This key is used to capture the Signature Name only. +This used to capture investigation context type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.investigations.ioc`*:: + -- -SNMP set request value +This is key capture indicator of compromise type: keyword -- -*`rsa.misc.streams`*:: + +*`rsa.counters.dclass_c1`*:: + -- -This key captures number of streams in session +This is a generic counter key that should be used with the label dclass.c1.str only type: long -- - -*`rsa.db.index`*:: +*`rsa.counters.dclass_c2`*:: + -- -This key captures IndexID of the index. 
+This is a generic counter key that should be used with the label dclass.c2.str only -type: keyword +type: long -- -*`rsa.db.instance`*:: +*`rsa.counters.event_counter`*:: + -- -This key is used to capture the database server instance name +This is used to capture the number of times an event repeated -type: keyword +type: long -- -*`rsa.db.database`*:: +*`rsa.counters.dclass_r1`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.counters.dclass_c3`*:: + -- -This key captures the SQL transantion ID of the current session +This is a generic counter key that should be used with the label dclass.c3.str only -type: keyword +type: long -- -*`rsa.db.permissions`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -This key captures permission or privilege level assigned to a resource. +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -This key is used to capture the table name +This is a generic counter string key that should be used with the label dclass.c2 only type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -This key is used to capture the unique identifier for a database +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.counters.dclass_r2`*:: + -- -This key captures the process id of a connection with database server +This is a generic ratio key that should be used with the label dclass.r2.str only -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -This key is used for the number of logical reads +This is a generic counter string key that should be used with the label dclass.c3 only -type: long +type: keyword -- -*`rsa.db.lwrite`*:: 
+*`rsa.counters.dclass_r3`*:: + -- -This key is used for the number of logical writes +This is a generic ratio key that should be used with the label dclass.r3.str only -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -This key is used for the number of physical writes +This is a generic ratio string key that should be used with the label dclass.r2 only -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -*`rsa.network.domain`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.identity.user_role`*:: + -- -This key should only be used when it’s a Destination Hostname +This key is used to capture the Role of a user only type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.identity.dn`*:: + -- -This is used to capture layer 7 protocols/service names +X.500 (LDAP) Distinguished Name type: keyword -- -*`rsa.network.interface`*:: +*`rsa.identity.logon_type`*:: + -- -This key should be used when the source or destination context of an interface is not clear +This key is used to capture the type of logon method used. type: keyword -- -*`rsa.network.network_port`*:: +*`rsa.identity.profile`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
+This key is used to capture the user profile -type: long +type: keyword -- -*`rsa.network.eth_host`*:: +*`rsa.identity.accesses`*:: + -- -Deprecated, use alias.mac +This key is used to capture actual privileges used in accessing an object type: keyword -- -*`rsa.network.sinterface`*:: +*`rsa.identity.realm`*:: + -- -This key should only be used when it’s a Source Interface +Radius realm or similar grouping of accounts type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.identity.user_sid_dst`*:: + -- -This key should only be used when it’s a Destination Interface +This key captures Destination User Session ID type: keyword -- -*`rsa.network.vlan`*:: +*`rsa.identity.dn_src`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.identity.org`*:: + -- -This key should only be used when it’s a Source Zone. +This key captures the User organization type: keyword -- -*`rsa.network.zone`*:: +*`rsa.identity.dn_dst`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.identity.firstname`*:: + -- -This key should only be used when it’s a Destination Zone. 
+This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.identity.lastname`*:: + -- -This key is used to capture the IP Address of the gateway +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.identity.user_dept`*:: + -- -This key is used to capture the ICMP type only +User's Department Names only -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.identity.user_sid_src`*:: + -- -This key is used to capture the device network IPmask. +This key captures Source User Session ID type: keyword -- -*`rsa.network.icmp_code`*:: +*`rsa.identity.federated_sp`*:: + -- -This key is used to capture the ICMP code only +This key is the Federated Service Provider. This is the application requesting authentication. -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.identity.federated_idp`*:: + -- -This key should be used to capture additional protocol information +This key is the federated Identity Provider. This is the server providing the authentication. type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.identity.logon_type_desc`*:: + -- -This key is used for Destionation Device network mask +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
type: keyword -- -*`rsa.network.port`*:: +*`rsa.identity.middlename`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.identity.password`*:: + -- -This key is used for capturing source Network Mask +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`rsa.network.netname`*:: +*`rsa.identity.host_role`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +This key should only be used to capture the role of a Host Machine type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.identity.ldap`*:: + -- -Deprecated +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context -type: ip +type: keyword -- -*`rsa.network.faddr`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.network.origin`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + type: keyword -- -*`rsa.network.addr`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.network.fport`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.linterface`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.network.phost`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.file.filesystem`*:: + -- -Deprecated, use host.dst - type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.file.binary`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +Deprecated key defined only in table map. 
-type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.file.filename_dst`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +This is used to capture name of the file targeted by the action -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`rsa.network.dns_id`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`rsa.network.domain1`*:: +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`rsa.network.packet_length`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.web.web_cookie`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +This key is used to capture the Web cookies specifically. type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.web.alias_host`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - type: keyword -- -*`rsa.network.vlan_name`*:: +*`rsa.web.reputation_num`*:: + -- -This key should only be used to capture the name of the Virtual LAN +Reputation Number of an entity. 
Typically used for Web Domains -type: keyword +type: double -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.web.web_ref_domain`*:: + -- -This key captures the particular event activity(Ex:Logoff) +Web referer's domain type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.web.web_ref_query`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +This key captures Web referer's query portion of the URL type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.web.remote_domain`*:: + -- -This key captures the Subject of a particular Event(Ex:User) - type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.web.web_ref_page`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +This key captures Web referer's page information type: keyword -- -*`rsa.investigations.event_cat`*:: +*`rsa.web.web_ref_root`*:: + -- -This key captures the Event category number +Web referer's root URL path -type: long +type: keyword -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.web.cn_asn_dst`*:: + -- -This key captures the event category name corresponding to the event cat code - type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.web.cn_rpackets`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.web.urlpage`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`rsa.web.urlroot`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.web.p_url`*:: + -- -This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - type: keyword -- -*`rsa.investigations.boc`*:: +*`rsa.web.p_user_agent`*:: + -- -This is used to capture behaviour of compromise - type: keyword -- -*`rsa.investigations.eoc`*:: +*`rsa.web.p_web_cookie`*:: + -- -This is used to capture Enablers of Compromise - type: keyword -- -*`rsa.investigations.inv_category`*:: +*`rsa.web.p_web_method`*:: + -- -This used to capture investigation category - type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.web.p_web_referer`*:: + -- -This used to capture investigation context - type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.web.web_extension_tmp`*:: + -- -This is key capture indicator of compromise - type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.web.web_page`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- +type: keyword -*`rsa.counters.dclass_c2`*:: -+ -- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long --- -*`rsa.counters.event_counter`*:: +*`rsa.threat.threat_category`*:: + -- -This is used to capture the number of times an event repeated +This key captures Threat Name/Threat Category/Categorization of alert -type: long +type: keyword -- -*`rsa.counters.dclass_r1`*:: +*`rsa.threat.threat_desc`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +This key is used to capture the threat description from the session directly or inferred type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.threat.alert`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +This key is used to capture name of the alert -type: long +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.threat.threat_source`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +This key is used to capture source of the threat type: keyword 
-- -*`rsa.counters.dclass_c2_str`*:: + +*`rsa.crypto.crypto`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +This key is used to capture the Encryption Type or Encryption Key only type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.crypto.cipher_src`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +This key is for Source (Client) Cipher type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.crypto.cert_subject`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +This key is used to capture the Certificate organization only type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.crypto.peer`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +This key is for Encryption peer's IP Address type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +This key captures Source (Client) Cipher Size -type: keyword +type: long -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.crypto.ike`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +IKE negotiation phase. 
type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.crypto.scheme`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +This key captures the Encryption scheme used type: keyword -- - -*`rsa.identity.auth_method`*:: +*`rsa.crypto.peer_id`*:: + -- -This key is used to capture authentication methods used only +This key is for Encryption peer’s identity type: keyword -- -*`rsa.identity.user_role`*:: +*`rsa.crypto.sig_type`*:: + -- -This key is used to capture the Role of a user only +This key captures the Signature Type type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.crypto.cert_issuer`*:: + -- -X.500 (LDAP) Distinguished Name - type: keyword -- -*`rsa.identity.logon_type`*:: +*`rsa.crypto.cert_host_name`*:: + -- -This key is used to capture the type of logon method used. +Deprecated key defined only in table map. type: keyword -- -*`rsa.identity.profile`*:: +*`rsa.crypto.cert_error`*:: + -- -This key is used to capture the user profile +This key captures the Certificate Error String type: keyword -- -*`rsa.identity.accesses`*:: +*`rsa.crypto.cipher_dst`*:: + -- -This key is used to capture actual privileges used in accessing an object +This key is for Destination (Server) Cipher type: keyword -- -*`rsa.identity.realm`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -Radius realm or similar grouping of accounts +This key captures Destination (Server) Cipher Size -type: keyword +type: long -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -This key captures Destination User Session ID +Deprecated, use version type: keyword -- -*`rsa.identity.dn_src`*:: +*`rsa.crypto.d_certauth`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - type: keyword -- -*`rsa.identity.org`*:: +*`rsa.crypto.s_certauth`*:: + -- -This key captures the User organization - type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -An X.500 (LDAP) Distinguished name that 
used in a context that indicates a Destination dn +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +ID of the negotiation — sent for ISAKMP Phase Two type: keyword -- -*`rsa.identity.lastname`*:: +*`rsa.crypto.cert_checksum`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.user_dept`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -User's Department Names only +This key is used for the hostname category value of a certificate type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`rsa.crypto.cert_serial`*:: + -- -This key captures Source User Session ID +This key is used to capture the Certificate serial number only type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.crypto.cert_status`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +This key captures Certificate validation status type: keyword -- -*`rsa.identity.federated_idp`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. +Deprecated, use version type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.crypto.cert_keysize`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.crypto.cert_username`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.password`*:: +*`rsa.crypto.https_insact`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted - type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.crypto.https_valid`*:: + -- -This key should only be used to capture the role of a Host Machine - type: keyword -- -*`rsa.identity.ldap`*:: +*`rsa.crypto.cert_ca`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +This key is used to capture the Certificate signing authority only type: keyword -- -*`rsa.identity.ldap_query`*:: +*`rsa.crypto.cert_common`*:: + -- -This key is the Search criteria from an LDAP search +This key is used to capture the Certificate common name only type: keyword -- -*`rsa.identity.ldap_response`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -This key is to capture Results from an LDAP search +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.wireless.access_point`*:: + -- -This is used to capture username the process or service is running as, the author of the task +This key is used to capture the access point name. type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.wireless.wlan_channel`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage +This is used to capture the channel names -type: keyword +type: long -- - -*`rsa.email.email_dst`*:: +*`rsa.wireless.wlan_name`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email +This key captures either WLAN number/name type: keyword -- -*`rsa.email.email_src`*:: + +*`rsa.storage.disk_volume`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`rsa.email.subject`*:: +*`rsa.storage.lun`*:: + -- -This key is used to capture the subject string from an Email only. +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`rsa.email.email`*:: +*`rsa.storage.pwwn`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +This uniquely identifies a port on a HBA. type: keyword -- -*`rsa.email.trans_from`*:: + +*`rsa.physical.org_dst`*:: + -- -Deprecated key defined only in table map. +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.physical.org_src`*:: + -- -Deprecated key defined only in table map. +This is used to capture the source organization based on the GEOPIP Maxmind database. 
type: keyword -- -*`rsa.file.privilege`*:: +*`rsa.healthcare.patient_fname`*:: + -- -Deprecated, use permissions +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.healthcare.patient_id`*:: + -- -This key captures the attachment file name +This key captures the unique ID for a patient type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.healthcare.patient_lname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.file.binary`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Deprecated key defined only in table map. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.file.filename_dst`*:: + +*`rsa.endpoint.host_state`*:: + -- -This is used to capture name of the file targeted by the action +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.file.filename_src`*:: +*`rsa.endpoint.registry_key`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +This key captures the path to the registry key type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.endpoint.registry_value`*:: + -- +This key captures values or decorators used within a registry entry + type: keyword -- -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file +[[exported-fields-cyberarkpas]] +== CyberArk PAS fields -type: keyword +cyberarkpas fields. --- -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file -type: keyword --- +[float] +=== audit -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file +Cyberark Privileged Access Security Audit fields. 
-type: double --- -*`rsa.file.file_vendor`*:: +*`cyberarkpas.audit.action`*:: + -- -This is used to capture Company name of file located in version_info +A description of the audit record. type: keyword -- -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword +[float] +=== ca_properties --- +Account metadata. -*`rsa.web.fqdn`*:: +*`cyberarkpas.audit.ca_properties.address`*:: + -- -Fully Qualified Domain Names - type: keyword -- -*`rsa.web.web_cookie`*:: +*`cyberarkpas.audit.ca_properties.cpm_disabled`*:: + -- -This key is used to capture the Web cookies specifically. - type: keyword -- -*`rsa.web.alias_host`*:: +*`cyberarkpas.audit.ca_properties.cpm_error_details`*:: + -- type: keyword -- -*`rsa.web.reputation_num`*:: +*`cyberarkpas.audit.ca_properties.cpm_status`*:: + -- -Reputation Number of an entity. Typically used for Web Domains - -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`cyberarkpas.audit.ca_properties.creation_method`*:: + -- -Web referer's domain - type: keyword -- -*`rsa.web.web_ref_query`*:: +*`cyberarkpas.audit.ca_properties.customer`*:: + -- -This key captures Web referer's query portion of the URL - type: keyword -- -*`rsa.web.remote_domain`*:: +*`cyberarkpas.audit.ca_properties.database`*:: + -- type: keyword -- -*`rsa.web.web_ref_page`*:: +*`cyberarkpas.audit.ca_properties.device_type`*:: + -- -This key captures Web referer's page information - type: keyword -- -*`rsa.web.web_ref_root`*:: +*`cyberarkpas.audit.ca_properties.dual_account_status`*:: + -- -Web referer's root URL path - type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`cyberarkpas.audit.ca_properties.group_name`*:: + -- type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`cyberarkpas.audit.ca_properties.in_process`*:: + -- type: keyword -- -*`rsa.web.urlpage`*:: +*`cyberarkpas.audit.ca_properties.index`*:: + -- type: keyword -- -*`rsa.web.urlroot`*:: +*`cyberarkpas.audit.ca_properties.last_fail_date`*:: + -- type: keyword -- 
-*`rsa.web.p_url`*:: +*`cyberarkpas.audit.ca_properties.last_success_change`*:: + -- type: keyword -- -*`rsa.web.p_user_agent`*:: +*`cyberarkpas.audit.ca_properties.last_success_reconciliation`*:: + -- type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`cyberarkpas.audit.ca_properties.last_success_verification`*:: + -- type: keyword -- -*`rsa.web.p_web_method`*:: +*`cyberarkpas.audit.ca_properties.last_task`*:: + -- type: keyword -- -*`rsa.web.p_web_referer`*:: +*`cyberarkpas.audit.ca_properties.logon_domain`*:: + -- type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`cyberarkpas.audit.ca_properties.policy_id`*:: + -- type: keyword -- -*`rsa.web.web_page`*:: +*`cyberarkpas.audit.ca_properties.port`*:: + -- type: keyword -- - -*`rsa.threat.threat_category`*:: +*`cyberarkpas.audit.ca_properties.privcloud`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert - type: keyword -- -*`rsa.threat.threat_desc`*:: +*`cyberarkpas.audit.ca_properties.reset_immediately`*:: + -- -This key is used to capture the threat description from the session directly or inferred - type: keyword -- -*`rsa.threat.alert`*:: +*`cyberarkpas.audit.ca_properties.retries_count`*:: + -- -This key is used to capture name of the alert - type: keyword -- -*`rsa.threat.threat_source`*:: +*`cyberarkpas.audit.ca_properties.sequence_id`*:: + -- -This key is used to capture source of the threat - type: keyword -- - -*`rsa.crypto.crypto`*:: +*`cyberarkpas.audit.ca_properties.tags`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only - type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`cyberarkpas.audit.ca_properties.user_dn`*:: + -- -This key is for Source (Client) Cipher - type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`cyberarkpas.audit.ca_properties.user_name`*:: + -- -This key is used to capture the Certificate organization only - type: keyword -- -*`rsa.crypto.peer`*:: +*`cyberarkpas.audit.ca_properties.virtual_username`*:: + -- -This key is for 
Encryption peer's IP Address - type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`cyberarkpas.audit.ca_properties.other`*:: + -- -This key captures Source (Client) Cipher Size - -type: long +type: flattened -- -*`rsa.crypto.ike`*:: +*`cyberarkpas.audit.category`*:: + -- -IKE negotiation phase. +The category name (for category-related operations). type: keyword -- -*`rsa.crypto.scheme`*:: +*`cyberarkpas.audit.desc`*:: + -- -This key captures the Encryption scheme used +A static value that displays a description of the audit codes. type: keyword -- -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity +[float] +=== extra_details -type: keyword +Specific extra details of the audit records. --- -*`rsa.crypto.sig_type`*:: +*`cyberarkpas.audit.extra_details.ad_process_id`*:: + -- -This key captures the Signature Type - type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`cyberarkpas.audit.extra_details.ad_process_name`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`cyberarkpas.audit.extra_details.application_type`*:: + -- -Deprecated key defined only in table map. 
- type: keyword -- -*`rsa.crypto.cert_error`*:: +*`cyberarkpas.audit.extra_details.command`*:: + -- -This key captures the Certificate Error String - type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`cyberarkpas.audit.extra_details.connection_component_id`*:: + -- -This key is for Destination (Server) Cipher - type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`cyberarkpas.audit.extra_details.dst_host`*:: + -- -This key captures Destination (Server) Cipher Size - -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`cyberarkpas.audit.extra_details.logon_account`*:: + -- -Deprecated, use version - type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`cyberarkpas.audit.extra_details.managed_account`*:: + -- type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`cyberarkpas.audit.extra_details.process_id`*:: + -- type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`cyberarkpas.audit.extra_details.process_name`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One - type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`cyberarkpas.audit.extra_details.protocol`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two - type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`cyberarkpas.audit.extra_details.psmid`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`cyberarkpas.audit.extra_details.session_duration`*:: + -- -This key is used for the hostname category value of a certificate - type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`cyberarkpas.audit.extra_details.session_id`*:: + -- -This key is used to capture the Certificate serial number only - type: keyword -- -*`rsa.crypto.cert_status`*:: +*`cyberarkpas.audit.extra_details.src_host`*:: + -- -This key captures Certificate validation status - type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`cyberarkpas.audit.extra_details.username`*:: + -- -Deprecated, use version - type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`cyberarkpas.audit.extra_details.other`*:: + -- -type: keyword +type: flattened -- 
-*`rsa.crypto.cert_username`*:: +*`cyberarkpas.audit.file`*:: + -- +The name of the target file. + type: keyword -- -*`rsa.crypto.https_insact`*:: +*`cyberarkpas.audit.gateway_station`*:: + -- -type: keyword +The IP of the web application machine (PVWA). + +type: ip -- -*`rsa.crypto.https_valid`*:: +*`cyberarkpas.audit.hostname`*:: + -- -type: keyword +The hostname, in upper case. + +type: keyword + +example: MY-COMPUTER -- -*`rsa.crypto.cert_ca`*:: +*`cyberarkpas.audit.iso_timestamp`*:: + -- -This key is used to capture the Certificate signing authority only +The timestamp, in ISO Timestamp format (RFC 3339). -type: keyword +type: date + +example: 2013-06-25 10:47:19+00:00 -- -*`rsa.crypto.cert_common`*:: +*`cyberarkpas.audit.issuer`*:: + -- -This key is used to capture the Certificate common name only +The Vault user who wrote the audit. This is usually the user who performed the operation. type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`cyberarkpas.audit.location`*:: + -- -This key is used to capture the ssid of a Wireless Session +The target Location (for Location operations). type: keyword +Field is not indexed. + -- -*`rsa.wireless.access_point`*:: +*`cyberarkpas.audit.message`*:: + -- -This key is used to capture the access point name. +A description of the audit records (same information as in the Desc field). type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`cyberarkpas.audit.message_id`*:: + -- -This is used to capture the channel names +The code ID of the audit records. -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`cyberarkpas.audit.product`*:: + -- -This key captures either WLAN number/name +A static value that represents the product. type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`cyberarkpas.audit.pvwa_details`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +Specific details of the PVWA audit records. 
-type: keyword +type: flattened -- -*`rsa.storage.lun`*:: +*`cyberarkpas.audit.raw`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +Raw XML for the original audit record. Only present when XSLT file has debugging enabled. + type: keyword +Field is not indexed. + -- -*`rsa.storage.pwwn`*:: +*`cyberarkpas.audit.reason`*:: + -- -This uniquely identifies a port on a HBA. +The reason entered by the user. -type: keyword +type: text -- - -*`rsa.physical.org_dst`*:: +*`cyberarkpas.audit.rfc5424`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +Whether the syslog format complies with RFC5424. -type: keyword +type: boolean + +example: True -- -*`rsa.physical.org_src`*:: +*`cyberarkpas.audit.safe`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +The name of the target Safe. type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`cyberarkpas.audit.severity`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +The severity of the audit records. type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`cyberarkpas.audit.source_user`*:: + -- -This key captures the unique ID for a patient +The name of the Vault user who performed the operation. type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`cyberarkpas.audit.station`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. -type: keyword +type: ip -- -*`rsa.healthcare.patient_mname`*:: +*`cyberarkpas.audit.target_user`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +The name of the Vault user on which the operation was performed. 
type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`cyberarkpas.audit.timestamp`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +The timestamp, in MMM DD HH:MM:SS format. type: keyword +example: Jun 25 10:47:19 + -- -*`rsa.endpoint.registry_key`*:: +*`cyberarkpas.audit.vendor`*:: + -- -This key captures the path to the registry key +A static value that represents the vendor. type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`cyberarkpas.audit.version`*:: + -- -This key captures values or decorators used within a registry entry +A static value that represents the version of the Vault. type: keyword -- -[[exported-fields-docker-processor]] -== Docker fields - -Docker stats collected from Docker. +[[exported-fields-cylance]] +== CylanceProtect fields +cylance fields. -*`docker.container.id`*:: +*`network.interface.name`*:: + -- -type: alias +Name of the network interface where the traffic has been observed. -alias to: container.id --- +type: keyword -*`docker.container.image`*:: -+ -- -type: alias -alias to: container.image.name --- -*`docker.container.name`*:: +*`rsa.internal.msg`*:: + -- -type: alias +This key is used to capture the raw message that comes into the Log Decoder -alias to: container.name +type: keyword -- -*`docker.container.labels`*:: +*`rsa.internal.messageid`*:: + -- -Image labels. - - -type: object +type: keyword -- -[[exported-fields-ecs]] -== ECS fields +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword +-- -This section defines Elastic Common Schema (ECS) fields—a common set of fields -to be used when storing event data in {es}. +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages -This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. 
-The goal of ECS is to enable and encourage users of {es} to normalize their event data, -so that they can better analyze, visualize, and correlate the data represented in their events. +type: keyword -See the {ecs-ref}[ECS reference] for more information. +-- -*`@timestamp`*:: +*`rsa.internal.time`*:: + -- -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. type: date -example: 2016-05-23T08:05:34.853Z - -required: True - -- -*`labels`*:: +*`rsa.internal.level`*:: + -- -Custom key/value pairs. -Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. -Example: `docker` and `k8s` labels. - -type: object +Deprecated key defined only in table map. -example: {"application": "foo-bar", "env": "production"} +type: long -- -*`message`*:: +*`rsa.internal.msg_id`*:: + -- -For log events the message field contains the log message, optimized for viewing in a log viewer. -For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. -If multiple messages exist, they can be combined into one message. - -type: text +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: Hello World +type: keyword -- -*`tags`*:: +*`rsa.internal.msg_vid`*:: + -- -List of keywords used to tag each event. 
+This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: ["production", "env2"] - -- -[float] -=== agent - -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. -Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. - - -*`agent.build.original`*:: +*`rsa.internal.data`*:: + -- -Extended build information for the agent. -This field is intended to contain any build information that a data source may provide, no specific formatting is required. +Deprecated key defined only in table map. type: keyword -example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] - -- -*`agent.ephemeral_id`*:: +*`rsa.internal.obj_server`*:: + -- -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. +Deprecated key defined only in table map. type: keyword -example: 8a4f500f - -- -*`agent.id`*:: +*`rsa.internal.obj_val`*:: + -- -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. +Deprecated key defined only in table map. type: keyword -example: 8a4f500d - -- -*`agent.name`*:: +*`rsa.internal.resource`*:: + -- -Custom name of the agent. -This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. -If no name is given, the name is often left empty. +Deprecated key defined only in table map. 
type: keyword -example: foo - -- -*`agent.type`*:: +*`rsa.internal.obj_id`*:: + -- -Type of the agent. -The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +Deprecated key defined only in table map. type: keyword -example: filebeat - -- -*`agent.version`*:: +*`rsa.internal.statement`*:: + -- -Version of the agent. +Deprecated key defined only in table map. type: keyword -example: 6.0.0-rc2 - -- -[float] -=== as - -An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. - - -*`as.number`*:: +*`rsa.internal.audit_class`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +Deprecated key defined only in table map. -example: 15169 +type: keyword -- -*`as.organization.name`*:: +*`rsa.internal.entry`*:: + -- -Organization name. +Deprecated key defined only in table map. type: keyword -example: Google LLC - -- -*`as.organization.name.text`*:: +*`rsa.internal.hcode`*:: + -- -type: text +Deprecated key defined only in table map. + +type: keyword -- -[float] -=== client +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. 
The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +type: long +-- -*`client.address`*:: +*`rsa.internal.resource_class`*:: + -- -Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +Deprecated key defined only in table map. type: keyword -- -*`client.as.number`*:: +*`rsa.internal.dead`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +Deprecated key defined only in table map. type: long -example: 15169 - -- -*`client.as.organization.name`*:: +*`rsa.internal.feed_desc`*:: + -- -Organization name. +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: Google LLC - -- -*`client.as.organization.name.text`*:: +*`rsa.internal.feed_name`*:: + -- -type: text +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`client.bytes`*:: +*`rsa.internal.cid`*:: + -- -Bytes sent from the client to the server. - -type: long - -example: 184 +This is the unique identifier used to identify a NetWitness Concentrator. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -format: bytes +type: keyword -- -*`client.domain`*:: +*`rsa.internal.device_class`*:: + -- -Client domain. +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`client.geo.city_name`*:: +*`rsa.internal.device_group`*:: + -- -City name. +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: Montreal - -- -*`client.geo.continent_code`*:: +*`rsa.internal.device_host`*:: + -- -Two-letter code representing continent's name. +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: NA - -- -*`client.geo.continent_name`*:: +*`rsa.internal.device_ip`*:: + -- -Name of the continent. - -type: keyword +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: North America +type: ip -- -*`client.geo.country_iso_code`*:: +*`rsa.internal.device_ipv6`*:: + -- -Country ISO code. - -type: keyword +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: CA +type: ip -- -*`client.geo.country_name`*:: +*`rsa.internal.device_type`*:: + -- -Country name. +This is the name of the log parser which parsed a given session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: Canada - -- -*`client.geo.location`*:: +*`rsa.internal.device_type_id`*:: + -- -Longitude and latitude. - -type: geo_point +Deprecated key defined only in table map. -example: { "lon": -73.614830, "lat": 45.505918 } +type: long -- -*`client.geo.name`*:: +*`rsa.internal.did`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: boston-dc - -- -*`client.geo.postal_code`*:: +*`rsa.internal.entropy_req`*:: + -- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -example: 94040 +type: long -- -*`client.geo.region_iso_code`*:: +*`rsa.internal.entropy_res`*:: + -- -Region ISO code. - -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -example: CA-QC +type: long -- -*`client.geo.region_name`*:: +*`rsa.internal.event_name`*:: + -- -Region name. +Deprecated key defined only in table map. type: keyword -example: Quebec - -- -*`client.geo.timezone`*:: +*`rsa.internal.feed_category`*:: + -- -The time zone of the location, such as IANA time zone name. +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: America/Argentina/Buenos_Aires +-- +*`rsa.internal.forward_ip`*:: ++ -- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -*`client.ip`*:: +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: + -- -IP address of the client (IPv4 or IPv6). +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: ip -- -*`client.mac`*:: +*`rsa.internal.header_id`*:: + -- -MAC address of the client. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: 00-00-5E-00-53-23 - -- -*`client.nat.ip`*:: +*`rsa.internal.lc_cid`*:: + -- -Translated IP of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: ip +type: keyword -- -*`client.nat.port`*:: +*`rsa.internal.lc_ctime`*:: + -- -Translated port of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. 
- -type: long +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -format: string +type: date -- -*`client.packets`*:: +*`rsa.internal.mcb_req`*:: + -- -Packets sent from the client to the server. +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most type: long -example: 12 - -- -*`client.port`*:: +*`rsa.internal.mcb_res`*:: + -- -Port of the client. +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most type: long -format: string - -- -*`client.registered_domain`*:: +*`rsa.internal.mcbc_req`*:: + -- -The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -example: example.com +type: long -- -*`client.subdomain`*:: +*`rsa.internal.mcbc_res`*:: + -- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -example: east +type: long -- -*`client.top_level_domain`*:: +*`rsa.internal.medium`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -example: co.uk +type: long -- -*`client.user.domain`*:: +*`rsa.internal.node_name`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Deprecated key defined only in table map. type: keyword -- -*`client.user.email`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -User email address. +This key denotes that event is endpoint related type: keyword -- -*`client.user.full_name`*:: +*`rsa.internal.parse_error`*:: + -- -User's full name, if available. +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: Albert Einstein - -- -*`client.user.full_name.text`*:: +*`rsa.internal.payload_req`*:: + -- -type: text +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + +type: long -- -*`client.user.group.domain`*:: +*`rsa.internal.payload_res`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`client.user.group.id`*:: +*`rsa.internal.process_vid_dst`*:: + -- -Unique identifier for the group on the system/platform. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`client.user.group.name`*:: +*`rsa.internal.process_vid_src`*:: + -- -Name of the group. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`client.user.hash`*:: +*`rsa.internal.rid`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`client.user.id`*:: +*`rsa.internal.session_split`*:: + -- -Unique identifier of the user. +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`client.user.name`*:: +*`rsa.internal.site`*:: + -- -Short name or login of the user. +Deprecated key defined only in table map. type: keyword -example: albert - -- -*`client.user.name.text`*:: +*`rsa.internal.size`*:: + -- -type: text +This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`client.user.roles`*:: +*`rsa.internal.sourcefile`*:: + -- -Array of user roles at the time of the event. +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: ["kibana_admin", "reporting_user"] - -- -[float] -=== cloud +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -Fields related to the cloud or infrastructure the events are coming from. +type: long +-- -*`cloud.account.id`*:: +*`rsa.internal.ubc_res`*:: + -- -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -example: 666777888999 +type: long -- -*`cloud.account.name`*:: +*`rsa.internal.word`*:: + -- -The cloud account name or alias used to identify different entities in a multi-tenant environment. -Examples: AWS account name, Google Cloud ORG display name. +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -example: elastic-dev - -- -*`cloud.availability_zone`*:: + +*`rsa.time.event_time`*:: + -- -Availability zone in which this host, resource, or service is located. 
- -type: keyword +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -example: us-east-1c +type: date -- -*`cloud.instance.id`*:: +*`rsa.time.duration_time`*:: + -- -Instance ID of the host machine. - -type: keyword +This key is used to capture the normalized duration/lifetime in seconds. -example: i-1234567890abcdef0 +type: double -- -*`cloud.instance.name`*:: +*`rsa.time.event_time_str`*:: + -- -Instance name of the host machine. +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`cloud.machine.type`*:: +*`rsa.time.starttime`*:: + -- -Machine type of the host machine. - -type: keyword +This key is used to capture the Start time mentioned in a session in a standard form -example: t2.medium +type: date -- -*`cloud.project.id`*:: +*`rsa.time.month`*:: + -- -The cloud project identifier. -Examples: Google Cloud Project id, Azure Project id. - type: keyword -example: my-project - -- -*`cloud.project.name`*:: +*`rsa.time.day`*:: + -- -The cloud project name. -Examples: Google Cloud Project name, Azure Project name. - type: keyword -example: my project - -- -*`cloud.provider`*:: +*`rsa.time.endtime`*:: + -- -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - -type: keyword +This key is used to capture the End time mentioned in a session in a standard form -example: aws +type: date -- -*`cloud.region`*:: +*`rsa.time.timezone`*:: + -- -Region in which this host, resource, or service is located. +This key is used to capture the timezone of the Event Time type: keyword -example: us-east-1 - -- -*`cloud.service.name`*:: +*`rsa.time.duration_str`*:: + -- -The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. -Examples: app engine, app service, cloud run, fargate, lambda. 
+A text string version of the duration type: keyword -example: lambda +-- +*`rsa.time.date`*:: ++ -- +type: keyword -[float] -=== code_signature +-- -These fields contain information about binary code signatures. +*`rsa.time.year`*:: ++ +-- +type: keyword +-- -*`code_signature.exists`*:: +*`rsa.time.recorded_time`*:: + -- -Boolean to capture if a signature is present. - -type: boolean +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -example: true +type: date -- -*`code_signature.signing_id`*:: +*`rsa.time.datetime`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. - type: keyword -example: com.apple.xpc.proxy - -- -*`code_signature.status`*:: +*`rsa.time.effective_time`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - -type: keyword +This key is the effective time referenced by an individual event in a Standard Timestamp format -example: ERROR_UNTRUSTED_ROOT +type: date -- -*`code_signature.subject_name`*:: +*`rsa.time.expire_time`*:: + -- -Subject name of the code signer - -type: keyword +This key is the timestamp that explicitly refers to an expiration. -example: Microsoft Corporation +type: date -- -*`code_signature.team_id`*:: +*`rsa.time.process_time`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. 
+Deprecated, use duration.time type: keyword -example: EQHXZ8M8AV - -- -*`code_signature.trusted`*:: +*`rsa.time.hour`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true +type: keyword -- -*`code_signature.valid`*:: +*`rsa.time.min`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +type: keyword -type: boolean +-- -example: true +*`rsa.time.timestamp`*:: ++ +-- +type: keyword -- -[float] -=== container +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. -Container fields are used for meta information about the specific container that is the source of information. -These fields help correlate data based containers from any runtime. +type: date +-- -*`container.id`*:: +*`rsa.time.p_time1`*:: + -- -Unique container id. - type: keyword -- -*`container.image.name`*:: +*`rsa.time.tzone`*:: + -- -Name of the image the container was built on. - type: keyword -- -*`container.image.tag`*:: +*`rsa.time.eventtime`*:: + -- -Container image tags. - type: keyword -- -*`container.labels`*:: +*`rsa.time.gmtdate`*:: + -- -Image labels. - -type: object +type: keyword -- -*`container.name`*:: +*`rsa.time.gmttime`*:: + -- -Container name. - type: keyword -- -*`container.runtime`*:: +*`rsa.time.p_date`*:: + -- -Runtime managing this container. - type: keyword -example: docker - -- -[float] -=== data_stream - -The data_stream fields take part in defining the new data stream naming scheme. -In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. 
This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. -An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. - - -*`data_stream.dataset`*:: +*`rsa.time.p_month`*:: + -- -The field can contain anything that makes sense to signify the source of the data. -Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. -Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: - * Must not contain `-` - * No longer than 100 characters +type: keyword -type: constant_keyword +-- -example: nginx.access +*`rsa.time.p_time`*:: ++ +-- +type: keyword -- -*`data_stream.namespace`*:: +*`rsa.time.p_time2`*:: + -- -A user defined namespace. Namespaces are useful to allow grouping of data. -Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. 
-Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: - * Must not contain `-` - * No longer than 100 characters +type: keyword -type: constant_keyword +-- -example: production +*`rsa.time.p_year`*:: ++ +-- +type: keyword -- -*`data_stream.type`*:: +*`rsa.time.expire_time_str`*:: + -- -An overarching type for the data stream. -Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -type: constant_keyword +type: keyword -example: logs +-- +*`rsa.time.stamp`*:: ++ -- +Deprecated key defined only in table map. -[float] -=== destination +type: date -Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. -Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +-- -*`destination.address`*:: +*`rsa.misc.action`*:: + -- -Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - type: keyword -- -*`destination.as.number`*:: +*`rsa.misc.result`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +This key is used to capture the outcome/result string value of an action in a session. 
-example: 15169 +type: keyword -- -*`destination.as.organization.name`*:: +*`rsa.misc.severity`*:: + -- -Organization name. +This key is used to capture the severity given the session type: keyword -example: Google LLC - -- -*`destination.as.organization.name.text`*:: +*`rsa.misc.event_type`*:: + -- -type: text +This key captures the event category type as specified by the event source. + +type: keyword -- -*`destination.bytes`*:: +*`rsa.misc.reference_id`*:: + -- -Bytes sent from the destination to the source. - -type: long - -example: 184 +This key is used to capture an event id from the session directly -format: bytes +type: keyword -- -*`destination.domain`*:: +*`rsa.misc.version`*:: + -- -Destination domain. +This key captures Version of the application or OS which is generating the event. type: keyword -- -*`destination.geo.city_name`*:: +*`rsa.misc.disposition`*:: + -- -City name. +This key captures the The end state of an action. type: keyword -example: Montreal - -- -*`destination.geo.continent_code`*:: +*`rsa.misc.result_code`*:: + -- -Two-letter code representing continent's name. +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -example: NA - -- -*`destination.geo.continent_name`*:: +*`rsa.misc.category`*:: + -- -Name of the continent. +This key is used to capture the category of an event given by the vendor in the session type: keyword -example: North America - -- -*`destination.geo.country_iso_code`*:: +*`rsa.misc.obj_name`*:: + -- -Country ISO code. +This is used to capture name of object type: keyword -example: CA - -- -*`destination.geo.country_name`*:: +*`rsa.misc.obj_type`*:: + -- -Country name. +This is used to capture type of object type: keyword -example: Canada - -- -*`destination.geo.location`*:: +*`rsa.misc.event_source`*:: + -- -Longitude and latitude. 
- -type: geo_point +This key captures Source of the event that’s not a hostname -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`destination.geo.name`*:: +*`rsa.misc.log_session_id`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +This key is used to capture a sessionid from the session directly type: keyword -example: boston-dc - -- -*`destination.geo.postal_code`*:: +*`rsa.misc.group`*:: + -- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. +This key captures the Group Name value type: keyword -example: 94040 - -- -*`destination.geo.region_iso_code`*:: +*`rsa.misc.policy_name`*:: + -- -Region ISO code. +This key is used to capture the Policy Name only. type: keyword -example: CA-QC - -- -*`destination.geo.region_name`*:: +*`rsa.misc.rule_name`*:: + -- -Region name. +This key captures the Rule Name type: keyword -example: Quebec - -- -*`destination.geo.timezone`*:: +*`rsa.misc.context`*:: + -- -The time zone of the location, such as IANA time zone name. +This key captures Information which adds additional context to the event. type: keyword -example: America/Argentina/Buenos_Aires - -- -*`destination.ip`*:: +*`rsa.misc.change_new`*:: + -- -IP address of the destination (IPv4 or IPv6). +This key is used to capture the new values of the attribute that’s changing in a session -type: ip +type: keyword -- -*`destination.mac`*:: +*`rsa.misc.space`*:: + -- -MAC address of the destination. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- type: keyword -example: 00-00-5E-00-53-23 - -- -*`destination.nat.ip`*:: +*`rsa.misc.client`*:: + -- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. -type: ip +type: keyword -- -*`destination.nat.port`*:: +*`rsa.misc.msgIdPart1`*:: + -- -Port the source session is translated to by NAT Device. -Typically used with load balancers, firewalls, or routers. - -type: long - -format: string +type: keyword -- -*`destination.packets`*:: +*`rsa.misc.msgIdPart2`*:: + -- -Packets sent from the destination to the source. - -type: long - -example: 12 +type: keyword -- -*`destination.port`*:: +*`rsa.misc.change_old`*:: + -- -Port of the destination. - -type: long +This key is used to capture the old value of the attribute that’s changing in a session -format: string +type: keyword -- -*`destination.registered_domain`*:: +*`rsa.misc.operation_id`*:: + -- -The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +An alert number or operation number. The values should be unique and non-repeating. type: keyword -example: example.com - -- -*`destination.subdomain`*:: +*`rsa.misc.event_state`*:: + -- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. +This key captures the current state of the object/item referenced within the event. Describing an on-going event. type: keyword -example: east - -- -*`destination.top_level_domain`*:: +*`rsa.misc.group_object`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +This key captures a collection/grouping of entities. Specific usage type: keyword -example: co.uk - -- -*`destination.user.domain`*:: +*`rsa.misc.node`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`destination.user.email`*:: +*`rsa.misc.rule`*:: + -- -User email address. +This key captures the Rule number type: keyword -- -*`destination.user.full_name`*:: +*`rsa.misc.device_name`*:: + -- -User's full name, if available. +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -example: Albert Einstein - -- -*`destination.user.full_name.text`*:: +*`rsa.misc.param`*:: + -- -type: text +This key is the parameters passed as part of a command or application, etc. 
+ +type: keyword -- -*`destination.user.group.domain`*:: +*`rsa.misc.change_attrib`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`destination.user.group.id`*:: +*`rsa.misc.event_computer`*:: + -- -Unique identifier for the group on the system/platform. +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`destination.user.group.name`*:: +*`rsa.misc.reference_id1`*:: + -- -Name of the group. +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`destination.user.hash`*:: +*`rsa.misc.event_log`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +This key captures the Name of the event log type: keyword -- -*`destination.user.id`*:: +*`rsa.misc.OS`*:: + -- -Unique identifier of the user. +This key captures the Name of the Operating System type: keyword -- -*`destination.user.name`*:: +*`rsa.misc.terminal`*:: + -- -Short name or login of the user. +This key captures the Terminal Names only type: keyword -example: albert - -- -*`destination.user.name.text`*:: +*`rsa.misc.msgIdPart3`*:: + -- -type: text +type: keyword -- -*`destination.user.roles`*:: +*`rsa.misc.filter`*:: + -- -Array of user roles at the time of the event. +This key captures Filter used to reduce result set type: keyword -example: ["kibana_admin", "reporting_user"] - -- -[float] -=== dll - -These fields contain information about code libraries dynamically loaded into processes. 
- -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: -* Dynamic-link library (`.dll`) commonly used on Windows -* Shared Object (`.so`) commonly used on Unix-like operating systems -* Dynamic library (`.dylib`) commonly used on macOS - - -*`dll.code_signature.exists`*:: +*`rsa.misc.serial_number`*:: + -- -Boolean to capture if a signature is present. - -type: boolean +This key is the Serial number associated with a physical asset. -example: true +type: keyword -- -*`dll.code_signature.signing_id`*:: +*`rsa.misc.checksum`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -example: com.apple.xpc.proxy - -- -*`dll.code_signature.status`*:: +*`rsa.misc.event_user`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`dll.code_signature.subject_name`*:: +*`rsa.misc.virusname`*:: + -- -Subject name of the code signer +This key captures the name of the virus type: keyword -example: Microsoft Corporation - -- -*`dll.code_signature.team_id`*:: +*`rsa.misc.content_type`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. +This key is used to capture Content Type only. 
type: keyword -example: EQHXZ8M8AV - -- -*`dll.code_signature.trusted`*:: +*`rsa.misc.group_id`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean +This key captures Group ID Number (related to the group name) -example: true +type: keyword -- -*`dll.code_signature.valid`*:: +*`rsa.misc.policy_id`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise -example: true +type: keyword -- -*`dll.hash.md5`*:: +*`rsa.misc.vsys`*:: + -- -MD5 hash. +This key captures Virtual System Name type: keyword -- -*`dll.hash.sha1`*:: +*`rsa.misc.connection_id`*:: + -- -SHA1 hash. +This key captures the Connection ID type: keyword -- -*`dll.hash.sha256`*:: +*`rsa.misc.reference_id2`*:: + -- -SHA256 hash. +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. type: keyword -- -*`dll.hash.sha512`*:: +*`rsa.misc.sensor`*:: + -- -SHA512 hash. +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -*`dll.hash.ssdeep`*:: +*`rsa.misc.sig_id`*:: + -- -SSDEEP hash. +This key captures IDS/IPS Int Signature ID -type: keyword +type: long -- -*`dll.name`*:: +*`rsa.misc.port_name`*:: + -- -Name of the library. -This generally maps to the name of the file on disk. +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -example: kernel32.dll - -- -*`dll.path`*:: +*`rsa.misc.rule_group`*:: + -- -Full file path of the library. 
+This key captures the Rule group name type: keyword -example: C:\Windows\System32\kernel32.dll - -- -*`dll.pe.architecture`*:: +*`rsa.misc.risk_num`*:: + -- -CPU architecture target for the file. - -type: keyword +This key captures a Numeric Risk value -example: x64 +type: double -- -*`dll.pe.company`*:: +*`rsa.misc.trigger_val`*:: + -- -Internal company name of the file, provided at compile-time. +This key captures the Value of the trigger or threshold condition. type: keyword -example: Microsoft Corporation - -- -*`dll.pe.description`*:: +*`rsa.misc.log_session_id1`*:: + -- -Internal description of the file, provided at compile-time. +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -example: Paint - -- -*`dll.pe.file_version`*:: +*`rsa.misc.comp_version`*:: + -- -Internal version of the file, provided at compile-time. +This key captures the Version level of a sub-component of a product. type: keyword -example: 6.3.9600.17415 - -- -*`dll.pe.imphash`*:: +*`rsa.misc.content_version`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. +This key captures Version level of a signature or database content. type: keyword -example: 0c6803c4e922103c4dca5963aad36ddf - -- -*`dll.pe.original_file_name`*:: +*`rsa.misc.hardware_id`*:: + -- -Internal name of the file, provided at compile-time. +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -example: MSPAINT.EXE - -- -*`dll.pe.product`*:: +*`rsa.misc.risk`*:: + -- -Internal product name of the file, provided at compile-time. 
+This key captures the non-numeric risk value type: keyword -example: Microsoft® Windows® Operating System - -- -[float] -=== dns - -Fields describing DNS queries and answers. -DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). - - -*`dns.answers`*:: +*`rsa.misc.event_id`*:: + -- -An array containing an object for each answer section returned by the server. -The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. -Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - -type: object +type: keyword -- -*`dns.answers.class`*:: +*`rsa.misc.reason`*:: + -- -The class of DNS data contained in this resource record. - type: keyword -example: IN - -- -*`dns.answers.data`*:: +*`rsa.misc.status`*:: + -- -The data describing the resource. -The meaning of this data depends on the type and class of the resource record. - type: keyword -example: 10.10.10.10 - -- -*`dns.answers.name`*:: +*`rsa.misc.mail_id`*:: + -- -The domain name to which this resource record pertains. -If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. +This key is used to capture the mailbox id/name type: keyword -example: www.example.com - -- -*`dns.answers.ttl`*:: +*`rsa.misc.rule_uid`*:: + -- -The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. 
- -type: long +This key is the Unique Identifier for a rule. -example: 180 +type: keyword -- -*`dns.answers.type`*:: +*`rsa.misc.trigger_desc`*:: + -- -The type of data contained in this resource record. +This key captures the Description of the trigger or threshold condition. type: keyword -example: CNAME - -- -*`dns.header_flags`*:: +*`rsa.misc.inout`*:: + -- -Array of 2 letter DNS header flags. -Expected values are: AA, TC, RD, RA, AD, CD, DO. - type: keyword -example: ["RD", "RA"] - -- -*`dns.id`*:: +*`rsa.misc.p_msgid`*:: + -- -The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - type: keyword -example: 62111 - -- -*`dns.op_code`*:: +*`rsa.misc.data_type`*:: + -- -The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - type: keyword -example: QUERY - -- -*`dns.question.class`*:: +*`rsa.misc.msgIdPart4`*:: + -- -The class of records being queried. - type: keyword -example: IN - -- -*`dns.question.name`*:: +*`rsa.misc.error`*:: + -- -The name being queried. -If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. +This key captures All non successful Error codes or responses type: keyword -example: www.example.com - -- -*`dns.question.registered_domain`*:: +*`rsa.misc.index`*:: + -- -The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- type: keyword -example: example.com - -- -*`dns.question.subdomain`*:: +*`rsa.misc.listnum`*:: + -- -The subdomain is all of the labels under the registered_domain. -If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -example: www - -- -*`dns.question.top_level_domain`*:: +*`rsa.misc.ntype`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - type: keyword -example: co.uk - -- -*`dns.question.type`*:: +*`rsa.misc.observed_val`*:: + -- -The type of record being queried. +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -example: AAAA - -- -*`dns.resolved_ip`*:: +*`rsa.misc.policy_value`*:: + -- -Array containing all IPs seen in `answers.data`. -The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - -type: ip +This key captures the contents of the policy. This contains details about the policy -example: ["10.10.10.10", "10.10.10.11"] +type: keyword -- -*`dns.response_code`*:: +*`rsa.misc.pool_name`*:: + -- -The DNS response code. +This key captures the name of a resource pool type: keyword -example: NOERROR - -- -*`dns.type`*:: +*`rsa.misc.rule_template`*:: + -- -The type of DNS event captured, query or answer. 
-If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. -If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -example: answer - -- -[float] -=== ecs - -Meta-information specific to ECS. +*`rsa.misc.count`*:: ++ +-- +type: keyword +-- -*`ecs.version`*:: +*`rsa.misc.number`*:: + -- -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - type: keyword -example: 1.0.0 - -required: True +-- +*`rsa.misc.sigcat`*:: ++ -- +type: keyword -[float] -=== elf +-- -These fields contain Linux Executable Linkable Format (ELF) metadata. +*`rsa.misc.type`*:: ++ +-- +type: keyword +-- -*`elf.architecture`*:: +*`rsa.misc.comments`*:: + -- -Machine architecture of the ELF file. +Comment information provided in the log message type: keyword -example: x86-64 - -- -*`elf.byte_order`*:: +*`rsa.misc.doc_number`*:: + -- -Byte sequence of ELF file. - -type: keyword +This key captures File Identification number -example: Little Endian +type: long -- -*`elf.cpu_type`*:: +*`rsa.misc.expected_val`*:: + -- -CPU type of the ELF file. +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -example: Intel - -- -*`elf.creation_date`*:: +*`rsa.misc.job_num`*:: + -- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. 
+This key captures the Job Number -type: date +type: keyword -- -*`elf.exports`*:: +*`rsa.misc.spi_dst`*:: + -- -List of exported element names and types. +Destination SPI Index -type: flattened +type: keyword -- -*`elf.header.abi_version`*:: +*`rsa.misc.spi_src`*:: + -- -Version of the ELF Application Binary Interface (ABI). +Source SPI Index type: keyword -- -*`elf.header.class`*:: +*`rsa.misc.code`*:: + -- -Header class of the ELF file. - type: keyword -- -*`elf.header.data`*:: +*`rsa.misc.agent_id`*:: + -- -Data table of the ELF header. +This key is used to capture agent id type: keyword -- -*`elf.header.entrypoint`*:: +*`rsa.misc.message_body`*:: + -- -Header entrypoint of the ELF file. - -type: long +This key captures the The contents of the message body. -format: string +type: keyword -- -*`elf.header.object_version`*:: +*`rsa.misc.phone`*:: + -- -"0x1" for original ELF files. - type: keyword -- -*`elf.header.os_abi`*:: +*`rsa.misc.sig_id_str`*:: + -- -Application Binary Interface (ABI) of the Linux OS. +This key captures a string object of the sigid variable. type: keyword -- -*`elf.header.type`*:: +*`rsa.misc.cmd`*:: + -- -Header type of the ELF file. - type: keyword -- -*`elf.header.version`*:: +*`rsa.misc.misc`*:: + -- -Version of the ELF header. - type: keyword -- -*`elf.imports`*:: +*`rsa.misc.name`*:: + -- -List of imported element names and types. - -type: flattened +type: keyword -- -*`elf.sections`*:: +*`rsa.misc.cpu`*:: + -- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. +This key is the CPU time used in the execution of the event being recorded. -type: nested +type: long -- -*`elf.sections.chi2`*:: +*`rsa.misc.event_desc`*:: + -- -Chi-square probability distribution of the section. 
- -type: long +This key is used to capture a description of an event available directly or inferred -format: number +type: keyword -- -*`elf.sections.entropy`*:: +*`rsa.misc.sig_id1`*:: + -- -Shannon entropy calculation from the section. +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id type: long -format: number - -- -*`elf.sections.flags`*:: +*`rsa.misc.im_buddyid`*:: + -- -ELF Section List flags. - type: keyword -- -*`elf.sections.name`*:: +*`rsa.misc.im_client`*:: + -- -ELF Section List name. - type: keyword -- -*`elf.sections.physical_offset`*:: +*`rsa.misc.im_userid`*:: + -- -ELF Section List offset. - type: keyword -- -*`elf.sections.physical_size`*:: +*`rsa.misc.pid`*:: + -- -ELF Section List physical size. +type: keyword -type: long +-- -format: bytes +*`rsa.misc.priority`*:: ++ +-- +type: keyword -- -*`elf.sections.type`*:: +*`rsa.misc.context_subject`*:: + -- -ELF Section List type. +This key is to be used in an audit context where the subject is the object being identified type: keyword -- -*`elf.sections.virtual_address`*:: +*`rsa.misc.context_target`*:: + -- -ELF Section List virtual address. - -type: long - -format: string +type: keyword -- -*`elf.sections.virtual_size`*:: +*`rsa.misc.cve`*:: + -- -ELF Section List virtual size. - -type: long +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. -format: string +type: keyword -- -*`elf.segments`*:: +*`rsa.misc.fcatnum`*:: + -- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. +This key captures Filter Category Number. Legacy Usage -type: nested +type: keyword -- -*`elf.segments.sections`*:: +*`rsa.misc.library`*:: + -- -ELF object segment sections. 
+This key is used to capture library information in mainframe devices type: keyword -- -*`elf.segments.type`*:: +*`rsa.misc.parent_node`*:: + -- -ELF object segment type. +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`elf.shared_libraries`*:: +*`rsa.misc.risk_info`*:: + -- -List of shared libraries used by this ELF object. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`elf.telfhash`*:: +*`rsa.misc.tcp_flags`*:: + -- -telfhash symbol hash for ELF file. +This key is captures the TCP flags set in any packet of session -type: keyword +type: long -- -[float] -=== error +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service -These fields can represent errors of any kind. -Use them for errors that happen while fetching events or in cases where the event itself contains an error. +type: long +-- -*`error.code`*:: +*`rsa.misc.vm_target`*:: + -- -Error code describing the error. +VMWare Target **VMWARE** only varaible. type: keyword -- -*`error.id`*:: +*`rsa.misc.workspace`*:: + -- -Unique identifier for the error. +This key captures Workspace Description type: keyword -- -*`error.message`*:: +*`rsa.misc.command`*:: + -- -Error message. - -type: text +type: keyword -- -*`error.stack_trace`*:: +*`rsa.misc.event_category`*:: + -- -The stack trace of this error in plain text. - type: keyword -Field is not indexed. - -- -*`error.stack_trace.text`*:: +*`rsa.misc.facilityname`*:: + -- -type: text +type: keyword -- -*`error.type`*:: +*`rsa.misc.forensic_info`*:: + -- -The type of the error, for example the class name of the exception. - type: keyword -example: java.lang.NullPointerException - -- -[float] -=== event - -The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. 
Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. - - -*`event.action`*:: +*`rsa.misc.jobname`*:: + -- -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - type: keyword -example: user-password-change - -- -*`event.agent_id_status`*:: +*`rsa.misc.mode`*:: + -- -Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. -For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. -If no validation is performed then the field should be omitted. -The allowed values are: -`verified` - The `agent.id` field value matches expected value obtained from auth metadata. -`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. -`missing` - There was no `agent.id` field in the event to validate. 
-`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. - type: keyword -example: verified - -- -*`event.category`*:: +*`rsa.misc.policy`*:: + -- -This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. -`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. -This field is an array. This will allow proper categorization of some events that fall in multiple categories. - type: keyword -example: authentication - -- -*`event.code`*:: +*`rsa.misc.policy_waiver`*:: + -- -Identification code for this event, if one exists. -Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - type: keyword -example: 4648 - -- -*`event.created`*:: +*`rsa.misc.second`*:: + -- -event.created contains the date/time when the event was first read by an agent, or by your pipeline. -This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. -In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. -In case the two timestamps are identical, @timestamp should be used. - -type: date - -example: 2016-05-23T08:05:34.857Z +type: keyword -- -*`event.dataset`*:: +*`rsa.misc.space1`*:: + -- -Name of the dataset. -If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
-It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - type: keyword -example: apache.access - -- -*`event.duration`*:: +*`rsa.misc.subcategory`*:: + -- -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. - -type: long - -format: duration +type: keyword -- -*`event.end`*:: +*`rsa.misc.tbdstr2`*:: + -- -event.end contains the date when the event ended or when the activity was last observed. - -type: date +type: keyword -- -*`event.hash`*:: +*`rsa.misc.alert_id`*:: + -- -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -example: 123456789012345678901234567890ABCD - -- -*`event.id`*:: +*`rsa.misc.checksum_dst`*:: + -- -Unique ID to describe the event. +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -example: 8a4f500d - -- -*`event.ingested`*:: +*`rsa.misc.checksum_src`*:: + -- -Timestamp when an event arrived in the central data store. -This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. -In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - -type: date +This key is used to capture the checksum or hash of the source entity such as a file or process. -example: 2016-05-23T08:05:35.101Z +type: keyword -- -*`event.kind`*:: +*`rsa.misc.fresult`*:: + -- -This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
-`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. -The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - -type: keyword +This key captures the Filter Result -example: alert +type: long -- -*`event.module`*:: +*`rsa.misc.payload_dst`*:: + -- -Name of the module this data is coming from. -If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. +This key is used to capture destination payload type: keyword -example: apache - -- -*`event.original`*:: +*`rsa.misc.payload_src`*:: + -- -Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. +This key is used to capture source payload type: keyword -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - -Field is not indexed. - -- -*`event.outcome`*:: +*`rsa.misc.pool_id`*:: + -- -This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
-Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. -Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. -Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. +This key captures the identifier (typically numeric field) of a resource pool type: keyword -example: success - -- -*`event.provider`*:: +*`rsa.misc.process_id_val`*:: + -- -Source of the event. -Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). +This key is a failure key for Process ID when it is not an integer value type: keyword -example: kernel - -- -*`event.reason`*:: +*`rsa.misc.risk_num_comm`*:: + -- -Reason why this event happened, according to the source. -This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - -type: keyword +This key captures Risk Number Community -example: Terminated an unexpected process +type: double -- -*`event.reference`*:: +*`rsa.misc.risk_num_next`*:: + -- -Reference URL linking to additional information about this event. -This URL links to a static definition of this event. 
Alert events, indicated by `event.kind:alert`, are a common use case for this field. - -type: keyword +This key captures Risk Number NextGen -example: https://system.example.com/event/#0001234 +type: double -- -*`event.risk_score`*:: +*`rsa.misc.risk_num_sand`*:: + -- -Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +This key captures Risk Number SandBox -type: float +type: double -- -*`event.risk_score_norm`*:: +*`rsa.misc.risk_num_static`*:: + -- -Normalized risk score or priority of the event, on a scale of 0 to 100. -This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. +This key captures Risk Number Static -type: float +type: double -- -*`event.sequence`*:: +*`rsa.misc.risk_suspicious`*:: + -- -Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - -type: long +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -format: string +type: keyword -- -*`event.severity`*:: +*`rsa.misc.risk_warning`*:: + -- -The numeric severity of the event according to your event source. -What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. -The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
- -type: long - -example: 7 +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -format: string +type: keyword -- -*`event.start`*:: +*`rsa.misc.snmp_oid`*:: + -- -event.start contains the date when the event started or when the activity was first observed. +SNMP Object Identifier -type: date +type: keyword -- -*`event.timezone`*:: +*`rsa.misc.sql`*:: + -- -This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. -Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +This key captures the SQL query type: keyword -- -*`event.type`*:: +*`rsa.misc.vuln_ref`*:: + -- -This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. -`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. -This field is an array. This will allow proper categorization of some events that fall in multiple event types. +This key captures the Vulnerability Reference details type: keyword -- -*`event.url`*:: +*`rsa.misc.acl_id`*:: + -- -URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - type: keyword -example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe - -- -[float] -=== file - -A file is defined as a set of information that has been created on, or has existed on a filesystem. -File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). 
File fields provide details about the affected file associated with the event or metric. - - -*`file.accessed`*:: +*`rsa.misc.acl_op`*:: + -- -Last time the file was accessed. -Note that not all filesystems keep track of access time. - -type: date +type: keyword -- -*`file.attributes`*:: +*`rsa.misc.acl_pos`*:: + -- -Array of file attributes. -Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - type: keyword -example: ["readonly", "system"] - -- -*`file.code_signature.exists`*:: +*`rsa.misc.acl_table`*:: + -- -Boolean to capture if a signature is present. - -type: boolean - -example: true +type: keyword -- -*`file.code_signature.signing_id`*:: +*`rsa.misc.admin`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. - type: keyword -example: com.apple.xpc.proxy - -- -*`file.code_signature.status`*:: +*`rsa.misc.alarm_id`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`file.code_signature.subject_name`*:: +*`rsa.misc.alarmname`*:: + -- -Subject name of the code signer - type: keyword -example: Microsoft Corporation - -- -*`file.code_signature.team_id`*:: +*`rsa.misc.app_id`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. - type: keyword -example: EQHXZ8M8AV - -- -*`file.code_signature.trusted`*:: +*`rsa.misc.audit`*:: + -- -Stores the trust status of the certificate chain. 
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true +type: keyword -- -*`file.code_signature.valid`*:: +*`rsa.misc.audit_object`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean - -example: true +type: keyword -- -*`file.created`*:: +*`rsa.misc.auditdata`*:: + -- -File creation time. -Note that not all filesystems store the creation time. - -type: date +type: keyword -- -*`file.ctime`*:: +*`rsa.misc.benchmark`*:: + -- -Last time the file attributes or metadata changed. -Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - -type: date +type: keyword -- -*`file.device`*:: +*`rsa.misc.bypass`*:: + -- -Device that is the source of the file. - type: keyword -example: sda - -- -*`file.directory`*:: +*`rsa.misc.cache`*:: + -- -Directory where the file is located. It should include the drive letter, when appropriate. - type: keyword -example: /home/alice - -- -*`file.drive_letter`*:: +*`rsa.misc.cache_hit`*:: + -- -Drive letter where the file is located. This field is only relevant on Windows. -The value should be uppercase, and not include the colon. - type: keyword -example: C - -- -*`file.elf.architecture`*:: +*`rsa.misc.cefversion`*:: + -- -Machine architecture of the ELF file. - type: keyword -example: x86-64 - -- -*`file.elf.byte_order`*:: +*`rsa.misc.cfg_attr`*:: + -- -Byte sequence of ELF file. - type: keyword -example: Little Endian - -- -*`file.elf.cpu_type`*:: +*`rsa.misc.cfg_obj`*:: + -- -CPU type of the ELF file. - type: keyword -example: Intel - -- -*`file.elf.creation_date`*:: +*`rsa.misc.cfg_path`*:: + -- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators. - -type: date +type: keyword -- -*`file.elf.exports`*:: +*`rsa.misc.changes`*:: + -- -List of exported element names and types. - -type: flattened +type: keyword -- -*`file.elf.header.abi_version`*:: +*`rsa.misc.client_ip`*:: + -- -Version of the ELF Application Binary Interface (ABI). - type: keyword -- -*`file.elf.header.class`*:: +*`rsa.misc.clustermembers`*:: + -- -Header class of the ELF file. - type: keyword -- -*`file.elf.header.data`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Data table of the ELF header. - type: keyword -- -*`file.elf.header.entrypoint`*:: +*`rsa.misc.cn_asn_src`*:: + -- -Header entrypoint of the ELF file. - -type: long - -format: string +type: keyword -- -*`file.elf.header.object_version`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -"0x1" for original ELF files. - type: keyword -- -*`file.elf.header.os_abi`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -Application Binary Interface (ABI) of the Linux OS. - type: keyword -- -*`file.elf.header.type`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -Header type of the ELF file. - type: keyword -- -*`file.elf.header.version`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -Version of the ELF header. - type: keyword -- -*`file.elf.imports`*:: +*`rsa.misc.cn_engine_id`*:: + -- -List of imported element names and types. - -type: flattened +type: keyword -- -*`file.elf.sections`*:: +*`rsa.misc.cn_engine_type`*:: + -- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. - -type: nested +type: keyword -- -*`file.elf.sections.chi2`*:: +*`rsa.misc.cn_f_switch`*:: + -- -Chi-square probability distribution of the section. - -type: long - -format: number +type: keyword -- -*`file.elf.sections.entropy`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -Shannon entropy calculation from the section. 
- -type: long - -format: number +type: keyword -- -*`file.elf.sections.flags`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -ELF Section List flags. - type: keyword -- -*`file.elf.sections.name`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -ELF Section List name. - type: keyword -- -*`file.elf.sections.physical_offset`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -ELF Section List offset. - type: keyword -- -*`file.elf.sections.physical_size`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -ELF Section List physical size. - -type: long - -format: bytes +type: keyword -- -*`file.elf.sections.type`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -ELF Section List type. - type: keyword -- -*`file.elf.sections.virtual_address`*:: +*`rsa.misc.cn_invalid`*:: + -- -ELF Section List virtual address. - -type: long - -format: string +type: keyword -- -*`file.elf.sections.virtual_size`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -ELF Section List virtual size. - -type: long - -format: string +type: keyword -- -*`file.elf.segments`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. - -type: nested +type: keyword -- -*`file.elf.segments.sections`*:: +*`rsa.misc.cn_l_switch`*:: + -- -ELF object segment sections. - type: keyword -- -*`file.elf.segments.type`*:: +*`rsa.misc.cn_log_did`*:: + -- -ELF object segment type. - type: keyword -- -*`file.elf.shared_libraries`*:: +*`rsa.misc.cn_log_rid`*:: + -- -List of shared libraries used by this ELF object. - type: keyword -- -*`file.elf.telfhash`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -telfhash symbol hash for ELF file. - type: keyword -- -*`file.extension`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -File extension, excluding the leading dot. -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). 
- type: keyword -example: png - -- -*`file.gid`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -Primary group ID (GID) of the file. - type: keyword -example: 1001 - -- -*`file.group`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -Primary group name of the file. - type: keyword -example: alice - -- -*`file.hash.md5`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -MD5 hash. - type: keyword -- -*`file.hash.sha1`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -SHA1 hash. - type: keyword -- -*`file.hash.sha256`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -SHA256 hash. - type: keyword -- -*`file.hash.sha512`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -SHA512 hash. - type: keyword -- -*`file.hash.ssdeep`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -SSDEEP hash. - type: keyword -- -*`file.inode`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -Inode representing the file in the filesystem. - type: keyword -example: 256383 - -- -*`file.mime_type`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - type: keyword -- -*`file.mode`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -Mode of the file in octal representation. - type: keyword -example: 0640 - -- -*`file.mtime`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -Last time the file content was modified. - -type: date +type: keyword -- -*`file.name`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -Name of the file including the extension, without the directory. - type: keyword -example: example.png - -- -*`file.owner`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -File owner's username. - type: keyword -example: alice - -- -*`file.path`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -Full path to the file, including the file name. It should include the drive letter, when appropriate. 
- type: keyword -example: /home/alice/example.png - -- -*`file.path.text`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -type: text +type: keyword -- -*`file.pe.architecture`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -CPU architecture target for the file. - type: keyword -example: x64 - -- -*`file.pe.company`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -Internal company name of the file, provided at compile-time. - type: keyword -example: Microsoft Corporation - -- -*`file.pe.description`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -Internal description of the file, provided at compile-time. - type: keyword -example: Paint - -- -*`file.pe.file_version`*:: +*`rsa.misc.cn_sampint`*:: + -- -Internal version of the file, provided at compile-time. - type: keyword -example: 6.3.9600.17415 - -- -*`file.pe.imphash`*:: +*`rsa.misc.cn_seqctr`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - type: keyword -example: 0c6803c4e922103c4dca5963aad36ddf - -- -*`file.pe.original_file_name`*:: +*`rsa.misc.cn_spackets`*:: + -- -Internal name of the file, provided at compile-time. - type: keyword -example: MSPAINT.EXE - -- -*`file.pe.product`*:: +*`rsa.misc.cn_src_tos`*:: + -- -Internal product name of the file, provided at compile-time. - type: keyword -example: Microsoft® Windows® Operating System - -- -*`file.size`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". - -type: long - -example: 16384 +type: keyword -- -*`file.target_path`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -Target path for symlinks. 
- type: keyword -- -*`file.target_path.text`*:: +*`rsa.misc.cn_template_id`*:: + -- -type: text +type: keyword -- -*`file.type`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -File type (file, dir, or symlink). - type: keyword -example: file - -- -*`file.uid`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -The user ID (UID) or security identifier (SID) of the file owner. - type: keyword -example: 1001 - -- -*`file.x509.alternative_names`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - type: keyword -example: *.elastic.co - -- -*`file.x509.issuer.common_name`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -List of common name (CN) of issuing certificate authority. - type: keyword -example: Example SHA2 High Assurance Server CA - -- -*`file.x509.issuer.country`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -List of country (C) codes - type: keyword -example: US - -- -*`file.x509.issuer.distinguished_name`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -Distinguished name (DN) of issuing certificate authority. - type: keyword -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - -- -*`file.x509.issuer.locality`*:: +*`rsa.misc.comp_class`*:: + -- -List of locality names (L) - type: keyword -example: Mountain View - -- -*`file.x509.issuer.organization`*:: +*`rsa.misc.comp_name`*:: + -- -List of organizations (O) of issuing certificate authority. - type: keyword -example: Example Inc - -- -*`file.x509.issuer.organizational_unit`*:: +*`rsa.misc.comp_rbytes`*:: + -- -List of organizational units (OU) of issuing certificate authority. 
- type: keyword -example: www.example.com - -- -*`file.x509.issuer.state_or_province`*:: +*`rsa.misc.comp_sbytes`*:: + -- -List of state or province names (ST, S, or P) - type: keyword -example: California - -- -*`file.x509.not_after`*:: +*`rsa.misc.cpu_data`*:: + -- -Time at which the certificate is no longer considered valid. - -type: date - -example: 2020-07-16 03:15:39+00:00 +type: keyword -- -*`file.x509.not_before`*:: +*`rsa.misc.criticality`*:: + -- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25+00:00 +type: keyword -- -*`file.x509.public_key_algorithm`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -Algorithm used to generate the public key. - type: keyword -example: RSA - -- -*`file.x509.public_key_curve`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - type: keyword -example: nistp521 - -- -*`file.x509.public_key_exponent`*:: +*`rsa.misc.cs_av_other`*:: + -- -Exponent used to derive the public key. This is algorithm specific. - -type: long - -example: 65537 - -Field is not indexed. +type: keyword -- -*`file.x509.public_key_size`*:: +*`rsa.misc.cs_av_primary`*:: + -- -The size of the public key space in bits. - -type: long - -example: 2048 +type: keyword -- -*`file.x509.serial_number`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - type: keyword -example: 55FBB9C7DEBF09809D12CCAA - -- -*`file.x509.signature_algorithm`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. 
- type: keyword -example: SHA256-RSA - -- -*`file.x509.subject.common_name`*:: +*`rsa.misc.cs_bit9status`*:: + -- -List of common names (CN) of subject. - type: keyword -example: shared.global.example.net - -- -*`file.x509.subject.country`*:: +*`rsa.misc.cs_context`*:: + -- -List of country (C) code - type: keyword -example: US - -- -*`file.x509.subject.distinguished_name`*:: +*`rsa.misc.cs_control`*:: + -- -Distinguished name (DN) of the certificate subject entity. - type: keyword -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - -- -*`file.x509.subject.locality`*:: +*`rsa.misc.cs_data`*:: + -- -List of locality names (L) - type: keyword -example: San Francisco - -- -*`file.x509.subject.organization`*:: +*`rsa.misc.cs_datecret`*:: + -- -List of organizations (O) of subject. - type: keyword -example: Example, Inc. - -- -*`file.x509.subject.organizational_unit`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -List of organizational units (OU) of subject. - type: keyword -- -*`file.x509.subject.state_or_province`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -List of state or province names (ST, S, or P) - type: keyword -example: California - -- -*`file.x509.version_number`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -Version of x509 format. - type: keyword -example: 3 - -- -[float] -=== geo - -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. - - -*`geo.city_name`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`geo.continent_code`*:: +*`rsa.misc.cs_filetype`*:: + -- -Two-letter code representing continent's name. - type: keyword -example: NA - -- -*`geo.continent_name`*:: +*`rsa.misc.cs_fld`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`geo.country_iso_code`*:: +*`rsa.misc.cs_if_desc`*:: + -- -Country ISO code. 
- type: keyword -example: CA - -- -*`geo.country_name`*:: +*`rsa.misc.cs_if_name`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`geo.location`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`geo.name`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`geo.postal_code`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - type: keyword -example: 94040 - -- -*`geo.region_iso_code`*:: +*`rsa.misc.cs_lifetime`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`geo.region_name`*:: +*`rsa.misc.cs_log_medium`*:: + -- -Region name. - type: keyword -example: Quebec - -- -*`geo.timezone`*:: +*`rsa.misc.cs_loginname`*:: + -- -The time zone of the location, such as IANA time zone name. - type: keyword -example: America/Argentina/Buenos_Aires - -- -[float] -=== group - -The group fields are meant to represent groups that are relevant to the event. - - -*`group.domain`*:: +*`rsa.misc.cs_modulescore`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`group.id`*:: +*`rsa.misc.cs_modulesign`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`group.name`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -Name of the group. - type: keyword -- -[float] -=== hash - -The hash fields represent different bitwise hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. 
Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). -Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). - - -*`hash.md5`*:: +*`rsa.misc.cs_payload`*:: + -- -MD5 hash. - type: keyword -- -*`hash.sha1`*:: +*`rsa.misc.cs_registrant`*:: + -- -SHA1 hash. - type: keyword -- -*`hash.sha256`*:: +*`rsa.misc.cs_registrar`*:: + -- -SHA256 hash. - type: keyword -- -*`hash.sha512`*:: +*`rsa.misc.cs_represult`*:: + -- -SHA512 hash. - type: keyword -- -*`hash.ssdeep`*:: +*`rsa.misc.cs_rpayload`*:: + -- -SSDEEP hash. - type: keyword -- -[float] -=== host - -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. - - -*`host.architecture`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -Operating system architecture. - type: keyword -example: x86_64 - -- -*`host.cpu.usage`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. -Scaling factor: 1000. -For example: For a two core host, this value should be the average of the two cores, between 0 and 1. - -type: scaled_float +type: keyword -- -*`host.disk.read.bytes`*:: +*`rsa.misc.cs_streams`*:: + -- -The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. - -type: long +type: keyword -- -*`host.disk.write.bytes`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. 
- -type: long +type: keyword -- -*`host.domain`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - type: keyword -example: CONTOSO - -- -*`host.geo.city_name`*:: +*`rsa.misc.cs_whois_server`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`host.geo.continent_code`*:: +*`rsa.misc.cs_yararesult`*:: + -- -Two-letter code representing continent's name. - type: keyword -example: NA - -- -*`host.geo.continent_name`*:: +*`rsa.misc.description`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`host.geo.country_iso_code`*:: +*`rsa.misc.devvendor`*:: + -- -Country ISO code. - type: keyword -example: CA - -- -*`host.geo.country_name`*:: +*`rsa.misc.distance`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`host.geo.location`*:: +*`rsa.misc.dstburb`*:: + -- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`host.geo.name`*:: +*`rsa.misc.edomain`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`host.geo.postal_code`*:: +*`rsa.misc.edomaub`*:: + -- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - type: keyword -example: 94040 - -- -*`host.geo.region_iso_code`*:: +*`rsa.misc.euid`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`host.geo.region_name`*:: +*`rsa.misc.facility`*:: + -- -Region name. 
- type: keyword -example: Quebec - -- -*`host.geo.timezone`*:: +*`rsa.misc.finterface`*:: + -- -The time zone of the location, such as IANA time zone name. - type: keyword -example: America/Argentina/Buenos_Aires - -- -*`host.hostname`*:: +*`rsa.misc.flags`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. - type: keyword -- -*`host.id`*:: +*`rsa.misc.gaddr`*:: + -- -Unique host id. -As hostname is not always unique, use values that are meaningful in your environment. -Example: The current usage of `beat.name`. - type: keyword -- -*`host.ip`*:: +*`rsa.misc.id3`*:: + -- -Host ip addresses. - -type: ip +type: keyword -- -*`host.mac`*:: +*`rsa.misc.im_buddyname`*:: + -- -Host MAC addresses. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - type: keyword -example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] - -- -*`host.name`*:: +*`rsa.misc.im_croomid`*:: + -- -Name of the host. -It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - type: keyword -- -*`host.network.egress.bytes`*:: +*`rsa.misc.im_croomtype`*:: + -- -The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. - -type: long +type: keyword -- -*`host.network.egress.packets`*:: +*`rsa.misc.im_members`*:: + -- -The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. - -type: long +type: keyword -- -*`host.network.ingress.bytes`*:: +*`rsa.misc.im_username`*:: + -- -The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. 
- -type: long +type: keyword -- -*`host.network.ingress.packets`*:: +*`rsa.misc.ipkt`*:: + -- -The number of packets (gauge) received on all network interfaces by the host since the last metric collection. - -type: long +type: keyword -- -*`host.os.family`*:: +*`rsa.misc.ipscat`*:: + -- -OS family (such as redhat, debian, freebsd, windows). - type: keyword -example: debian - -- -*`host.os.full`*:: +*`rsa.misc.ipspri`*:: + -- -Operating system name, including the version or code name. - type: keyword -example: Mac OS Mojave - -- -*`host.os.full.text`*:: +*`rsa.misc.latitude`*:: + -- -type: text +type: keyword -- -*`host.os.kernel`*:: +*`rsa.misc.linenum`*:: + -- -Operating system kernel version as a raw string. - type: keyword -example: 4.4.0-112-generic - -- -*`host.os.name`*:: +*`rsa.misc.list_name`*:: + -- -Operating system name, without the version. - type: keyword -example: Mac OS X - -- -*`host.os.name.text`*:: +*`rsa.misc.load_data`*:: + -- -type: text +type: keyword -- -*`host.os.platform`*:: +*`rsa.misc.location_floor`*:: + -- -Operating system platform (such centos, ubuntu, windows). - type: keyword -example: darwin - -- -*`host.os.type`*:: +*`rsa.misc.location_mark`*:: + -- -Use the `os.type` field to categorize the operating system into one of the broad commercial families. -One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - type: keyword -example: macos - -- -*`host.os.version`*:: +*`rsa.misc.log_id`*:: + -- -Operating system version as a raw string. - type: keyword -example: 10.14.1 - -- -*`host.type`*:: +*`rsa.misc.log_type`*:: + -- -Type of host. -For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
- type: keyword -- -*`host.uptime`*:: +*`rsa.misc.logid`*:: + -- -Seconds the host has been up. - -type: long - -example: 1325 +type: keyword -- -*`host.user.domain`*:: +*`rsa.misc.logip`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`host.user.email`*:: +*`rsa.misc.logname`*:: + -- -User email address. - type: keyword -- -*`host.user.full_name`*:: +*`rsa.misc.longitude`*:: + -- -User's full name, if available. - type: keyword -example: Albert Einstein - -- -*`host.user.full_name.text`*:: +*`rsa.misc.lport`*:: + -- -type: text +type: keyword -- -*`host.user.group.domain`*:: +*`rsa.misc.mbug_data`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`host.user.group.id`*:: +*`rsa.misc.misc_name`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`host.user.group.name`*:: +*`rsa.misc.msg_type`*:: + -- -Name of the group. - type: keyword -- -*`host.user.hash`*:: +*`rsa.misc.msgid`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - type: keyword -- -*`host.user.id`*:: +*`rsa.misc.netsessid`*:: + -- -Unique identifier of the user. - type: keyword -- -*`host.user.name`*:: +*`rsa.misc.num`*:: + -- -Short name or login of the user. - type: keyword -example: albert - -- -*`host.user.name.text`*:: +*`rsa.misc.number1`*:: + -- -type: text +type: keyword -- -*`host.user.roles`*:: +*`rsa.misc.number2`*:: + -- -Array of user roles at the time of the event. - type: keyword -example: ["kibana_admin", "reporting_user"] - -- -[float] -=== http - -Fields related to HTTP activity. Use the `url` field set to store the url of the request. - - -*`http.request.body.bytes`*:: +*`rsa.misc.nwwn`*:: + -- -Size in bytes of the request body. 
- -type: long - -example: 887 - -format: bytes +type: keyword -- -*`http.request.body.content`*:: +*`rsa.misc.object`*:: + -- -The full HTTP request body. - type: keyword -example: Hello world - -- -*`http.request.body.content.text`*:: +*`rsa.misc.operation`*:: + -- -type: text +type: keyword -- -*`http.request.bytes`*:: +*`rsa.misc.opkt`*:: + -- -Total size in bytes of the request (body and headers). - -type: long - -example: 1437 - -format: bytes +type: keyword -- -*`http.request.id`*:: +*`rsa.misc.orig_from`*:: + -- -A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. -The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. - type: keyword -example: 123e4567-e89b-12d3-a456-426614174000 - -- -*`http.request.method`*:: +*`rsa.misc.owner_id`*:: + -- -HTTP request method. -Prior to ECS 1.6.0 the following guidance was provided: -"The field value must be normalized to lowercase for querying." -As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 - type: keyword -example: GET, POST, PUT, PoST - -- -*`http.request.mime_type`*:: +*`rsa.misc.p_action`*:: + -- -Mime type of the body of the request. -This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. - type: keyword -example: image/gif - -- -*`http.request.referrer`*:: +*`rsa.misc.p_filter`*:: + -- -Referrer for this HTTP request. - type: keyword -example: https://blog.example.com/ - -- -*`http.response.body.bytes`*:: +*`rsa.misc.p_group_object`*:: + -- -Size in bytes of the response body. 
- -type: long - -example: 887 - -format: bytes +type: keyword -- -*`http.response.body.content`*:: +*`rsa.misc.p_id`*:: + -- -The full HTTP response body. - type: keyword -example: Hello world - -- -*`http.response.body.content.text`*:: +*`rsa.misc.p_msgid1`*:: + -- -type: text +type: keyword -- -*`http.response.bytes`*:: +*`rsa.misc.p_msgid2`*:: + -- -Total size in bytes of the response (body and headers). - -type: long - -example: 1437 - -format: bytes +type: keyword -- -*`http.response.mime_type`*:: +*`rsa.misc.p_result1`*:: + -- -Mime type of the body of the response. -This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. - type: keyword -example: image/gif - -- -*`http.response.status_code`*:: +*`rsa.misc.password_chg`*:: + -- -HTTP response status code. - -type: long - -example: 404 - -format: string +type: keyword -- -*`http.version`*:: +*`rsa.misc.password_expire`*:: + -- -HTTP version. - type: keyword -example: 1.1 - -- -[float] -=== interface - -The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. - - -*`interface.alias`*:: +*`rsa.misc.permgranted`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. - type: keyword -example: outside - -- -*`interface.id`*:: +*`rsa.misc.permwanted`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). - type: keyword -example: 10 - -- -*`interface.name`*:: +*`rsa.misc.pgid`*:: + -- -Interface name as reported by the system. 
- type: keyword -example: eth0 - -- -[float] -=== log - -Details about the event's logging mechanism or logging transport. -The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. -The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. - - -*`log.file.path`*:: +*`rsa.misc.policyUUID`*:: + -- -Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. -If the event wasn't read from a log file, do not populate this field. - type: keyword -example: /var/log/fun-times.log - -- -*`log.level`*:: +*`rsa.misc.prog_asp_num`*:: + -- -Original log level of the log event. -If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). -Some examples are `warn`, `err`, `i`, `informational`. - type: keyword -example: error - -- -*`log.logger`*:: +*`rsa.misc.program`*:: + -- -The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - type: keyword -example: org.elasticsearch.bootstrap.Bootstrap - -- -*`log.origin.file.line`*:: +*`rsa.misc.real_data`*:: + -- -The line number of the file containing the source code which originated the log event. - -type: integer - -example: 42 +type: keyword -- -*`log.origin.file.name`*:: +*`rsa.misc.rec_asp_device`*:: + -- -The name of the file containing the source code which originated the log event. -Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. 
- type: keyword -example: Bootstrap.java - -- -*`log.origin.function`*:: +*`rsa.misc.rec_asp_num`*:: + -- -The name of the function or method which originated the log event. - type: keyword -example: init - -- -*`log.original`*:: +*`rsa.misc.rec_library`*:: + -- -Deprecated for removal in next major version release. This field is superseded by `event.original`. -This is the original log message and contains the full log message before splitting it up in multiple parts. -In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. -This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. - type: keyword -example: Sep 19 08:26:10 localhost My log - -Field is not indexed. - -- -*`log.syslog`*:: +*`rsa.misc.recordnum`*:: + -- -The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. - -type: object +type: keyword -- -*`log.syslog.facility.code`*:: +*`rsa.misc.ruid`*:: + -- -The Syslog numeric facility of the log event, if available. -According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - -type: long - -example: 23 - -format: string +type: keyword -- -*`log.syslog.facility.name`*:: +*`rsa.misc.sburb`*:: + -- -The Syslog text-based facility of the log event, if available. - type: keyword -example: local7 - -- -*`log.syslog.priority`*:: +*`rsa.misc.sdomain_fld`*:: + -- -Syslog numeric priority of the event, if available. -According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. 
- -type: long - -example: 135 - -format: string +type: keyword -- -*`log.syslog.severity.code`*:: +*`rsa.misc.sec`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - -type: long - -example: 3 +type: keyword -- -*`log.syslog.severity.name`*:: +*`rsa.misc.sensorname`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. - type: keyword -example: Error - -- -[float] -=== network - -The network is defined as the communication path over which a host or network event happens. -The network.* fields should be populated with details about the network activity associated with an event. - - -*`network.application`*:: +*`rsa.misc.seqnum`*:: + -- -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - type: keyword -example: aim - -- -*`network.bytes`*:: +*`rsa.misc.session`*:: + -- -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- -type: long - -example: 368 - -format: bytes +type: keyword -- -*`network.community_id`*:: +*`rsa.misc.sessiontype`*:: + -- -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. - type: keyword -example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= - -- -*`network.direction`*:: +*`rsa.misc.sigUUID`*:: + -- -Direction of the network traffic. -Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - -When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". -When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". -Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - type: keyword -example: inbound - -- -*`network.forwarded_ip`*:: +*`rsa.misc.spi`*:: + -- -Host IP address when the source IP address is the proxy. - -type: ip - -example: 192.1.1.2 +type: keyword -- -*`network.iana_number`*:: +*`rsa.misc.srcburb`*:: + -- -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - type: keyword -example: 6 - -- -*`network.inner`*:: +*`rsa.misc.srcdom`*:: + -- -Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. 
Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) - -type: object +type: keyword -- -*`network.inner.vlan.id`*:: +*`rsa.misc.srcservice`*:: + -- -VLAN ID as reported by the observer. - type: keyword -example: 10 - -- -*`network.inner.vlan.name`*:: +*`rsa.misc.state`*:: + -- -Optional VLAN name as reported by the observer. - type: keyword -example: outside - -- -*`network.name`*:: +*`rsa.misc.status1`*:: + -- -Name given by operators to sections of their network. - type: keyword -example: Guest Wifi - -- -*`network.packets`*:: +*`rsa.misc.svcno`*:: + -- -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - -type: long - -example: 24 +type: keyword -- -*`network.protocol`*:: +*`rsa.misc.system`*:: + -- -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - type: keyword -example: http - -- -*`network.transport`*:: +*`rsa.misc.tbdstr1`*:: + -- -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - type: keyword -example: tcp - -- -*`network.type`*:: +*`rsa.misc.tgtdom`*:: + -- -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - type: keyword -example: ipv4 - -- -*`network.vlan.id`*:: +*`rsa.misc.tgtdomain`*:: + -- -VLAN ID as reported by the observer. - type: keyword -example: 10 - -- -*`network.vlan.name`*:: +*`rsa.misc.threshold`*:: + -- -Optional VLAN name as reported by the observer. 
- type: keyword -example: outside - -- -[float] -=== observer - -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. -This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`rsa.misc.type1`*:: ++ +-- +type: keyword +-- -*`observer.egress`*:: +*`rsa.misc.udb_class`*:: + -- -Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. - -type: object +type: keyword -- -*`observer.egress.interface.alias`*:: +*`rsa.misc.url_fld`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. - type: keyword -example: outside - -- -*`observer.egress.interface.id`*:: +*`rsa.misc.user_div`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). - type: keyword -example: 10 - -- -*`observer.egress.interface.name`*:: +*`rsa.misc.userid`*:: + -- -Interface name as reported by the system. - type: keyword -example: eth0 - -- -*`observer.egress.vlan.id`*:: +*`rsa.misc.username_fld`*:: + -- -VLAN ID as reported by the observer. 
- type: keyword -example: 10 - -- -*`observer.egress.vlan.name`*:: +*`rsa.misc.utcstamp`*:: + -- -Optional VLAN name as reported by the observer. - type: keyword -example: outside - -- -*`observer.egress.zone`*:: +*`rsa.misc.v_instafname`*:: + -- -Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - type: keyword -example: Public_Internet - -- -*`observer.geo.city_name`*:: +*`rsa.misc.virt_data`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`observer.geo.continent_code`*:: +*`rsa.misc.vpnid`*:: + -- -Two-letter code representing continent's name. - type: keyword -example: NA - -- -*`observer.geo.continent_name`*:: +*`rsa.misc.autorun_type`*:: + -- -Name of the continent. +This is used to capture Auto Run type type: keyword -example: North America - -- -*`observer.geo.country_iso_code`*:: +*`rsa.misc.cc_number`*:: + -- -Country ISO code. - -type: keyword +Valid Credit Card Numbers only -example: CA +type: long -- -*`observer.geo.country_name`*:: +*`rsa.misc.content`*:: + -- -Country name. +This key captures the content type from protocol headers type: keyword -example: Canada - -- -*`observer.geo.location`*:: +*`rsa.misc.ein_number`*:: + -- -Longitude and latitude. - -type: geo_point +Employee Identification Numbers only -example: { "lon": -73.614830, "lat": 45.505918 } +type: long -- -*`observer.geo.name`*:: +*`rsa.misc.found`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +This is used to capture the results of regex match type: keyword -example: boston-dc - -- -*`observer.geo.postal_code`*:: +*`rsa.misc.language`*:: + -- -Postal code associated with the location. 
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. +This is used to capture list of languages the client support and what it prefers type: keyword -example: 94040 - -- -*`observer.geo.region_iso_code`*:: +*`rsa.misc.lifetime`*:: + -- -Region ISO code. - -type: keyword +This key is used to capture the session lifetime in seconds. -example: CA-QC +type: long -- -*`observer.geo.region_name`*:: +*`rsa.misc.link`*:: + -- -Region name. +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: Quebec - -- -*`observer.geo.timezone`*:: +*`rsa.misc.match`*:: + -- -The time zone of the location, such as IANA time zone name. +This key is for regex match name from search.ini type: keyword -example: America/Argentina/Buenos_Aires - -- -*`observer.hostname`*:: +*`rsa.misc.param_dst`*:: + -- -Hostname of the observer. +This key captures the command line/launch argument of the target process or file type: keyword -- -*`observer.ingress`*:: +*`rsa.misc.param_src`*:: + -- -Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. +This key captures source parameter -type: object +type: keyword -- -*`observer.ingress.interface.alias`*:: +*`rsa.misc.search_text`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +This key captures the Search Text used type: keyword -example: outside - -- -*`observer.ingress.interface.id`*:: +*`rsa.misc.sig_name`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +This key is used to capture the Signature Name only. 
type: keyword -example: 10 - -- -*`observer.ingress.interface.name`*:: +*`rsa.misc.snmp_value`*:: + -- -Interface name as reported by the system. +SNMP set request value type: keyword -example: eth0 - -- -*`observer.ingress.vlan.id`*:: +*`rsa.misc.streams`*:: + -- -VLAN ID as reported by the observer. - -type: keyword +This key captures number of streams in session -example: 10 +type: long -- -*`observer.ingress.vlan.name`*:: + +*`rsa.db.index`*:: + -- -Optional VLAN name as reported by the observer. +This key captures IndexID of the index. type: keyword -example: outside - -- -*`observer.ingress.zone`*:: +*`rsa.db.instance`*:: + -- -Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. +This key is used to capture the database server instance name type: keyword -example: DMZ - -- -*`observer.ip`*:: +*`rsa.db.database`*:: + -- -IP addresses of the observer. +This key is used to capture the name of a database or an instance as seen in a session -type: ip +type: keyword -- -*`observer.mac`*:: +*`rsa.db.transact_id`*:: + -- -MAC addresses of the observer. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. +This key captures the SQL transantion ID of the current session type: keyword -example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] - -- -*`observer.name`*:: +*`rsa.db.permissions`*:: + -- -Custom name of the observer. -This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. -If no custom name is needed, the field can be left empty. +This key captures permission or privilege level assigned to a resource. 
type: keyword -example: 1_proxySG - -- -*`observer.os.family`*:: +*`rsa.db.table_name`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +This key is used to capture the table name type: keyword -example: debian - -- -*`observer.os.full`*:: +*`rsa.db.db_id`*:: + -- -Operating system name, including the version or code name. +This key is used to capture the unique identifier for a database type: keyword -example: Mac OS Mojave - -- -*`observer.os.full.text`*:: +*`rsa.db.db_pid`*:: + -- -type: text +This key captures the process id of a connection with database server + +type: long -- -*`observer.os.kernel`*:: +*`rsa.db.lread`*:: + -- -Operating system kernel version as a raw string. - -type: keyword +This key is used for the number of logical reads -example: 4.4.0-112-generic +type: long -- -*`observer.os.name`*:: +*`rsa.db.lwrite`*:: + -- -Operating system name, without the version. - -type: keyword +This key is used for the number of logical writes -example: Mac OS X +type: long -- -*`observer.os.name.text`*:: +*`rsa.db.pread`*:: + -- -type: text +This key is used for the number of physical writes + +type: long -- -*`observer.os.platform`*:: + +*`rsa.network.alias_host`*:: + -- -Operating system platform (such centos, ubuntu, windows). +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -example: darwin - -- -*`observer.os.type`*:: +*`rsa.network.domain`*:: + -- -Use the `os.type` field to categorize the operating system into one of the broad commercial families. -One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. 
- type: keyword -example: macos - -- -*`observer.os.version`*:: +*`rsa.network.host_dst`*:: + -- -Operating system version as a raw string. +This key should only be used when it’s a Destination Hostname type: keyword -example: 10.14.1 - -- -*`observer.product`*:: +*`rsa.network.network_service`*:: + -- -The product name of the observer. +This is used to capture layer 7 protocols/service names type: keyword -example: s200 - -- -*`observer.serial_number`*:: +*`rsa.network.interface`*:: + -- -Observer serial number. +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`observer.type`*:: +*`rsa.network.network_port`*:: + -- -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - -type: keyword +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -example: firewall +type: long -- -*`observer.vendor`*:: +*`rsa.network.eth_host`*:: + -- -Vendor name of the observer. +Deprecated, use alias.mac type: keyword -example: Symantec - -- -*`observer.version`*:: +*`rsa.network.sinterface`*:: + -- -Observer version. +This key should only be used when it’s a Source Interface type: keyword -- -[float] -=== orchestrator - -Fields that describe the resources which container orchestrators manage or act upon. - - -*`orchestrator.api_version`*:: +*`rsa.network.dinterface`*:: + -- -API version being used to carry out the action +This key should only be used when it’s a Destination Interface type: keyword -example: v1beta1 - -- -*`orchestrator.cluster.name`*:: +*`rsa.network.vlan`*:: + -- -Name of the cluster. 
+This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`orchestrator.cluster.url`*:: +*`rsa.network.zone_src`*:: + -- -URL of the API used to manage the cluster. +This key should only be used when it’s a Source Zone. type: keyword -- -*`orchestrator.cluster.version`*:: +*`rsa.network.zone`*:: + -- -The version of the cluster. +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`orchestrator.namespace`*:: +*`rsa.network.zone_dst`*:: + -- -Namespace in which the action is taking place. +This key should only be used when it’s a Destination Zone. type: keyword -example: kube-system - -- -*`orchestrator.organization`*:: +*`rsa.network.gateway`*:: + -- -Organization affected by the event (for multi-tenant orchestrator setups). +This key is used to capture the IP Address of the gateway type: keyword -example: elastic - -- -*`orchestrator.resource.name`*:: +*`rsa.network.icmp_type`*:: + -- -Name of the resource being acted upon. - -type: keyword +This key is used to capture the ICMP type only -example: test-pod-cdcws +type: long -- -*`orchestrator.resource.type`*:: +*`rsa.network.mask`*:: + -- -Type of resource being acted upon. +This key is used to capture the device network IPmask. type: keyword -example: service - -- -*`orchestrator.type`*:: +*`rsa.network.icmp_code`*:: + -- -Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - -type: keyword +This key is used to capture the ICMP code only -example: kubernetes +type: long -- -[float] -=== organization - -The organization fields enrich data with information about the company or entity the data is associated with. -These fields help you arrange or filter data stored in an index by one or multiple organizations. - - -*`organization.id`*:: +*`rsa.network.protocol_detail`*:: + -- -Unique identifier for the organization. 
+This key should be used to capture additional protocol information type: keyword -- -*`organization.name`*:: +*`rsa.network.dmask`*:: + -- -Organization name. +This key is used for Destionation Device network mask type: keyword -- -*`organization.name.text`*:: +*`rsa.network.port`*:: + -- -type: text - --- - -[float] -=== os +This key should only be used to capture a Network Port when the directionality is not clear -The OS fields contain information about the operating system. +type: long +-- -*`os.family`*:: +*`rsa.network.smask`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +This key is used for capturing source Network Mask type: keyword -example: debian - -- -*`os.full`*:: +*`rsa.network.netname`*:: + -- -Operating system name, including the version or code name. +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -example: Mac OS Mojave - -- -*`os.full.text`*:: +*`rsa.network.paddr`*:: + -- -type: text +Deprecated + +type: ip -- -*`os.kernel`*:: +*`rsa.network.faddr`*:: + -- -Operating system kernel version as a raw string. - type: keyword -example: 4.4.0-112-generic - -- -*`os.name`*:: +*`rsa.network.lhost`*:: + -- -Operating system name, without the version. - type: keyword -example: Mac OS X - -- -*`os.name.text`*:: +*`rsa.network.origin`*:: + -- -type: text +type: keyword -- -*`os.platform`*:: +*`rsa.network.remote_domain_id`*:: + -- -Operating system platform (such centos, ubuntu, windows). - type: keyword -example: darwin - -- -*`os.type`*:: +*`rsa.network.addr`*:: + -- -Use the `os.type` field to categorize the operating system into one of the broad commercial families. -One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. 
- type: keyword -example: macos - -- -*`os.version`*:: +*`rsa.network.dns_a_record`*:: + -- -Operating system version as a raw string. - type: keyword -example: 10.14.1 - -- -[float] -=== package - -These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. - - -*`package.architecture`*:: +*`rsa.network.dns_ptr_record`*:: + -- -Package architecture. - type: keyword -example: x86_64 - -- -*`package.build_version`*:: +*`rsa.network.fhost`*:: + -- -Additional information about the build version of the installed package. -For example use the commit SHA of a non-released package. - type: keyword -example: 36f4f7e89dd61b0988b12ee000b98966867710cd - -- -*`package.checksum`*:: +*`rsa.network.fport`*:: + -- -Checksum of the installed package for verification. - type: keyword -example: 68b329da9893e34099c7d8ad5cb9c940 - -- -*`package.description`*:: +*`rsa.network.laddr`*:: + -- -Description of the package. - type: keyword -example: Open source programming language to build simple/reliable/efficient software. - -- -*`package.install_scope`*:: +*`rsa.network.linterface`*:: + -- -Indicating how the package was installed, e.g. user-local, global. - type: keyword -example: global - -- -*`package.installed`*:: +*`rsa.network.phost`*:: + -- -Time when package was installed. - -type: date +type: keyword -- -*`package.license`*:: +*`rsa.network.ad_computer_dst`*:: + -- -License under which the package was released. -Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). 
+Deprecated, use host.dst type: keyword -example: Apache License 2.0 - -- -*`package.name`*:: +*`rsa.network.eth_type`*:: + -- -Package name - -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only -example: go +type: long -- -*`package.path`*:: +*`rsa.network.ip_proto`*:: + -- -Path where the package is installed. - -type: keyword +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -example: /usr/local/Cellar/go/1.12.9/ +type: long -- -*`package.reference`*:: +*`rsa.network.dns_cname_record`*:: + -- -Home page or reference URL of the software in this package, if available. - type: keyword -example: https://golang.org - -- -*`package.size`*:: +*`rsa.network.dns_id`*:: + -- -Package size in bytes. - -type: long - -example: 62231 - -format: string +type: keyword -- -*`package.type`*:: +*`rsa.network.dns_opcode`*:: + -- -Type of package. -This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. - type: keyword -example: rpm - -- -*`package.version`*:: +*`rsa.network.dns_resp`*:: + -- -Package version - type: keyword -example: 1.12.9 - -- -[float] -=== pe - -These fields contain Windows Portable Executable (PE) metadata. - - -*`pe.architecture`*:: +*`rsa.network.dns_type`*:: + -- -CPU architecture target for the file. - type: keyword -example: x64 - -- -*`pe.company`*:: +*`rsa.network.domain1`*:: + -- -Internal company name of the file, provided at compile-time. - type: keyword -example: Microsoft Corporation - -- -*`pe.description`*:: +*`rsa.network.host_type`*:: + -- -Internal description of the file, provided at compile-time. - type: keyword -example: Paint - -- -*`pe.file_version`*:: +*`rsa.network.packet_length`*:: + -- -Internal version of the file, provided at compile-time. 
- type: keyword -example: 6.3.9600.17415 - -- -*`pe.imphash`*:: +*`rsa.network.host_orig`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -example: 0c6803c4e922103c4dca5963aad36ddf - -- -*`pe.original_file_name`*:: +*`rsa.network.rpayload`*:: + -- -Internal name of the file, provided at compile-time. +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -example: MSPAINT.EXE - -- -*`pe.product`*:: +*`rsa.network.vlan_name`*:: + -- -Internal product name of the file, provided at compile-time. +This key should only be used to capture the name of the Virtual LAN type: keyword -example: Microsoft® Windows® Operating System - -- -[float] -=== process - -These fields contain information about a process. -These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. - -*`process.args`*:: +*`rsa.investigations.ec_activity`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +This key captures the particular event activity(Ex:Logoff) type: keyword -example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] - -- -*`process.args_count`*:: +*`rsa.investigations.ec_theme`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
- -type: long +This key captures the Theme of a particular Event(Ex:Authentication) -example: 4 +type: keyword -- -*`process.code_signature.exists`*:: +*`rsa.investigations.ec_subject`*:: + -- -Boolean to capture if a signature is present. - -type: boolean +This key captures the Subject of a particular Event(Ex:User) -example: true +type: keyword -- -*`process.code_signature.signing_id`*:: +*`rsa.investigations.ec_outcome`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. +This key captures the outcome of a particular Event(Ex:Success) type: keyword -example: com.apple.xpc.proxy - -- -*`process.code_signature.status`*:: +*`rsa.investigations.event_cat`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - -type: keyword +This key captures the Event category number -example: ERROR_UNTRUSTED_ROOT +type: long -- -*`process.code_signature.subject_name`*:: +*`rsa.investigations.event_cat_name`*:: + -- -Subject name of the code signer +This key captures the event category name corresponding to the event cat code type: keyword -example: Microsoft Corporation - -- -*`process.code_signature.team_id`*:: +*`rsa.investigations.event_vcat`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. type: keyword -example: EQHXZ8M8AV - -- -*`process.code_signature.trusted`*:: +*`rsa.investigations.analysis_file`*:: + -- -Stores the trust status of the certificate chain. 
-Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file -example: true +type: keyword -- -*`process.code_signature.valid`*:: +*`rsa.investigations.analysis_service`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service -example: true +type: keyword -- -*`process.command_line`*:: +*`rsa.investigations.analysis_session`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 - -- -*`process.command_line.text`*:: +*`rsa.investigations.boc`*:: + -- -type: text +This is used to capture behaviour of compromise + +type: keyword -- -*`process.elf.architecture`*:: +*`rsa.investigations.eoc`*:: + -- -Machine architecture of the ELF file. +This is used to capture Enablers of Compromise type: keyword -example: x86-64 - -- -*`process.elf.byte_order`*:: +*`rsa.investigations.inv_category`*:: + -- -Byte sequence of ELF file. +This used to capture investigation category type: keyword -example: Little Endian - -- -*`process.elf.cpu_type`*:: +*`rsa.investigations.inv_context`*:: + -- -CPU type of the ELF file. +This used to capture investigation context type: keyword -example: Intel - -- -*`process.elf.creation_date`*:: +*`rsa.investigations.ioc`*:: + -- -Extracted when possible from the file's metadata. 
Indicates when it was built or compiled. It can also be faked by malware creators. +This is key capture indicator of compromise -type: date +type: keyword -- -*`process.elf.exports`*:: + +*`rsa.counters.dclass_c1`*:: + -- -List of exported element names and types. +This is a generic counter key that should be used with the label dclass.c1.str only -type: flattened +type: long -- -*`process.elf.header.abi_version`*:: +*`rsa.counters.dclass_c2`*:: + -- -Version of the ELF Application Binary Interface (ABI). +This is a generic counter key that should be used with the label dclass.c2.str only -type: keyword +type: long -- -*`process.elf.header.class`*:: +*`rsa.counters.event_counter`*:: + -- -Header class of the ELF file. +This is used to capture the number of times an event repeated -type: keyword +type: long -- -*`process.elf.header.data`*:: +*`rsa.counters.dclass_r1`*:: + -- -Data table of the ELF header. +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -- -*`process.elf.header.entrypoint`*:: +*`rsa.counters.dclass_c3`*:: + -- -Header entrypoint of the ELF file. +This is a generic counter key that should be used with the label dclass.c3.str only type: long -format: string - -- -*`process.elf.header.object_version`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -"0x1" for original ELF files. +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -*`process.elf.header.os_abi`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -Application Binary Interface (ABI) of the Linux OS. +This is a generic counter string key that should be used with the label dclass.c2 only type: keyword -- -*`process.elf.header.type`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Header type of the ELF file. +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`process.elf.header.version`*:: +*`rsa.counters.dclass_r2`*:: + -- -Version of the ELF header. 
+This is a generic ratio key that should be used with the label dclass.r2.str only type: keyword -- -*`process.elf.imports`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -List of imported element names and types. +This is a generic counter string key that should be used with the label dclass.c3 only -type: flattened +type: keyword -- -*`process.elf.sections`*:: +*`rsa.counters.dclass_r3`*:: + -- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. +This is a generic ratio key that should be used with the label dclass.r3.str only -type: nested +type: keyword -- -*`process.elf.sections.chi2`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -Chi-square probability distribution of the section. - -type: long +This is a generic ratio string key that should be used with the label dclass.r2 only -format: number +type: keyword -- -*`process.elf.sections.entropy`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -Shannon entropy calculation from the section. - -type: long +This is a generic ratio string key that should be used with the label dclass.r3 only -format: number +type: keyword -- -*`process.elf.sections.flags`*:: + +*`rsa.identity.auth_method`*:: + -- -ELF Section List flags. +This key is used to capture authentication methods used only type: keyword -- -*`process.elf.sections.name`*:: +*`rsa.identity.user_role`*:: + -- -ELF Section List name. +This key is used to capture the Role of a user only type: keyword -- -*`process.elf.sections.physical_offset`*:: +*`rsa.identity.dn`*:: + -- -ELF Section List offset. +X.500 (LDAP) Distinguished Name type: keyword -- -*`process.elf.sections.physical_size`*:: +*`rsa.identity.logon_type`*:: + -- -ELF Section List physical size. - -type: long +This key is used to capture the type of logon method used. -format: bytes +type: keyword -- -*`process.elf.sections.type`*:: +*`rsa.identity.profile`*:: + -- -ELF Section List type. 
+This key is used to capture the user profile type: keyword -- -*`process.elf.sections.virtual_address`*:: +*`rsa.identity.accesses`*:: + -- -ELF Section List virtual address. - -type: long +This key is used to capture actual privileges used in accessing an object -format: string +type: keyword -- -*`process.elf.sections.virtual_size`*:: +*`rsa.identity.realm`*:: + -- -ELF Section List virtual size. - -type: long +Radius realm or similar grouping of accounts -format: string +type: keyword -- -*`process.elf.segments`*:: +*`rsa.identity.user_sid_dst`*:: + -- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. +This key captures Destination User Session ID -type: nested +type: keyword -- -*`process.elf.segments.sections`*:: +*`rsa.identity.dn_src`*:: + -- -ELF object segment sections. +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -- -*`process.elf.segments.type`*:: +*`rsa.identity.org`*:: + -- -ELF object segment type. +This key captures the User organization type: keyword -- -*`process.elf.shared_libraries`*:: +*`rsa.identity.dn_dst`*:: + -- -List of shared libraries used by this ELF object. +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`process.elf.telfhash`*:: +*`rsa.identity.firstname`*:: + -- -telfhash symbol hash for ELF file. +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`process.entity_id`*:: +*`rsa.identity.lastname`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
-Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: c2c455d9f99375d - -- -*`process.executable`*:: +*`rsa.identity.user_dept`*:: + -- -Absolute path to the process executable. +User's Department Names only type: keyword -example: /usr/bin/ssh - -- -*`process.executable.text`*:: +*`rsa.identity.user_sid_src`*:: + -- -type: text +This key captures Source User Session ID + +type: keyword -- -*`process.exit_code`*:: +*`rsa.identity.federated_sp`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). - -type: long +This key is the Federated Service Provider. This is the application requesting authentication. -example: 137 +type: keyword -- -*`process.hash.md5`*:: +*`rsa.identity.federated_idp`*:: + -- -MD5 hash. +This key is the federated Identity Provider. This is the server providing the authentication. type: keyword -- -*`process.hash.sha1`*:: +*`rsa.identity.logon_type_desc`*:: + -- -SHA1 hash. +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. type: keyword -- -*`process.hash.sha256`*:: +*`rsa.identity.middlename`*:: + -- -SHA256 hash. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`process.hash.sha512`*:: +*`rsa.identity.password`*:: + -- -SHA512 hash. +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`process.hash.ssdeep`*:: +*`rsa.identity.host_role`*:: + -- -SSDEEP hash. +This key should only be used to capture the role of a Host Machine type: keyword -- -*`process.name`*:: +*`rsa.identity.ldap`*:: + -- -Process name. 
-Sometimes called program name or similar. +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -example: ssh - -- -*`process.name.text`*:: +*`rsa.identity.ldap_query`*:: + -- -type: text +This key is the Search criteria from an LDAP search + +type: keyword -- -*`process.parent.args`*:: +*`rsa.identity.ldap_response`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +This key is to capture Results from an LDAP search type: keyword -example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] - -- -*`process.parent.args_count`*:: +*`rsa.identity.owner`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - -type: long +This is used to capture username the process or service is running as, the author of the task -example: 4 +type: keyword -- -*`process.parent.code_signature.exists`*:: +*`rsa.identity.service_account`*:: + -- -Boolean to capture if a signature is present. - -type: boolean +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage -example: true +type: keyword -- -*`process.parent.code_signature.signing_id`*:: + +*`rsa.email.email_dst`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -example: com.apple.xpc.proxy - -- -*`process.parent.code_signature.status`*:: +*`rsa.email.email_src`*:: + -- -Additional information about the certificate status. 
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`process.parent.code_signature.subject_name`*:: +*`rsa.email.subject`*:: + -- -Subject name of the code signer +This key is used to capture the subject string from an Email only. type: keyword -example: Microsoft Corporation - -- -*`process.parent.code_signature.team_id`*:: +*`rsa.email.email`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. +This key is used to capture a generic email address where the source or destination context is not clear type: keyword -example: EQHXZ8M8AV - -- -*`process.parent.code_signature.trusted`*:: +*`rsa.email.trans_from`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean +Deprecated key defined only in table map. -example: true +type: keyword -- -*`process.parent.code_signature.valid`*:: +*`rsa.email.trans_to`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +Deprecated key defined only in table map. -example: true +type: keyword -- -*`process.parent.command_line`*:: + +*`rsa.file.privilege`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. 
+Deprecated, use permissions type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 - -- -*`process.parent.command_line.text`*:: +*`rsa.file.attachment`*:: + -- -type: text +This key captures the attachment file name + +type: keyword -- -*`process.parent.elf.architecture`*:: +*`rsa.file.filesystem`*:: + -- -Machine architecture of the ELF file. - type: keyword -example: x86-64 - -- -*`process.parent.elf.byte_order`*:: +*`rsa.file.binary`*:: + -- -Byte sequence of ELF file. +Deprecated key defined only in table map. type: keyword -example: Little Endian - -- -*`process.parent.elf.cpu_type`*:: +*`rsa.file.filename_dst`*:: + -- -CPU type of the ELF file. +This is used to capture name of the file targeted by the action type: keyword -example: Intel - --- - -*`process.parent.elf.creation_date`*:: -+ --- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - -type: date - -- -*`process.parent.elf.exports`*:: +*`rsa.file.filename_src`*:: + -- -List of exported element names and types. +This is used to capture name of the parent filename, the file which performed the action -type: flattened +type: keyword -- -*`process.parent.elf.header.abi_version`*:: +*`rsa.file.filename_tmp`*:: + -- -Version of the ELF Application Binary Interface (ABI). - type: keyword -- -*`process.parent.elf.header.class`*:: +*`rsa.file.directory_dst`*:: + -- -Header class of the ELF file. +This key is used to capture the directory of the target process or file type: keyword -- -*`process.parent.elf.header.data`*:: +*`rsa.file.directory_src`*:: + -- -Data table of the ELF header. +This key is used to capture the directory of the source process or file type: keyword -- -*`process.parent.elf.header.entrypoint`*:: +*`rsa.file.file_entropy`*:: + -- -Header entrypoint of the ELF file. 
- -type: long +This is used to capture entropy vale of a file -format: string +type: double -- -*`process.parent.elf.header.object_version`*:: +*`rsa.file.file_vendor`*:: + -- -"0x1" for original ELF files. +This is used to capture Company name of file located in version_info type: keyword -- -*`process.parent.elf.header.os_abi`*:: +*`rsa.file.task_name`*:: + -- -Application Binary Interface (ABI) of the Linux OS. +This is used to capture name of the task type: keyword -- -*`process.parent.elf.header.type`*:: + +*`rsa.web.fqdn`*:: + -- -Header type of the ELF file. +Fully Qualified Domain Names type: keyword -- -*`process.parent.elf.header.version`*:: +*`rsa.web.web_cookie`*:: + -- -Version of the ELF header. +This key is used to capture the Web cookies specifically. type: keyword -- -*`process.parent.elf.imports`*:: +*`rsa.web.alias_host`*:: + -- -List of imported element names and types. - -type: flattened +type: keyword -- -*`process.parent.elf.sections`*:: +*`rsa.web.reputation_num`*:: + -- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. +Reputation Number of an entity. Typically used for Web Domains -type: nested +type: double -- -*`process.parent.elf.sections.chi2`*:: +*`rsa.web.web_ref_domain`*:: + -- -Chi-square probability distribution of the section. - -type: long +Web referer's domain -format: number +type: keyword -- -*`process.parent.elf.sections.entropy`*:: +*`rsa.web.web_ref_query`*:: + -- -Shannon entropy calculation from the section. - -type: long +This key captures Web referer's query portion of the URL -format: number +type: keyword -- -*`process.parent.elf.sections.flags`*:: +*`rsa.web.remote_domain`*:: + -- -ELF Section List flags. - type: keyword -- -*`process.parent.elf.sections.name`*:: +*`rsa.web.web_ref_page`*:: + -- -ELF Section List name. 
+This key captures Web referer's page information type: keyword -- -*`process.parent.elf.sections.physical_offset`*:: +*`rsa.web.web_ref_root`*:: + -- -ELF Section List offset. +Web referer's root URL path type: keyword -- -*`process.parent.elf.sections.physical_size`*:: +*`rsa.web.cn_asn_dst`*:: + -- -ELF Section List physical size. - -type: long - -format: bytes +type: keyword -- -*`process.parent.elf.sections.type`*:: +*`rsa.web.cn_rpackets`*:: + -- -ELF Section List type. - type: keyword -- -*`process.parent.elf.sections.virtual_address`*:: +*`rsa.web.urlpage`*:: + -- -ELF Section List virtual address. - -type: long - -format: string +type: keyword -- -*`process.parent.elf.sections.virtual_size`*:: +*`rsa.web.urlroot`*:: + -- -ELF Section List virtual size. - -type: long - -format: string +type: keyword -- -*`process.parent.elf.segments`*:: +*`rsa.web.p_url`*:: + -- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. - -type: nested +type: keyword -- -*`process.parent.elf.segments.sections`*:: +*`rsa.web.p_user_agent`*:: + -- -ELF object segment sections. - type: keyword -- -*`process.parent.elf.segments.type`*:: +*`rsa.web.p_web_cookie`*:: + -- -ELF object segment type. - type: keyword -- -*`process.parent.elf.shared_libraries`*:: +*`rsa.web.p_web_method`*:: + -- -List of shared libraries used by this ELF object. - type: keyword -- -*`process.parent.elf.telfhash`*:: +*`rsa.web.p_web_referer`*:: + -- -telfhash symbol hash for ELF file. - type: keyword -- -*`process.parent.entity_id`*:: +*`rsa.web.web_extension_tmp`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
-Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - type: keyword -example: c2c455d9f99375d - -- -*`process.parent.executable`*:: +*`rsa.web.web_page`*:: + -- -Absolute path to the process executable. - type: keyword -example: /usr/bin/ssh - -- -*`process.parent.executable.text`*:: + +*`rsa.threat.threat_category`*:: + -- -type: text +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword -- -*`process.parent.exit_code`*:: +*`rsa.threat.threat_desc`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). - -type: long +This key is used to capture the threat description from the session directly or inferred -example: 137 +type: keyword -- -*`process.parent.hash.md5`*:: +*`rsa.threat.alert`*:: + -- -MD5 hash. +This key is used to capture name of the alert type: keyword -- -*`process.parent.hash.sha1`*:: +*`rsa.threat.threat_source`*:: + -- -SHA1 hash. +This key is used to capture source of the threat type: keyword -- -*`process.parent.hash.sha256`*:: + +*`rsa.crypto.crypto`*:: + -- -SHA256 hash. +This key is used to capture the Encryption Type or Encryption Key only type: keyword -- -*`process.parent.hash.sha512`*:: +*`rsa.crypto.cipher_src`*:: + -- -SHA512 hash. +This key is for Source (Client) Cipher type: keyword -- -*`process.parent.hash.ssdeep`*:: +*`rsa.crypto.cert_subject`*:: + -- -SSDEEP hash. +This key is used to capture the Certificate organization only type: keyword -- -*`process.parent.name`*:: +*`rsa.crypto.peer`*:: + -- -Process name. -Sometimes called program name or similar. 
+This key is for Encryption peer's IP Address type: keyword -example: ssh - -- -*`process.parent.name.text`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: text +This key captures Source (Client) Cipher Size + +type: long -- -*`process.parent.pe.architecture`*:: +*`rsa.crypto.ike`*:: + -- -CPU architecture target for the file. +IKE negotiation phase. type: keyword -example: x64 - -- -*`process.parent.pe.company`*:: +*`rsa.crypto.scheme`*:: + -- -Internal company name of the file, provided at compile-time. +This key captures the Encryption scheme used type: keyword -example: Microsoft Corporation - -- -*`process.parent.pe.description`*:: +*`rsa.crypto.peer_id`*:: + -- -Internal description of the file, provided at compile-time. +This key is for Encryption peer’s identity type: keyword -example: Paint - -- -*`process.parent.pe.file_version`*:: +*`rsa.crypto.sig_type`*:: + -- -Internal version of the file, provided at compile-time. +This key captures the Signature Type type: keyword -example: 6.3.9600.17415 - -- -*`process.parent.pe.imphash`*:: +*`rsa.crypto.cert_issuer`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - type: keyword -example: 0c6803c4e922103c4dca5963aad36ddf - -- -*`process.parent.pe.original_file_name`*:: +*`rsa.crypto.cert_host_name`*:: + -- -Internal name of the file, provided at compile-time. +Deprecated key defined only in table map. type: keyword -example: MSPAINT.EXE - -- -*`process.parent.pe.product`*:: +*`rsa.crypto.cert_error`*:: + -- -Internal product name of the file, provided at compile-time. 
+This key captures the Certificate Error String type: keyword -example: Microsoft® Windows® Operating System - -- -*`process.parent.pgid`*:: +*`rsa.crypto.cipher_dst`*:: + -- -Identifier of the group of processes the process belongs to. - -type: long +This key is for Destination (Server) Cipher -format: string +type: keyword -- -*`process.parent.pid`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -Process id. +This key captures Destination (Server) Cipher Size type: long -example: 4242 - -format: string - -- -*`process.parent.ppid`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -Parent process' pid. - -type: long - -example: 4241 +Deprecated, use version -format: string +type: keyword -- -*`process.parent.start`*:: +*`rsa.crypto.d_certauth`*:: + -- -The time the process started. - -type: date - -example: 2016-05-23T08:05:34.853Z +type: keyword -- -*`process.parent.thread.id`*:: +*`rsa.crypto.s_certauth`*:: + -- -Thread ID. - -type: long - -example: 4242 - -format: string +type: keyword -- -*`process.parent.thread.name`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -Thread name. +ID of the negotiation — sent for ISAKMP Phase One type: keyword -example: thread-0 - -- -*`process.parent.title`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +ID of the negotiation — sent for ISAKMP Phase Two type: keyword -- -*`process.parent.title.text`*:: +*`rsa.crypto.cert_checksum`*:: + -- -type: text +type: keyword -- -*`process.parent.uptime`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -Seconds the process has been up. - -type: long +This key is used for the hostname category value of a certificate -example: 1325 +type: keyword -- -*`process.parent.working_directory`*:: +*`rsa.crypto.cert_serial`*:: + -- -The working directory of the process. 
+This key is used to capture the Certificate serial number only type: keyword -example: /home/alice - -- -*`process.parent.working_directory.text`*:: +*`rsa.crypto.cert_status`*:: + -- -type: text +This key captures Certificate validation status + +type: keyword -- -*`process.pe.architecture`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -CPU architecture target for the file. +Deprecated, use version type: keyword -example: x64 - -- -*`process.pe.company`*:: +*`rsa.crypto.cert_keysize`*:: + -- -Internal company name of the file, provided at compile-time. - type: keyword -example: Microsoft Corporation - -- -*`process.pe.description`*:: +*`rsa.crypto.cert_username`*:: + -- -Internal description of the file, provided at compile-time. - type: keyword -example: Paint - -- -*`process.pe.file_version`*:: +*`rsa.crypto.https_insact`*:: + -- -Internal version of the file, provided at compile-time. - type: keyword -example: 6.3.9600.17415 - -- -*`process.pe.imphash`*:: +*`rsa.crypto.https_valid`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - type: keyword -example: 0c6803c4e922103c4dca5963aad36ddf - -- -*`process.pe.original_file_name`*:: +*`rsa.crypto.cert_ca`*:: + -- -Internal name of the file, provided at compile-time. +This key is used to capture the Certificate signing authority only type: keyword -example: MSPAINT.EXE - -- -*`process.pe.product`*:: +*`rsa.crypto.cert_common`*:: + -- -Internal product name of the file, provided at compile-time. 
+This key is used to capture the Certificate common name only type: keyword -example: Microsoft® Windows® Operating System - -- -*`process.pgid`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -Identifier of the group of processes the process belongs to. - -type: long +This key is used to capture the ssid of a Wireless Session -format: string +type: keyword -- -*`process.pid`*:: +*`rsa.wireless.access_point`*:: + -- -Process id. - -type: long - -example: 4242 +This key is used to capture the access point name. -format: string +type: keyword -- -*`process.ppid`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Parent process' pid. +This is used to capture the channel names type: long -example: 4241 - -format: string - -- -*`process.start`*:: +*`rsa.wireless.wlan_name`*:: + -- -The time the process started. - -type: date +This key captures either WLAN number/name -example: 2016-05-23T08:05:34.853Z +type: keyword -- -*`process.thread.id`*:: + +*`rsa.storage.disk_volume`*:: + -- -Thread ID. - -type: long - -example: 4242 +A unique name assigned to logical units (volumes) within a physical disk -format: string +type: keyword -- -*`process.thread.name`*:: +*`rsa.storage.lun`*:: + -- -Thread name. +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -example: thread-0 - -- -*`process.title`*:: +*`rsa.storage.pwwn`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +This uniquely identifies a port on a HBA. type: keyword -- -*`process.title.text`*:: -+ --- -type: text - --- -*`process.uptime`*:: +*`rsa.physical.org_dst`*:: + -- -Seconds the process has been up. - -type: long +This is used to capture the destination organization based on the GEOPIP Maxmind database. -example: 1325 +type: keyword -- -*`process.working_directory`*:: +*`rsa.physical.org_src`*:: + -- -The working directory of the process. 
+This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -example: /home/alice - -- -*`process.working_directory.text`*:: -+ --- -type: text +*`rsa.healthcare.patient_fname`*:: ++ -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -[float] -=== registry - -Fields related to Windows Registry operations. +type: keyword +-- -*`registry.data.bytes`*:: +*`rsa.healthcare.patient_id`*:: + -- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. +This key captures the unique ID for a patient type: keyword -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - -- -*`registry.data.strings`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: ["C:\rta\red_ttp\bin\myapp.exe"] - -- -*`registry.data.type`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Standard registry type for encoding contents +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: REG_SZ - -- -*`registry.hive`*:: + +*`rsa.endpoint.host_state`*:: + -- -Abbreviated name for the hive. 
+This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -example: HKLM - -- -*`registry.key`*:: +*`rsa.endpoint.registry_key`*:: + -- -Hive-relative path of keys. +This key captures the path to the registry key type: keyword -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - -- -*`registry.path`*:: +*`rsa.endpoint.registry_value`*:: + -- -Full path, including hive, key and value +This key captures values or decorators used within a registry entry type: keyword -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - -- -*`registry.value`*:: -+ --- -Name of the value written. +[[exported-fields-docker-processor]] +== Docker fields -type: keyword +Docker stats collected from Docker. -example: Debugger --- -[float] -=== related -This field set is meant to facilitate pivoting around a piece of data. -Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. +*`docker.container.id`*:: ++ +-- +type: alias +alias to: container.id -*`related.hash`*:: +-- + +*`docker.container.image`*:: + -- -All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). +type: alias -type: keyword +alias to: container.image.name -- -*`related.hosts`*:: +*`docker.container.name`*:: + -- -All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. +type: alias -type: keyword +alias to: container.name -- -*`related.ip`*:: +*`docker.container.labels`*:: + -- -All of the IPs seen on your event. +Image labels. -type: ip + +type: object -- -*`related.user`*:: +[[exported-fields-ecs]] +== ECS fields + + +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {es}. + +This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. +The goal of ECS is to enable and encourage users of {es} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. + +See the {ecs-ref}[ECS reference] for more information. + +*`@timestamp`*:: + -- -All the user names or other user identifiers seen on the event. +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. -type: keyword +type: date + +example: 2016-05-23T08:05:34.853Z + +required: True -- -[float] -=== rule +*`labels`*:: ++ +-- +Custom key/value pairs. +Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. +Example: `docker` and `k8s` labels. -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. -Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. 
+type: object +example: {"application": "foo-bar", "env": "production"} -*`rule.author`*:: +-- + +*`message`*:: + -- -Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. +For log events the message field contains the log message, optimized for viewing in a log viewer. +For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. +If multiple messages exist, they can be combined into one message. -type: keyword +type: text -example: ["Star-Lord"] +example: Hello World -- -*`rule.category`*:: +*`tags`*:: + -- -A categorization value keyword used by the entity using the rule for detection of this event. +List of keywords used to tag each event. type: keyword -example: Attempted Information Leak +example: ["production", "env2"] -- -*`rule.description`*:: +[float] +=== agent + +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. + + +*`agent.build.original`*:: + -- -The description of the rule generating the event. +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. type: keyword -example: Block requests to public DNS over HTTPS / TLS protocols +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] -- -*`rule.id`*:: +*`agent.ephemeral_id`*:: + -- -A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. +Ephemeral identifier of this agent (if one exists). 
+This id normally changes across restarts, but `agent.id` does not. type: keyword -example: 101 +example: 8a4f500f -- -*`rule.license`*:: +*`agent.id`*:: + -- -Name of the license under which the rule used to generate this event is made available. +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. type: keyword -example: Apache 2.0 +example: 8a4f500d -- -*`rule.name`*:: +*`agent.name`*:: + -- -The name of the rule or signature generating the event. +Custom name of the agent. +This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. +If no name is given, the name is often left empty. type: keyword -example: BLOCK_DNS_over_TLS +example: foo -- -*`rule.reference`*:: +*`agent.type`*:: + -- -Reference URL to additional information about the rule used to generate this event. -The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. +Type of the agent. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword -example: https://en.wikipedia.org/wiki/DNS_over_TLS +example: filebeat -- -*`rule.ruleset`*:: +*`agent.version`*:: + -- -Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. +Version of the agent. 
type: keyword -example: Standard_Protocol_Filters +example: 6.0.0-rc2 -- -*`rule.uuid`*:: +[float] +=== as + +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + + +*`as.number`*:: + -- -A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -type: keyword +type: long -example: 1100110011 +example: 15169 -- -*`rule.version`*:: +*`as.organization.name`*:: + -- -The version / revision of the rule being used for analysis. +Organization name. type: keyword -example: 1.1 +example: Google LLC + +-- + +*`as.organization.name.text`*:: ++ +-- +type: text -- [float] -=== server +=== client -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). 
For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
-*`server.address`*::
+*`client.address`*:: + --
-Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword --
-*`server.as.number`*::
+*`client.as.number`*:: + -- Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
@@ -42000,7 +40460,7 @@ example: 15169 --
-*`server.as.organization.name`*::
+*`client.as.organization.name`*:: + -- Organization name.
@@ -42011,17 +40471,17 @@ example: Google LLC --
-*`server.as.organization.name.text`*::
+*`client.as.organization.name.text`*:: + -- type: text --
-*`server.bytes`*::
+*`client.bytes`*:: + --
-Bytes sent from the server to the client.
+Bytes sent from the client to the server. type: long
@@ -42031,16 +40491,16 @@ format: bytes --
-*`server.domain`*::
+*`client.domain`*:: + --
-Server domain.
+Client domain. type: keyword --
-*`server.geo.city_name`*::
+*`client.geo.city_name`*:: + -- City name.
@@ -42051,7 +40511,7 @@ example: Montreal --
-*`server.geo.continent_code`*::
+*`client.geo.continent_code`*:: + -- Two-letter code representing continent's name.
@@ -42062,7 +40522,7 @@ example: NA --
-*`server.geo.continent_name`*::
+*`client.geo.continent_name`*:: + -- Name of the continent.
@@ -42073,7 +40533,7 @@ example: North America --
-*`server.geo.country_iso_code`*::
+*`client.geo.country_iso_code`*:: + -- Country ISO code.
@@ -42084,7 +40544,7 @@ example: CA --
-*`server.geo.country_name`*::
+*`client.geo.country_name`*:: + -- Country name.
@@ -42095,7 +40555,7 @@ example: Canada --
-*`server.geo.location`*::
+*`client.geo.location`*:: + -- Longitude and latitude.
@@ -42106,7 +40566,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } --
-*`server.geo.name`*::
+*`client.geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about.
@@ -42119,7 +40579,7 @@ example: boston-dc --
-*`server.geo.postal_code`*::
+*`client.geo.postal_code`*:: + -- Postal code associated with the location.
@@ -42131,7 +40591,7 @@ example: 94040 --
-*`server.geo.region_iso_code`*::
+*`client.geo.region_iso_code`*:: + -- Region ISO code.
@@ -42142,7 +40602,7 @@ example: CA-QC --
-*`server.geo.region_name`*::
+*`client.geo.region_name`*:: + -- Region name.
@@ -42153,7 +40613,7 @@ example: Quebec --
-*`server.geo.timezone`*::
+*`client.geo.timezone`*:: + -- The time zone of the location, such as IANA time zone name.
@@ -42164,19 +40624,19 @@ example: America/Argentina/Buenos_Aires --
-*`server.ip`*::
+*`client.ip`*:: + --
-IP address of the server (IPv4 or IPv6).
+IP address of the client (IPv4 or IPv6). type: ip --
-*`server.mac`*::
+*`client.mac`*:: + --
-MAC address of the server.
+MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword
@@ -42185,21 +40645,21 @@ example: 00-00-5E-00-53-23 --
-*`server.nat.ip`*::
+*`client.nat.ip`*:: + --
-Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
-Typically used with load balancers, firewalls, or routers.
+Translated IP of source based NAT sessions (e.g. internal client to internet).
+Typically connections traversing load balancers, firewalls, or routers. type: ip --
-*`server.nat.port`*::
+*`client.nat.port`*:: + --
-Translated port of destination based NAT sessions (e.g. internet to private DMZ)
-Typically used with load balancers, firewalls, or routers.
+Translated port of source based NAT sessions (e.g. internal client to internet).
+Typically connections traversing load balancers, firewalls, or routers. type: long
@@ -42207,10 +40667,10 @@ format: string --
-*`server.packets`*::
+*`client.packets`*:: + --
-Packets sent from the server to the client.
+Packets sent from the client to the server. type: long
@@ -42218,10 +40678,10 @@ example: 12 --
-*`server.port`*::
+*`client.port`*:: + --
-Port of the server.
+Port of the client. type: long
@@ -42229,10 +40689,10 @@ format: string -- -*`server.registered_domain`*:: +*`client.registered_domain`*:: + -- -The highest registered server domain, stripped of the subdomain. +The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". @@ -42242,7 +40702,7 @@ example: example.com -- -*`server.subdomain`*:: +*`client.subdomain`*:: + -- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. @@ -42254,7 +40714,7 @@ example: east -- -*`server.top_level_domain`*:: +*`client.top_level_domain`*:: + -- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -42266,7 +40726,7 @@ example: co.uk -- -*`server.user.domain`*:: +*`client.user.domain`*:: + -- Name of the directory the user is a member of. @@ -42276,7 +40736,7 @@ type: keyword -- -*`server.user.email`*:: +*`client.user.email`*:: + -- User email address. @@ -42285,7 +40745,7 @@ type: keyword -- -*`server.user.full_name`*:: +*`client.user.full_name`*:: + -- User's full name, if available. @@ -42296,14 +40756,14 @@ example: Albert Einstein -- -*`server.user.full_name.text`*:: +*`client.user.full_name.text`*:: + -- type: text -- -*`server.user.group.domain`*:: +*`client.user.group.domain`*:: + -- Name of the directory the group is a member of. 
@@ -42313,7 +40773,7 @@ type: keyword -- -*`server.user.group.id`*:: +*`client.user.group.id`*:: + -- Unique identifier for the group on the system/platform. @@ -42322,7 +40782,7 @@ type: keyword -- -*`server.user.group.name`*:: +*`client.user.group.name`*:: + -- Name of the group. @@ -42331,7 +40791,7 @@ type: keyword -- -*`server.user.hash`*:: +*`client.user.hash`*:: + -- Unique user hash to correlate information for a user in anonymized form. @@ -42341,7 +40801,7 @@ type: keyword -- -*`server.user.id`*:: +*`client.user.id`*:: + -- Unique identifier of the user. @@ -42350,7 +40810,7 @@ type: keyword -- -*`server.user.name`*:: +*`client.user.name`*:: + -- Short name or login of the user. @@ -42361,14 +40821,14 @@ example: albert -- -*`server.user.name.text`*:: +*`client.user.name.text`*:: + -- type: text -- -*`server.user.roles`*:: +*`client.user.roles`*:: + -- Array of user roles at the time of the event. 
@@ -42380,2898 +40840,2896 @@ example: ["kibana_admin", "reporting_user"] -- [float] -=== service +=== cloud -The service fields describe the service for or from which the data was collected. -These fields help you find and correlate logs for a specific service and version. +Fields related to the cloud or infrastructure the events are coming from. -*`service.ephemeral_id`*:: +*`cloud.account.id`*:: + -- -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. type: keyword -example: 8a4f500f +example: 666777888999 -- -*`service.id`*:: +*`cloud.account.name`*:: + -- -Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. -This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. -Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. type: keyword -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 +example: elastic-dev -- -*`service.name`*:: +*`cloud.availability_zone`*:: + -- -Name of the service data is collected from. -The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. -In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. 
+Availability zone in which this host, resource, or service is located. type: keyword -example: elasticsearch-metrics +example: us-east-1c -- -*`service.node.name`*:: +*`cloud.instance.id`*:: + -- -Name of a service node. -This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. -In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +Instance ID of the host machine. type: keyword -example: instance-0000000016 +example: i-1234567890abcdef0 -- -*`service.state`*:: +*`cloud.instance.name`*:: + -- -Current state of the service. +Instance name of the host machine. type: keyword -- -*`service.type`*:: +*`cloud.machine.type`*:: + -- -The type of the service data is collected from. -The type can be used to group and correlate logs and metrics from one service type. -Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. +Machine type of the host machine. type: keyword -example: elasticsearch +example: t2.medium -- -*`service.version`*:: +*`cloud.project.id`*:: + -- -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. type: keyword -example: 3.2.4 +example: my-project -- -[float] -=== source - -Source fields capture details about the sender of a network exchange/packet. 
These fields are populated from a network event, packet, or other event containing details of a network transaction. -Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. - - -*`source.address`*:: +*`cloud.project.name`*:: + -- -Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. type: keyword +example: my project + -- -*`source.as.number`*:: +*`cloud.provider`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. -type: long +type: keyword -example: 15169 +example: aws -- -*`source.as.organization.name`*:: +*`cloud.region`*:: + -- -Organization name. +Region in which this host, resource, or service is located. type: keyword -example: Google LLC +example: us-east-1 -- -*`source.as.organization.name.text`*:: +*`cloud.service.name`*:: + -- -type: text +The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. +Examples: app engine, app service, cloud run, fargate, lambda. --- +type: keyword -*`source.bytes`*:: -+ --- -Bytes sent from the source to the destination. 
+example: lambda -type: long +-- -example: 184 +[float] +=== code_signature -format: bytes +These fields contain information about binary code signatures. --- -*`source.domain`*:: +*`code_signature.exists`*:: + -- -Source domain. +Boolean to capture if a signature is present. -type: keyword +type: boolean + +example: true -- -*`source.geo.city_name`*:: +*`code_signature.signing_id`*:: + -- -City name. +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword -example: Montreal +example: com.apple.xpc.proxy -- -*`source.geo.continent_code`*:: +*`code_signature.status`*:: + -- -Two-letter code representing continent's name. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword -example: NA +example: ERROR_UNTRUSTED_ROOT -- -*`source.geo.continent_name`*:: +*`code_signature.subject_name`*:: + -- -Name of the continent. +Subject name of the code signer type: keyword -example: North America +example: Microsoft Corporation -- -*`source.geo.country_iso_code`*:: +*`code_signature.team_id`*:: + -- -Country ISO code. +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. type: keyword -example: CA +example: EQHXZ8M8AV -- -*`source.geo.country_name`*:: +*`code_signature.trusted`*:: + -- -Country name. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean -example: Canada +example: true -- -*`source.geo.location`*:: +*`code_signature.valid`*:: + -- -Longitude and latitude. 
- -type: geo_point +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -example: { "lon": -73.614830, "lat": 45.505918 } +type: boolean --- +example: true -*`source.geo.name`*:: -+ -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. -type: keyword +[float] +=== container -example: boston-dc +Container fields are used for meta information about the specific container that is the source of information. +These fields help correlate data based containers from any runtime. --- -*`source.geo.postal_code`*:: +*`container.id`*:: + -- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. +Unique container id. type: keyword -example: 94040 - -- -*`source.geo.region_iso_code`*:: +*`container.image.name`*:: + -- -Region ISO code. +Name of the image the container was built on. type: keyword -example: CA-QC - -- -*`source.geo.region_name`*:: +*`container.image.tag`*:: + -- -Region name. +Container image tags. type: keyword -example: Quebec - -- -*`source.geo.timezone`*:: +*`container.labels`*:: + -- -The time zone of the location, such as IANA time zone name. - -type: keyword +Image labels. -example: America/Argentina/Buenos_Aires +type: object -- -*`source.ip`*:: +*`container.name`*:: + -- -IP address of the source (IPv4 or IPv6). +Container name. -type: ip +type: keyword -- -*`source.mac`*:: +*`container.runtime`*:: + -- -MAC address of the source. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
+Runtime managing this container. type: keyword -example: 00-00-5E-00-53-23 +example: docker -- -*`source.nat.ip`*:: -+ --- -Translated ip of source based NAT sessions (e.g. internal client to internet) -Typically connections traversing load balancers, firewalls, or routers. +[float] +=== data_stream -type: ip +The data_stream fields take part in defining the new data stream naming scheme. +In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. +An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. --- -*`source.nat.port`*:: +*`data_stream.dataset`*:: + -- -Translated port of source based NAT sessions. (e.g. internal client to internet) -Typically used with load balancers, firewalls, or routers. - -type: long - -format: string +The field can contain anything that makes sense to signify the source of the data. +Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. 
+Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: + * Must not contain `-` + * No longer than 100 characters + +type: constant_keyword + +example: nginx.access -- -*`source.packets`*:: +*`data_stream.namespace`*:: + -- -Packets sent from the source to the destination. +A user defined namespace. Namespaces are useful to allow grouping of data. +Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. +Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: + * Must not contain `-` + * No longer than 100 characters -type: long +type: constant_keyword -example: 12 +example: production -- -*`source.port`*:: +*`data_stream.type`*:: + -- -Port of the source. - -type: long +An overarching type for the data stream. +Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. -format: string +type: constant_keyword --- +example: logs -*`source.registered_domain`*:: -+ -- -The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: keyword +[float] +=== destination -example: example.com +Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Destination fields are usually populated in conjunction with source fields. 
The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. --- -*`source.subdomain`*:: +*`destination.address`*:: + -- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. +Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -example: east - -- -*`source.top_level_domain`*:: +*`destination.as.number`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -type: keyword +type: long -example: co.uk +example: 15169 -- -*`source.user.domain`*:: +*`destination.as.organization.name`*:: + -- -Name of the directory the user is a member of. 
-For example, an LDAP or Active Directory domain name. +Organization name. type: keyword +example: Google LLC + -- -*`source.user.email`*:: +*`destination.as.organization.name.text`*:: + -- -User email address. - -type: keyword +type: text -- -*`source.user.full_name`*:: +*`destination.bytes`*:: + -- -User's full name, if available. - -type: keyword +Bytes sent from the destination to the source. -example: Albert Einstein +type: long --- +example: 184 -*`source.user.full_name.text`*:: -+ --- -type: text +format: bytes -- -*`source.user.group.domain`*:: +*`destination.domain`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Destination domain. type: keyword -- -*`source.user.group.id`*:: +*`destination.geo.city_name`*:: + -- -Unique identifier for the group on the system/platform. +City name. type: keyword +example: Montreal + -- -*`source.user.group.name`*:: +*`destination.geo.continent_code`*:: + -- -Name of the group. +Two-letter code representing continent's name. type: keyword +example: NA + -- -*`source.user.hash`*:: +*`destination.geo.continent_name`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +Name of the continent. type: keyword +example: North America + -- -*`source.user.id`*:: +*`destination.geo.country_iso_code`*:: + -- -Unique identifier of the user. +Country ISO code. type: keyword +example: CA + -- -*`source.user.name`*:: +*`destination.geo.country_name`*:: + -- -Short name or login of the user. +Country name. type: keyword -example: albert +example: Canada -- -*`source.user.name.text`*:: +*`destination.geo.location`*:: + -- -type: text +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`source.user.roles`*:: +*`destination.geo.name`*:: + -- -Array of user roles at the time of the event. 
+User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: ["kibana_admin", "reporting_user"] +example: boston-dc -- -[float] -=== threat - -Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. -These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). - - -*`threat.enrichments`*:: +*`destination.geo.postal_code`*:: + -- -A list of associated indicators objects enriching the event, and the context of that association/enrichment. +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. -type: nested +type: keyword + +example: 94040 -- -*`threat.enrichments.indicator`*:: +*`destination.geo.region_iso_code`*:: + -- -Object containing associated indicators enriching the event. +Region ISO code. -type: object +type: keyword + +example: CA-QC -- -*`threat.enrichments.indicator.as.number`*:: +*`destination.geo.region_name`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +Region name. -type: long +type: keyword -example: 15169 +example: Quebec -- -*`threat.enrichments.indicator.as.organization.name`*:: +*`destination.geo.timezone`*:: + -- -Organization name. +The time zone of the location, such as IANA time zone name. 
type: keyword -example: Google LLC +example: America/Argentina/Buenos_Aires -- -*`threat.enrichments.indicator.as.organization.name.text`*:: +*`destination.ip`*:: + -- -type: text +IP address of the destination (IPv4 or IPv6). + +type: ip -- -*`threat.enrichments.indicator.confidence`*:: +*`destination.mac`*:: + -- -Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values: - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) +MAC address of the destination. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword -example: High +example: 00-00-5E-00-53-23 -- -*`threat.enrichments.indicator.description`*:: +*`destination.nat.ip`*:: + -- -Describes the type of action conducted by the threat. - -type: keyword +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. -example: IP x.x.x.x was observed delivering the Angler EK. +type: ip -- -*`threat.enrichments.indicator.email.address`*:: +*`destination.nat.port`*:: + -- -Identifies a threat indicator as an email address (irrespective of direction). +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. -type: keyword +type: long -example: phish@example.com +format: string -- -*`threat.enrichments.indicator.file.accessed`*:: +*`destination.packets`*:: + -- -Last time the file was accessed. -Note that not all filesystems keep track of access time. +Packets sent from the destination to the source. -type: date +type: long + +example: 12 -- -*`threat.enrichments.indicator.file.attributes`*:: +*`destination.port`*:: + -- -Array of file attributes. 
-Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +Port of the destination. -type: keyword +type: long -example: ["readonly", "system"] +format: string -- -*`threat.enrichments.indicator.file.code_signature.exists`*:: +*`destination.registered_domain`*:: + -- -Boolean to capture if a signature is present. +The highest registered destination domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: boolean +type: keyword -example: true +example: example.com -- -*`threat.enrichments.indicator.file.code_signature.signing_id`*:: +*`destination.subdomain`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. type: keyword -example: com.apple.xpc.proxy +example: east -- -*`threat.enrichments.indicator.file.code_signature.status`*:: +*`destination.top_level_domain`*:: + -- -Additional information about the certificate status. 
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword -example: ERROR_UNTRUSTED_ROOT +example: co.uk -- -*`threat.enrichments.indicator.file.code_signature.subject_name`*:: +*`destination.user.domain`*:: + -- -Subject name of the code signer +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: Microsoft Corporation - -- -*`threat.enrichments.indicator.file.code_signature.team_id`*:: +*`destination.user.email`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. +User email address. type: keyword -example: EQHXZ8M8AV - -- -*`threat.enrichments.indicator.file.code_signature.trusted`*:: +*`destination.user.full_name`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +User's full name, if available. -type: boolean +type: keyword -example: true +example: Albert Einstein -- -*`threat.enrichments.indicator.file.code_signature.valid`*:: +*`destination.user.full_name.text`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. 
- -type: boolean - -example: true +type: text -- -*`threat.enrichments.indicator.file.created`*:: +*`destination.user.group.domain`*:: + -- -File creation time. -Note that not all filesystems store the creation time. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. -type: date +type: keyword -- -*`threat.enrichments.indicator.file.ctime`*:: +*`destination.user.group.id`*:: + -- -Last time the file attributes or metadata changed. -Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. +Unique identifier for the group on the system/platform. -type: date +type: keyword -- -*`threat.enrichments.indicator.file.device`*:: +*`destination.user.group.name`*:: + -- -Device that is the source of the file. +Name of the group. type: keyword -example: sda - -- -*`threat.enrichments.indicator.file.directory`*:: +*`destination.user.hash`*:: + -- -Directory where the file is located. It should include the drive letter, when appropriate. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -example: /home/alice - -- -*`threat.enrichments.indicator.file.drive_letter`*:: +*`destination.user.id`*:: + -- -Drive letter where the file is located. This field is only relevant on Windows. -The value should be uppercase, and not include the colon. +Unique identifier of the user. type: keyword -example: C - -- -*`threat.enrichments.indicator.file.elf.architecture`*:: +*`destination.user.name`*:: + -- -Machine architecture of the ELF file. +Short name or login of the user. type: keyword -example: x86-64 +example: albert -- -*`threat.enrichments.indicator.file.elf.byte_order`*:: +*`destination.user.name.text`*:: + -- -Byte sequence of ELF file. 
- -type: keyword - -example: Little Endian +type: text -- -*`threat.enrichments.indicator.file.elf.cpu_type`*:: +*`destination.user.roles`*:: + -- -CPU type of the ELF file. +Array of user roles at the time of the event. type: keyword -example: Intel +example: ["kibana_admin", "reporting_user"] -- -*`threat.enrichments.indicator.file.elf.creation_date`*:: -+ --- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +[float] +=== dll -type: date +These fields contain information about code libraries dynamically loaded into processes. --- +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS -*`threat.enrichments.indicator.file.elf.exports`*:: + +*`dll.code_signature.exists`*:: + -- -List of exported element names and types. +Boolean to capture if a signature is present. -type: flattened +type: boolean + +example: true -- -*`threat.enrichments.indicator.file.elf.header.abi_version`*:: +*`dll.code_signature.signing_id`*:: + -- -Version of the ELF Application Binary Interface (ABI). +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword +example: com.apple.xpc.proxy + -- -*`threat.enrichments.indicator.file.elf.header.class`*:: +*`dll.code_signature.status`*:: + -- -Header class of the ELF file. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`threat.enrichments.indicator.file.elf.header.data`*:: +*`dll.code_signature.subject_name`*:: + -- -Data table of the ELF header. +Subject name of the code signer type: keyword +example: Microsoft Corporation + -- -*`threat.enrichments.indicator.file.elf.header.entrypoint`*:: +*`dll.code_signature.team_id`*:: + -- -Header entrypoint of the ELF file. +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. -type: long +type: keyword -format: string +example: EQHXZ8M8AV -- -*`threat.enrichments.indicator.file.elf.header.object_version`*:: +*`dll.code_signature.trusted`*:: + -- -"0x1" for original ELF files. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean + +example: true -- -*`threat.enrichments.indicator.file.elf.header.os_abi`*:: +*`dll.code_signature.valid`*:: + -- -Application Binary Interface (ABI) of the Linux OS. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: keyword +type: boolean + +example: true -- -*`threat.enrichments.indicator.file.elf.header.type`*:: +*`dll.hash.md5`*:: + -- -Header type of the ELF file. +MD5 hash. type: keyword -- -*`threat.enrichments.indicator.file.elf.header.version`*:: +*`dll.hash.sha1`*:: + -- -Version of the ELF header. +SHA1 hash. type: keyword -- -*`threat.enrichments.indicator.file.elf.imports`*:: +*`dll.hash.sha256`*:: + -- -List of imported element names and types. +SHA256 hash. -type: flattened +type: keyword -- -*`threat.enrichments.indicator.file.elf.sections`*:: +*`dll.hash.sha512`*:: + -- -An array containing an object for each section of the ELF file. 
-The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. +SHA512 hash. -type: nested +type: keyword -- -*`threat.enrichments.indicator.file.elf.sections.chi2`*:: +*`dll.hash.ssdeep`*:: + -- -Chi-square probability distribution of the section. - -type: long +SSDEEP hash. -format: number +type: keyword -- -*`threat.enrichments.indicator.file.elf.sections.entropy`*:: +*`dll.name`*:: + -- -Shannon entropy calculation from the section. +Name of the library. +This generally maps to the name of the file on disk. -type: long +type: keyword -format: number +example: kernel32.dll -- -*`threat.enrichments.indicator.file.elf.sections.flags`*:: +*`dll.path`*:: + -- -ELF Section List flags. +Full file path of the library. type: keyword +example: C:\Windows\System32\kernel32.dll + -- -*`threat.enrichments.indicator.file.elf.sections.name`*:: +*`dll.pe.architecture`*:: + -- -ELF Section List name. +CPU architecture target for the file. type: keyword +example: x64 + -- -*`threat.enrichments.indicator.file.elf.sections.physical_offset`*:: +*`dll.pe.company`*:: + -- -ELF Section List offset. +Internal company name of the file, provided at compile-time. type: keyword +example: Microsoft Corporation + -- -*`threat.enrichments.indicator.file.elf.sections.physical_size`*:: +*`dll.pe.description`*:: + -- -ELF Section List physical size. +Internal description of the file, provided at compile-time. -type: long +type: keyword -format: bytes +example: Paint -- -*`threat.enrichments.indicator.file.elf.sections.type`*:: +*`dll.pe.file_version`*:: + -- -ELF Section List type. +Internal version of the file, provided at compile-time. type: keyword +example: 6.3.9600.17415 + -- -*`threat.enrichments.indicator.file.elf.sections.virtual_address`*:: +*`dll.pe.imphash`*:: + -- -ELF Section List virtual address. +A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. -type: long +type: keyword -format: string +example: 0c6803c4e922103c4dca5963aad36ddf -- -*`threat.enrichments.indicator.file.elf.sections.virtual_size`*:: +*`dll.pe.original_file_name`*:: + -- -ELF Section List virtual size. +Internal name of the file, provided at compile-time. -type: long +type: keyword -format: string +example: MSPAINT.EXE -- -*`threat.enrichments.indicator.file.elf.segments`*:: +*`dll.pe.product`*:: + -- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. +Internal product name of the file, provided at compile-time. -type: nested +type: keyword + +example: Microsoft® Windows® Operating System -- -*`threat.enrichments.indicator.file.elf.segments.sections`*:: -+ --- -ELF object segment sections. +[float] +=== dns -type: keyword +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). --- -*`threat.enrichments.indicator.file.elf.segments.type`*:: +*`dns.answers`*:: + -- -ELF object segment type. +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. 
If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. -type: keyword +type: object -- -*`threat.enrichments.indicator.file.elf.shared_libraries`*:: +*`dns.answers.class`*:: + -- -List of shared libraries used by this ELF object. +The class of DNS data contained in this resource record. type: keyword +example: IN + -- -*`threat.enrichments.indicator.file.elf.telfhash`*:: +*`dns.answers.data`*:: + -- -telfhash symbol hash for ELF file. +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. type: keyword +example: 10.10.10.10 + -- -*`threat.enrichments.indicator.file.extension`*:: +*`dns.answers.name`*:: + -- -File extension, excluding the leading dot. -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. type: keyword -example: png +example: www.example.com -- -*`threat.enrichments.indicator.file.gid`*:: +*`dns.answers.ttl`*:: + -- -Primary group ID (GID) of the file. +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. -type: keyword +type: long -example: 1001 +example: 180 -- -*`threat.enrichments.indicator.file.group`*:: +*`dns.answers.type`*:: + -- -Primary group name of the file. +The type of data contained in this resource record. type: keyword -example: alice +example: CNAME -- -*`threat.enrichments.indicator.file.inode`*:: +*`dns.header_flags`*:: + -- -Inode representing the file in the filesystem. +Array of 2 letter DNS header flags. +Expected values are: AA, TC, RD, RA, AD, CD, DO. 
type: keyword -example: 256383 +example: ["RD", "RA"] -- -*`threat.enrichments.indicator.file.mime_type`*:: +*`dns.id`*:: + -- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. type: keyword +example: 62111 + -- -*`threat.enrichments.indicator.file.mode`*:: +*`dns.op_code`*:: + -- -Mode of the file in octal representation. +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. type: keyword -example: 0640 +example: QUERY -- -*`threat.enrichments.indicator.file.mtime`*:: +*`dns.question.class`*:: + -- -Last time the file content was modified. +The class of records being queried. -type: date +type: keyword + +example: IN -- -*`threat.enrichments.indicator.file.name`*:: +*`dns.question.name`*:: + -- -Name of the file including the extension, without the directory. +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. type: keyword -example: example.png +example: www.example.com -- -*`threat.enrichments.indicator.file.owner`*:: +*`dns.question.registered_domain`*:: + -- -File owner's username. +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: alice +example: example.com -- -*`threat.enrichments.indicator.file.path`*:: +*`dns.question.subdomain`*:: + -- -Full path to the file, including the file name. It should include the drive letter, when appropriate. +The subdomain is all of the labels under the registered_domain. +If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. type: keyword -example: /home/alice/example.png - --- - -*`threat.enrichments.indicator.file.path.text`*:: -+ --- -type: text +example: www -- -*`threat.enrichments.indicator.file.size`*:: +*`dns.question.top_level_domain`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". -type: long +type: keyword -example: 16384 +example: co.uk -- -*`threat.enrichments.indicator.file.target_path`*:: +*`dns.question.type`*:: + -- -Target path for symlinks. +The type of record being queried. type: keyword +example: AAAA + -- -*`threat.enrichments.indicator.file.target_path.text`*:: +*`dns.resolved_ip`*:: + -- -type: text +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
+ +type: ip + +example: ["10.10.10.10", "10.10.10.11"] -- -*`threat.enrichments.indicator.file.type`*:: +*`dns.response_code`*:: + -- -File type (file, dir, or symlink). +The DNS response code. type: keyword -example: file +example: NOERROR -- -*`threat.enrichments.indicator.file.uid`*:: +*`dns.type`*:: + -- -The user ID (UID) or security identifier (SID) of the file owner. +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. type: keyword -example: 1001 - --- +example: answer -*`threat.enrichments.indicator.first_seen`*:: -+ -- -The date and time when intelligence source first reported sighting this indicator. -type: date +[float] +=== ecs -example: 2020-11-05T17:25:47.000Z +Meta-information specific to ECS. --- -*`threat.enrichments.indicator.geo.city_name`*:: +*`ecs.version`*:: + -- -City name. +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. type: keyword -example: Montreal +example: 1.0.0 + +required: True -- -*`threat.enrichments.indicator.geo.continent_code`*:: +[float] +=== elf + +These fields contain Linux Executable Linkable Format (ELF) metadata. + + +*`elf.architecture`*:: + -- -Two-letter code representing continent's name. +Machine architecture of the ELF file. type: keyword -example: NA +example: x86-64 -- -*`threat.enrichments.indicator.geo.continent_name`*:: +*`elf.byte_order`*:: + -- -Name of the continent. +Byte sequence of ELF file. 
type: keyword -example: North America +example: Little Endian -- -*`threat.enrichments.indicator.geo.country_iso_code`*:: +*`elf.cpu_type`*:: + -- -Country ISO code. +CPU type of the ELF file. type: keyword -example: CA +example: Intel -- -*`threat.enrichments.indicator.geo.country_name`*:: +*`elf.creation_date`*:: + -- -Country name. - -type: keyword +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. -example: Canada +type: date -- -*`threat.enrichments.indicator.geo.location`*:: +*`elf.exports`*:: + -- -Longitude and latitude. - -type: geo_point +List of exported element names and types. -example: { "lon": -73.614830, "lat": 45.505918 } +type: flattened -- -*`threat.enrichments.indicator.geo.name`*:: +*`elf.header.abi_version`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +Version of the ELF Application Binary Interface (ABI). type: keyword -example: boston-dc - -- -*`threat.enrichments.indicator.geo.postal_code`*:: +*`elf.header.class`*:: + -- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. +Header class of the ELF file. type: keyword -example: 94040 - -- -*`threat.enrichments.indicator.geo.region_iso_code`*:: +*`elf.header.data`*:: + -- -Region ISO code. +Data table of the ELF header. type: keyword -example: CA-QC - -- -*`threat.enrichments.indicator.geo.region_name`*:: +*`elf.header.entrypoint`*:: + -- -Region name. +Header entrypoint of the ELF file. 
-type: keyword +type: long -example: Quebec +format: string -- -*`threat.enrichments.indicator.geo.timezone`*:: +*`elf.header.object_version`*:: + -- -The time zone of the location, such as IANA time zone name. +"0x1" for original ELF files. type: keyword -example: America/Argentina/Buenos_Aires - -- -*`threat.enrichments.indicator.hash.md5`*:: +*`elf.header.os_abi`*:: + -- -MD5 hash. +Application Binary Interface (ABI) of the Linux OS. type: keyword -- -*`threat.enrichments.indicator.hash.sha1`*:: +*`elf.header.type`*:: + -- -SHA1 hash. +Header type of the ELF file. type: keyword -- -*`threat.enrichments.indicator.hash.sha256`*:: +*`elf.header.version`*:: + -- -SHA256 hash. +Version of the ELF header. type: keyword -- -*`threat.enrichments.indicator.hash.sha512`*:: +*`elf.imports`*:: + -- -SHA512 hash. +List of imported element names and types. -type: keyword +type: flattened -- -*`threat.enrichments.indicator.hash.ssdeep`*:: +*`elf.sections`*:: + -- -SSDEEP hash. +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. -type: keyword +type: nested -- -*`threat.enrichments.indicator.ip`*:: +*`elf.sections.chi2`*:: + -- -Identifies a threat indicator as an IP address (irrespective of direction). +Chi-square probability distribution of the section. -type: ip +type: long -example: 1.2.3.4 +format: number -- -*`threat.enrichments.indicator.last_seen`*:: +*`elf.sections.entropy`*:: + -- -The date and time when intelligence source last reported sighting this indicator. +Shannon entropy calculation from the section. -type: date +type: long -example: 2020-11-05T17:25:47.000Z +format: number -- -*`threat.enrichments.indicator.marking.tlp`*:: +*`elf.sections.flags`*:: + -- -Traffic Light Protocol sharing markings. Recommended values are: - * WHITE - * GREEN - * AMBER - * RED +ELF Section List flags. 
type: keyword -example: White - -- -*`threat.enrichments.indicator.modified_at`*:: +*`elf.sections.name`*:: + -- -The date and time when intelligence source last modified information for this indicator. - -type: date +ELF Section List name. -example: 2020-11-05T17:25:47.000Z +type: keyword -- -*`threat.enrichments.indicator.pe.architecture`*:: +*`elf.sections.physical_offset`*:: + -- -CPU architecture target for the file. +ELF Section List offset. type: keyword -example: x64 - -- -*`threat.enrichments.indicator.pe.company`*:: +*`elf.sections.physical_size`*:: + -- -Internal company name of the file, provided at compile-time. +ELF Section List physical size. -type: keyword +type: long -example: Microsoft Corporation +format: bytes -- -*`threat.enrichments.indicator.pe.description`*:: +*`elf.sections.type`*:: + -- -Internal description of the file, provided at compile-time. +ELF Section List type. type: keyword -example: Paint - -- -*`threat.enrichments.indicator.pe.file_version`*:: +*`elf.sections.virtual_address`*:: + -- -Internal version of the file, provided at compile-time. +ELF Section List virtual address. -type: keyword +type: long -example: 6.3.9600.17415 +format: string -- -*`threat.enrichments.indicator.pe.imphash`*:: +*`elf.sections.virtual_size`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. +ELF Section List virtual size. -type: keyword +type: long -example: 0c6803c4e922103c4dca5963aad36ddf +format: string -- -*`threat.enrichments.indicator.pe.original_file_name`*:: +*`elf.segments`*:: + -- -Internal name of the file, provided at compile-time. - -type: keyword +An array containing an object for each segment of the ELF file. 
+The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. -example: MSPAINT.EXE +type: nested -- -*`threat.enrichments.indicator.pe.product`*:: +*`elf.segments.sections`*:: + -- -Internal product name of the file, provided at compile-time. +ELF object segment sections. type: keyword -example: Microsoft® Windows® Operating System - -- -*`threat.enrichments.indicator.port`*:: +*`elf.segments.type`*:: + -- -Identifies a threat indicator as a port number (irrespective of direction). - -type: long +ELF object segment type. -example: 443 +type: keyword -- -*`threat.enrichments.indicator.provider`*:: +*`elf.shared_libraries`*:: + -- -The name of the indicator's provider. +List of shared libraries used by this ELF object. type: keyword -example: lrz_urlhaus - -- -*`threat.enrichments.indicator.reference`*:: +*`elf.telfhash`*:: + -- -Reference URL linking to additional information about this indicator. +telfhash symbol hash for ELF file. type: keyword -example: https://system.example.com/indicator/0001234 - -- -*`threat.enrichments.indicator.registry.data.bytes`*:: +[float] +=== error + +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. + + +*`error.code`*:: + -- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. +Error code describing the error. type: keyword -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - -- -*`threat.enrichments.indicator.registry.data.strings`*:: +*`error.id`*:: + -- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. 
For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). +Unique identifier for the error. type: keyword -example: ["C:\rta\red_ttp\bin\myapp.exe"] - -- -*`threat.enrichments.indicator.registry.data.type`*:: +*`error.message`*:: + -- -Standard registry type for encoding contents - -type: keyword +Error message. -example: REG_SZ +type: text -- -*`threat.enrichments.indicator.registry.hive`*:: +*`error.stack_trace`*:: + -- -Abbreviated name for the hive. +The stack trace of this error in plain text. type: keyword -example: HKLM +Field is not indexed. -- -*`threat.enrichments.indicator.registry.key`*:: +*`error.stack_trace.text`*:: + -- -Hive-relative path of keys. - -type: keyword - -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe +type: text -- -*`threat.enrichments.indicator.registry.path`*:: +*`error.type`*:: + -- -Full path, including hive, key and value +The type of the error, for example the class name of the exception. type: keyword -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger +example: java.lang.NullPointerException -- -*`threat.enrichments.indicator.registry.value`*:: +[float] +=== event + +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. 
Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. + + +*`event.action`*:: + -- -Name of the value written. +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. type: keyword -example: Debugger +example: user-password-change -- -*`threat.enrichments.indicator.scanner_stats`*:: +*`event.agent_id_status`*:: + -- -Count of AV/EDR vendors that successfully detected malicious file or URL. +Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. +For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. +If no validation is performed then the field should be omitted. +The allowed values are: +`verified` - The `agent.id` field value matches expected value obtained from auth metadata. +`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. +`missing` - There was no `agent.id` field in the event to validate. +`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. 
-type: long +type: keyword -example: 4 +example: verified -- -*`threat.enrichments.indicator.sightings`*:: +*`event.category`*:: + -- -Number of times this indicator was observed conducting threat activity. +This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. +`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. +This field is an array. This will allow proper categorization of some events that fall in multiple categories. -type: long +type: keyword -example: 20 +example: authentication -- -*`threat.enrichments.indicator.type`*:: +*`event.code`*:: + -- -Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. type: keyword -example: ipv4-addr +example: 4648 -- -*`threat.enrichments.indicator.url.domain`*:: +*`event.created`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. +event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. +In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. +In case the two timestamps are identical, @timestamp should be used. -type: keyword +type: date -example: www.elastic.co +example: 2016-05-23T08:05:34.857Z -- -*`threat.enrichments.indicator.url.extension`*:: +*`event.dataset`*:: + -- -The field contains the file extension from the original request url, excluding the leading dot. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). +Name of the dataset. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword -example: png +example: apache.access -- -*`threat.enrichments.indicator.url.fragment`*:: +*`event.duration`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. 
-type: keyword +type: long + +format: duration -- -*`threat.enrichments.indicator.url.full`*:: +*`event.end`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -type: keyword +event.end contains the date when the event ended or when the activity was last observed. -example: https://www.elastic.co:443/search?q=elasticsearch#top +type: date -- -*`threat.enrichments.indicator.url.full.text`*:: +*`event.hash`*:: + -- -type: text +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + +type: keyword + +example: 123456789012345678901234567890ABCD -- -*`threat.enrichments.indicator.url.original`*:: +*`event.id`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +Unique ID to describe the event. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: 8a4f500d -- -*`threat.enrichments.indicator.url.original.text`*:: +*`event.ingested`*:: + -- -type: text +Timestamp when an event arrived in the central data store. +This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. +In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + +type: date + +example: 2016-05-23T08:05:35.101Z -- -*`threat.enrichments.indicator.url.password`*:: +*`event.kind`*:: + -- -Password of the request. +This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
+`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. +The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. type: keyword +example: alert + -- -*`threat.enrichments.indicator.url.path`*:: +*`event.module`*:: + -- -Path of the request, such as "/search". +Name of the module this data is coming from. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword +example: apache + -- -*`threat.enrichments.indicator.url.port`*:: +*`event.original`*:: + -- -Port of the request, such as 443. +Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. -type: long +type: keyword -example: 443 +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 -format: string +Field is not indexed. -- -*`threat.enrichments.indicator.url.query`*:: +*`event.outcome`*:: + -- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. 
The `exists` query can be used to differentiate between the two cases. +This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword +example: success + -- -*`threat.enrichments.indicator.url.registered_domain`*:: +*`event.provider`*:: + -- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +Source of the event. +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). type: keyword -example: example.com +example: kernel -- -*`threat.enrichments.indicator.url.scheme`*:: +*`event.reason`*:: + -- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. 
+Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). type: keyword -example: https +example: Terminated an unexpected process -- -*`threat.enrichments.indicator.url.subdomain`*:: +*`event.reference`*:: + -- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. +Reference URL linking to additional information about this event. +This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: east +example: https://system.example.com/event/#0001234 -- -*`threat.enrichments.indicator.url.top_level_domain`*:: +*`event.risk_score`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword +Risk score or priority of the event (e.g. security solutions). Use your system's original value here. 
-example: co.uk +type: float -- -*`threat.enrichments.indicator.url.username`*:: +*`event.risk_score_norm`*:: + -- -Username of the request. +Normalized risk score or priority of the event, on a scale of 0 to 100. +This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. -type: keyword +type: float -- -*`threat.enrichments.indicator.x509.alternative_names`*:: +*`event.sequence`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. -type: keyword +type: long -example: *.elastic.co +format: string -- -*`threat.enrichments.indicator.x509.issuer.common_name`*:: +*`event.severity`*:: + -- -List of common name (CN) of issuing certificate authority. +The numeric severity of the event according to your event source. +What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. +The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. -type: keyword +type: long -example: Example SHA2 High Assurance Server CA +example: 7 + +format: string -- -*`threat.enrichments.indicator.x509.issuer.country`*:: +*`event.start`*:: + -- -List of country (C) codes - -type: keyword +event.start contains the date when the event started or when the activity was first observed. 
-example: US +type: date -- -*`threat.enrichments.indicator.x509.issuer.distinguished_name`*:: +*`event.timezone`*:: + -- -Distinguished name (DN) of issuing certificate authority. +This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. +Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). type: keyword -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - -- -*`threat.enrichments.indicator.x509.issuer.locality`*:: +*`event.type`*:: + -- -List of locality names (L) +This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. +`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. +This field is an array. This will allow proper categorization of some events that fall in multiple event types. type: keyword -example: Mountain View - -- -*`threat.enrichments.indicator.x509.issuer.organization`*:: +*`event.url`*:: + -- -List of organizations (O) of issuing certificate authority. +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: Example Inc +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- -*`threat.enrichments.indicator.x509.issuer.organizational_unit`*:: +[float] +=== file + +A file is defined as a set of information that has been created on, or has existed on a filesystem. 
+File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + + +*`file.accessed`*:: + -- -List of organizational units (OU) of issuing certificate authority. - -type: keyword +Last time the file was accessed. +Note that not all filesystems keep track of access time. -example: www.example.com +type: date -- -*`threat.enrichments.indicator.x509.issuer.state_or_province`*:: +*`file.attributes`*:: + -- -List of state or province names (ST, S, or P) +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword -example: California +example: ["readonly", "system"] -- -*`threat.enrichments.indicator.x509.not_after`*:: +*`file.code_signature.exists`*:: + -- -Time at which the certificate is no longer considered valid. +Boolean to capture if a signature is present. -type: date +type: boolean -example: 2020-07-16 03:15:39+00:00 +example: true -- -*`threat.enrichments.indicator.x509.not_before`*:: +*`file.code_signature.signing_id`*:: + -- -Time at which the certificate is first considered valid. +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. -type: date +type: keyword -example: 2019-08-16 01:40:25+00:00 +example: com.apple.xpc.proxy -- -*`threat.enrichments.indicator.x509.public_key_algorithm`*:: +*`file.code_signature.status`*:: + -- -Algorithm used to generate the public key. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. 
Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword -example: RSA +example: ERROR_UNTRUSTED_ROOT -- -*`threat.enrichments.indicator.x509.public_key_curve`*:: +*`file.code_signature.subject_name`*:: + -- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. +Subject name of the code signer type: keyword -example: nistp521 +example: Microsoft Corporation -- -*`threat.enrichments.indicator.x509.public_key_exponent`*:: +*`file.code_signature.team_id`*:: + -- -Exponent used to derive the public key. This is algorithm specific. - -type: long +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. -example: 65537 +type: keyword -Field is not indexed. +example: EQHXZ8M8AV -- -*`threat.enrichments.indicator.x509.public_key_size`*:: +*`file.code_signature.trusted`*:: + -- -The size of the public key space in bits. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: long +type: boolean -example: 2048 +example: true -- -*`threat.enrichments.indicator.x509.serial_number`*:: +*`file.code_signature.valid`*:: + -- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: keyword +type: boolean -example: 55FBB9C7DEBF09809D12CCAA +example: true -- -*`threat.enrichments.indicator.x509.signature_algorithm`*:: +*`file.created`*:: + -- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - -type: keyword +File creation time. +Note that not all filesystems store the creation time. -example: SHA256-RSA +type: date -- -*`threat.enrichments.indicator.x509.subject.common_name`*:: +*`file.ctime`*:: + -- -List of common names (CN) of subject. - -type: keyword +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. -example: shared.global.example.net +type: date -- -*`threat.enrichments.indicator.x509.subject.country`*:: +*`file.device`*:: + -- -List of country (C) code +Device that is the source of the file. type: keyword -example: US +example: sda -- -*`threat.enrichments.indicator.x509.subject.distinguished_name`*:: +*`file.directory`*:: + -- -Distinguished name (DN) of the certificate subject entity. +Directory where the file is located. It should include the drive letter, when appropriate. type: keyword -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net +example: /home/alice -- -*`threat.enrichments.indicator.x509.subject.locality`*:: +*`file.drive_letter`*:: + -- -List of locality names (L) +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. type: keyword -example: San Francisco +example: C -- -*`threat.enrichments.indicator.x509.subject.organization`*:: +*`file.elf.architecture`*:: + -- -List of organizations (O) of subject. +Machine architecture of the ELF file. type: keyword -example: Example, Inc. +example: x86-64 -- -*`threat.enrichments.indicator.x509.subject.organizational_unit`*:: +*`file.elf.byte_order`*:: + -- -List of organizational units (OU) of subject. +Byte sequence of ELF file. 
type: keyword +example: Little Endian + -- -*`threat.enrichments.indicator.x509.subject.state_or_province`*:: +*`file.elf.cpu_type`*:: + -- -List of state or province names (ST, S, or P) +CPU type of the ELF file. type: keyword -example: California +example: Intel -- -*`threat.enrichments.indicator.x509.version_number`*:: +*`file.elf.creation_date`*:: + -- -Version of x509 format. - -type: keyword +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. -example: 3 +type: date -- -*`threat.enrichments.matched.atomic`*:: +*`file.elf.exports`*:: + -- -Identifies the atomic indicator value that matched a local environment endpoint or network event. - -type: keyword +List of exported element names and types. -example: bad-domain.com +type: flattened -- -*`threat.enrichments.matched.field`*:: +*`file.elf.header.abi_version`*:: + -- -Identifies the field of the atomic indicator that matched a local environment endpoint or network event. +Version of the ELF Application Binary Interface (ABI). type: keyword -example: file.hash.sha256 - -- -*`threat.enrichments.matched.id`*:: +*`file.elf.header.class`*:: + -- -Identifies the _id of the indicator document enriching the event. +Header class of the ELF file. type: keyword -example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - -- -*`threat.enrichments.matched.index`*:: +*`file.elf.header.data`*:: + -- -Identifies the _index of the indicator document enriching the event. +Data table of the ELF header. type: keyword -example: filebeat-8.0.0-2021.05.23-000011 - -- -*`threat.enrichments.matched.type`*:: +*`file.elf.header.entrypoint`*:: + -- -Identifies the type of match that caused the event to be enriched with the given indicator +Header entrypoint of the ELF file. 
-type: keyword +type: long -example: indicator_match_rule +format: string -- -*`threat.framework`*:: +*`file.elf.header.object_version`*:: + -- -Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. +"0x1" for original ELF files. type: keyword -example: MITRE ATT&CK - -- -*`threat.group.alias`*:: +*`file.elf.header.os_abi`*:: + -- -The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). +Application Binary Interface (ABI) of the Linux OS. type: keyword -example: [ "Magecart Group 6" ] - -- -*`threat.group.id`*:: +*`file.elf.header.type`*:: + -- -The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. +Header type of the ELF file. type: keyword -example: G0037 - -- -*`threat.group.name`*:: +*`file.elf.header.version`*:: + -- -The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. +Version of the ELF header. type: keyword -example: FIN6 - -- -*`threat.group.reference`*:: +*`file.elf.imports`*:: + -- -The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. +List of imported element names and types. -type: keyword +type: flattened -example: https://attack.mitre.org/groups/G0037/ +-- + +*`file.elf.sections`*:: ++ +-- +An array containing an object for each section of the ELF file. 
+The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + +type: nested -- -*`threat.indicator.as.number`*:: +*`file.elf.sections.chi2`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +Chi-square probability distribution of the section. type: long -example: 15169 +format: number -- -*`threat.indicator.as.organization.name`*:: +*`file.elf.sections.entropy`*:: + -- -Organization name. +Shannon entropy calculation from the section. -type: keyword +type: long -example: Google LLC +format: number -- -*`threat.indicator.as.organization.name.text`*:: +*`file.elf.sections.flags`*:: + -- -type: text +ELF Section List flags. + +type: keyword -- -*`threat.indicator.confidence`*:: +*`file.elf.sections.name`*:: + -- -Identifies the confidence rating assigned by the provider using STIX confidence scales. -Recommended values: - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) +ELF Section List name. type: keyword -example: High - -- -*`threat.indicator.description`*:: +*`file.elf.sections.physical_offset`*:: + -- -Describes the type of action conducted by the threat. +ELF Section List offset. type: keyword -example: IP x.x.x.x was observed delivering the Angler EK. - -- -*`threat.indicator.email.address`*:: +*`file.elf.sections.physical_size`*:: + -- -Identifies a threat indicator as an email address (irrespective of direction). +ELF Section List physical size. -type: keyword +type: long -example: phish@example.com +format: bytes -- -*`threat.indicator.file.accessed`*:: +*`file.elf.sections.type`*:: + -- -Last time the file was accessed. -Note that not all filesystems keep track of access time. +ELF Section List type. 
-type: date +type: keyword -- -*`threat.indicator.file.attributes`*:: +*`file.elf.sections.virtual_address`*:: + -- -Array of file attributes. -Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +ELF Section List virtual address. -type: keyword +type: long -example: ["readonly", "system"] +format: string -- -*`threat.indicator.file.code_signature.exists`*:: +*`file.elf.sections.virtual_size`*:: + -- -Boolean to capture if a signature is present. +ELF Section List virtual size. -type: boolean +type: long -example: true +format: string -- -*`threat.indicator.file.code_signature.signing_id`*:: +*`file.elf.segments`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. - -type: keyword +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. -example: com.apple.xpc.proxy +type: nested -- -*`threat.indicator.file.code_signature.status`*:: +*`file.elf.segments.sections`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +ELF object segment sections. type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`threat.indicator.file.code_signature.subject_name`*:: +*`file.elf.segments.type`*:: + -- -Subject name of the code signer +ELF object segment type. type: keyword -example: Microsoft Corporation - -- -*`threat.indicator.file.code_signature.team_id`*:: +*`file.elf.shared_libraries`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only. +List of shared libraries used by this ELF object. type: keyword -example: EQHXZ8M8AV - -- -*`threat.indicator.file.code_signature.trusted`*:: +*`file.elf.telfhash`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean +telfhash symbol hash for ELF file. -example: true +type: keyword -- -*`threat.indicator.file.code_signature.valid`*:: +*`file.extension`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +File extension, excluding the leading dot. +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). -type: boolean +type: keyword -example: true +example: png -- -*`threat.indicator.file.created`*:: +*`file.gid`*:: + -- -File creation time. -Note that not all filesystems store the creation time. +Primary group ID (GID) of the file. -type: date +type: keyword + +example: 1001 -- -*`threat.indicator.file.ctime`*:: +*`file.group`*:: + -- -Last time the file attributes or metadata changed. -Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. +Primary group name of the file. -type: date +type: keyword + +example: alice -- -*`threat.indicator.file.device`*:: +*`file.hash.md5`*:: + -- -Device that is the source of the file. +MD5 hash. type: keyword -example: sda - -- -*`threat.indicator.file.directory`*:: +*`file.hash.sha1`*:: + -- -Directory where the file is located. It should include the drive letter, when appropriate. +SHA1 hash. type: keyword -example: /home/alice - -- -*`threat.indicator.file.drive_letter`*:: +*`file.hash.sha256`*:: + -- -Drive letter where the file is located. 
This field is only relevant on Windows. -The value should be uppercase, and not include the colon. +SHA256 hash. type: keyword -example: C - -- -*`threat.indicator.file.elf.architecture`*:: +*`file.hash.sha512`*:: + -- -Machine architecture of the ELF file. +SHA512 hash. type: keyword -example: x86-64 - -- -*`threat.indicator.file.elf.byte_order`*:: +*`file.hash.ssdeep`*:: + -- -Byte sequence of ELF file. +SSDEEP hash. type: keyword -example: Little Endian - -- -*`threat.indicator.file.elf.cpu_type`*:: +*`file.inode`*:: + -- -CPU type of the ELF file. +Inode representing the file in the filesystem. type: keyword -example: Intel +example: 256383 -- -*`threat.indicator.file.elf.creation_date`*:: +*`file.mime_type`*:: + -- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. -type: date +type: keyword -- -*`threat.indicator.file.elf.exports`*:: +*`file.mode`*:: + -- -List of exported element names and types. +Mode of the file in octal representation. -type: flattened +type: keyword + +example: 0640 -- -*`threat.indicator.file.elf.header.abi_version`*:: +*`file.mtime`*:: + -- -Version of the ELF Application Binary Interface (ABI). +Last time the file content was modified. -type: keyword +type: date -- -*`threat.indicator.file.elf.header.class`*:: +*`file.name`*:: + -- -Header class of the ELF file. +Name of the file including the extension, without the directory. type: keyword +example: example.png + -- -*`threat.indicator.file.elf.header.data`*:: +*`file.owner`*:: + -- -Data table of the ELF header. +File owner's username. 
type: keyword +example: alice + -- -*`threat.indicator.file.elf.header.entrypoint`*:: +*`file.path`*:: + -- -Header entrypoint of the ELF file. +Full path to the file, including the file name. It should include the drive letter, when appropriate. -type: long +type: keyword -format: string +example: /home/alice/example.png -- -*`threat.indicator.file.elf.header.object_version`*:: +*`file.path.text`*:: + -- -"0x1" for original ELF files. - -type: keyword +type: text -- -*`threat.indicator.file.elf.header.os_abi`*:: +*`file.pe.architecture`*:: + -- -Application Binary Interface (ABI) of the Linux OS. +CPU architecture target for the file. type: keyword +example: x64 + -- -*`threat.indicator.file.elf.header.type`*:: +*`file.pe.company`*:: + -- -Header type of the ELF file. +Internal company name of the file, provided at compile-time. type: keyword +example: Microsoft Corporation + -- -*`threat.indicator.file.elf.header.version`*:: +*`file.pe.description`*:: + -- -Version of the ELF header. +Internal description of the file, provided at compile-time. type: keyword +example: Paint + -- -*`threat.indicator.file.elf.imports`*:: +*`file.pe.file_version`*:: + -- -List of imported element names and types. +Internal version of the file, provided at compile-time. -type: flattened +type: keyword + +example: 6.3.9600.17415 -- -*`threat.indicator.file.elf.sections`*:: +*`file.pe.imphash`*:: + -- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. 
-type: nested +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf -- -*`threat.indicator.file.elf.sections.chi2`*:: +*`file.pe.original_file_name`*:: + -- -Chi-square probability distribution of the section. +Internal name of the file, provided at compile-time. -type: long +type: keyword -format: number +example: MSPAINT.EXE -- -*`threat.indicator.file.elf.sections.entropy`*:: +*`file.pe.product`*:: + -- -Shannon entropy calculation from the section. +Internal product name of the file, provided at compile-time. -type: long +type: keyword -format: number +example: Microsoft® Windows® Operating System -- -*`threat.indicator.file.elf.sections.flags`*:: +*`file.size`*:: + -- -ELF Section List flags. +File size in bytes. +Only relevant when `file.type` is "file". -type: keyword +type: long + +example: 16384 -- -*`threat.indicator.file.elf.sections.name`*:: +*`file.target_path`*:: + -- -ELF Section List name. +Target path for symlinks. type: keyword -- -*`threat.indicator.file.elf.sections.physical_offset`*:: +*`file.target_path.text`*:: + -- -ELF Section List offset. - -type: keyword +type: text -- -*`threat.indicator.file.elf.sections.physical_size`*:: +*`file.type`*:: + -- -ELF Section List physical size. +File type (file, dir, or symlink). -type: long +type: keyword -format: bytes +example: file -- -*`threat.indicator.file.elf.sections.type`*:: +*`file.uid`*:: + -- -ELF Section List type. +The user ID (UID) or security identifier (SID) of the file owner. type: keyword +example: 1001 + -- -*`threat.indicator.file.elf.sections.virtual_address`*:: +*`file.x509.alternative_names`*:: + -- -ELF Section List virtual address. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
-type: long +type: keyword -format: string +example: *.elastic.co -- -*`threat.indicator.file.elf.sections.virtual_size`*:: +*`file.x509.issuer.common_name`*:: + -- -ELF Section List virtual size. +List of common name (CN) of issuing certificate authority. -type: long +type: keyword -format: string +example: Example SHA2 High Assurance Server CA -- -*`threat.indicator.file.elf.segments`*:: +*`file.x509.issuer.country`*:: + -- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. +List of country (C) codes -type: nested +type: keyword + +example: US -- -*`threat.indicator.file.elf.segments.sections`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -ELF object segment sections. +Distinguished name (DN) of issuing certificate authority. type: keyword +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + -- -*`threat.indicator.file.elf.segments.type`*:: +*`file.x509.issuer.locality`*:: + -- -ELF object segment type. +List of locality names (L) type: keyword +example: Mountain View + -- -*`threat.indicator.file.elf.shared_libraries`*:: +*`file.x509.issuer.organization`*:: + -- -List of shared libraries used by this ELF object. +List of organizations (O) of issuing certificate authority. type: keyword +example: Example Inc + -- -*`threat.indicator.file.elf.telfhash`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -telfhash symbol hash for ELF file. +List of organizational units (OU) of issuing certificate authority. type: keyword +example: www.example.com + -- -*`threat.indicator.file.extension`*:: +*`file.x509.issuer.state_or_province`*:: + -- -File extension, excluding the leading dot. -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). 
+List of state or province names (ST, S, or P) type: keyword -example: png +example: California -- -*`threat.indicator.file.gid`*:: +*`file.x509.not_after`*:: + -- -Primary group ID (GID) of the file. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 1001 +example: 2020-07-16 03:15:39+00:00 -- -*`threat.indicator.file.group`*:: +*`file.x509.not_before`*:: + -- -Primary group name of the file. +Time at which the certificate is first considered valid. -type: keyword +type: date -example: alice +example: 2019-08-16 01:40:25+00:00 -- -*`threat.indicator.file.inode`*:: +*`file.x509.public_key_algorithm`*:: + -- -Inode representing the file in the filesystem. +Algorithm used to generate the public key. type: keyword -example: 256383 +example: RSA -- -*`threat.indicator.file.mime_type`*:: +*`file.x509.public_key_curve`*:: + -- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`threat.indicator.file.mode`*:: +*`file.x509.public_key_exponent`*:: + -- -Mode of the file in octal representation. +Exponent used to derive the public key. This is algorithm specific. -type: keyword +type: long -example: 0640 +example: 65537 + +Field is not indexed. -- -*`threat.indicator.file.mtime`*:: +*`file.x509.public_key_size`*:: + -- -Last time the file content was modified. +The size of the public key space in bits. -type: date +type: long + +example: 2048 -- -*`threat.indicator.file.name`*:: +*`file.x509.serial_number`*:: + -- -Name of the file including the extension, without the directory. +Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: example.png +example: 55FBB9C7DEBF09809D12CCAA -- -*`threat.indicator.file.owner`*:: +*`file.x509.signature_algorithm`*:: + -- -File owner's username. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: alice +example: SHA256-RSA -- -*`threat.indicator.file.path`*:: +*`file.x509.subject.common_name`*:: + -- -Full path to the file, including the file name. It should include the drive letter, when appropriate. +List of common names (CN) of subject. type: keyword -example: /home/alice/example.png +example: shared.global.example.net -- -*`threat.indicator.file.path.text`*:: +*`file.x509.subject.country`*:: + -- -type: text +List of country (C) code + +type: keyword + +example: US -- -*`threat.indicator.file.size`*:: +*`file.x509.subject.distinguished_name`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +Distinguished name (DN) of the certificate subject entity. -type: long +type: keyword -example: 16384 +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`threat.indicator.file.target_path`*:: +*`file.x509.subject.locality`*:: + -- -Target path for symlinks. +List of locality names (L) type: keyword +example: San Francisco + -- -*`threat.indicator.file.target_path.text`*:: +*`file.x509.subject.organization`*:: + -- -type: text +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. -- -*`threat.indicator.file.type`*:: +*`file.x509.subject.organizational_unit`*:: + -- -File type (file, dir, or symlink). +List of organizational units (OU) of subject. 
type: keyword -example: file - -- -*`threat.indicator.file.uid`*:: +*`file.x509.subject.state_or_province`*:: + -- -The user ID (UID) or security identifier (SID) of the file owner. +List of state or province names (ST, S, or P) type: keyword -example: 1001 +example: California -- -*`threat.indicator.first_seen`*:: +*`file.x509.version_number`*:: + -- -The date and time when intelligence source first reported sighting this indicator. +Version of x509 format. -type: date +type: keyword -example: 2020-11-05T17:25:47.000Z +example: 3 -- -*`threat.indicator.geo.city_name`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- City name. @@ -45282,7 +43740,7 @@ example: Montreal -- -*`threat.indicator.geo.continent_code`*:: +*`geo.continent_code`*:: + -- Two-letter code representing continent's name. @@ -45293,7 +43751,7 @@ example: NA -- -*`threat.indicator.geo.continent_name`*:: +*`geo.continent_name`*:: + -- Name of the continent. @@ -45304,7 +43762,7 @@ example: North America -- -*`threat.indicator.geo.country_iso_code`*:: +*`geo.country_iso_code`*:: + -- Country ISO code. @@ -45315,7 +43773,7 @@ example: CA -- -*`threat.indicator.geo.country_name`*:: +*`geo.country_name`*:: + -- Country name. @@ -45326,7 +43784,7 @@ example: Canada -- -*`threat.indicator.geo.location`*:: +*`geo.location`*:: + -- Longitude and latitude. @@ -45337,7 +43795,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`threat.indicator.geo.name`*:: +*`geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -45350,7 +43808,7 @@ example: boston-dc -- -*`threat.indicator.geo.postal_code`*:: +*`geo.postal_code`*:: + -- Postal code associated with the location. 
@@ -45362,7 +43820,7 @@ example: 94040 -- -*`threat.indicator.geo.region_iso_code`*:: +*`geo.region_iso_code`*:: + -- Region ISO code. @@ -45373,7 +43831,7 @@ example: CA-QC -- -*`threat.indicator.geo.region_name`*:: +*`geo.region_name`*:: + -- Region name. @@ -45384,7 +43842,7 @@ example: Quebec -- -*`threat.indicator.geo.timezone`*:: +*`geo.timezone`*:: + -- The time zone of the location, such as IANA time zone name. 
@@ -45395,8652 +43853,17074 @@ example: America/Argentina/Buenos_Aires -- -*`threat.indicator.hash.md5`*:: +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: + -- -MD5 hash. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`threat.indicator.hash.sha1`*:: +*`group.id`*:: + -- -SHA1 hash. +Unique identifier for the group on the system/platform. type: keyword -- -*`threat.indicator.hash.sha256`*:: +*`group.name`*:: + -- -SHA256 hash. +Name of the group. type: keyword -- -*`threat.indicator.hash.sha512`*:: +[float] +=== hash + +The hash fields represent different bitwise hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). + + +*`hash.md5`*:: + -- -SHA512 hash. +MD5 hash. type: keyword -- -*`threat.indicator.hash.ssdeep`*:: +*`hash.sha1`*:: + -- -SSDEEP hash. +SHA1 hash. type: keyword -- -*`threat.indicator.ip`*:: +*`hash.sha256`*:: + -- -Identifies a threat indicator as an IP address (irrespective of direction). - -type: ip +SHA256 hash. -example: 1.2.3.4 +type: keyword -- -*`threat.indicator.last_seen`*:: +*`hash.sha512`*:: + -- -The date and time when intelligence source last reported sighting this indicator. - -type: date +SHA512 hash. -example: 2020-11-05T17:25:47.000Z +type: keyword -- -*`threat.indicator.marking.tlp`*:: +*`hash.ssdeep`*:: + -- -Traffic Light Protocol sharing markings. -Recommended values are: - * WHITE - * GREEN - * AMBER - * RED +SSDEEP hash. 
type: keyword -example: WHITE - -- -*`threat.indicator.modified_at`*:: +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: + -- -The date and time when intelligence source last modified information for this indicator. +Operating system architecture. -type: date +type: keyword -example: 2020-11-05T17:25:47.000Z +example: x86_64 -- -*`threat.indicator.pe.architecture`*:: +*`host.cpu.usage`*:: + -- -CPU architecture target for the file. - -type: keyword +Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. +Scaling factor: 1000. +For example: For a two core host, this value should be the average of the two cores, between 0 and 1. -example: x64 +type: scaled_float -- -*`threat.indicator.pe.company`*:: +*`host.disk.read.bytes`*:: + -- -Internal company name of the file, provided at compile-time. - -type: keyword +The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. -example: Microsoft Corporation +type: long -- -*`threat.indicator.pe.description`*:: +*`host.disk.write.bytes`*:: + -- -Internal description of the file, provided at compile-time. - -type: keyword +The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. -example: Paint +type: long -- -*`threat.indicator.pe.file_version`*:: +*`host.domain`*:: + -- -Internal version of the file, provided at compile-time. +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
type: keyword -example: 6.3.9600.17415 +example: CONTOSO -- -*`threat.indicator.pe.imphash`*:: +*`host.geo.city_name`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. +City name. type: keyword -example: 0c6803c4e922103c4dca5963aad36ddf +example: Montreal -- -*`threat.indicator.pe.original_file_name`*:: +*`host.geo.continent_code`*:: + -- -Internal name of the file, provided at compile-time. +Two-letter code representing continent's name. type: keyword -example: MSPAINT.EXE +example: NA -- -*`threat.indicator.pe.product`*:: +*`host.geo.continent_name`*:: + -- -Internal product name of the file, provided at compile-time. +Name of the continent. type: keyword -example: Microsoft® Windows® Operating System +example: North America -- -*`threat.indicator.port`*:: +*`host.geo.country_iso_code`*:: + -- -Identifies a threat indicator as a port number (irrespective of direction). +Country ISO code. -type: long +type: keyword -example: 443 +example: CA -- -*`threat.indicator.provider`*:: +*`host.geo.country_name`*:: + -- -The name of the indicator's provider. +Country name. type: keyword -example: lrz_urlhaus +example: Canada -- -*`threat.indicator.reference`*:: +*`host.geo.location`*:: + -- -Reference URL linking to additional information about this indicator. +Longitude and latitude. -type: keyword +type: geo_point -example: https://system.example.com/indicator/0001234 +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`threat.indicator.registry.data.bytes`*:: +*`host.geo.name`*:: + -- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. 
This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= +example: boston-dc -- -*`threat.indicator.registry.data.strings`*:: +*`host.geo.postal_code`*:: + -- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. type: keyword -example: ["C:\rta\red_ttp\bin\myapp.exe"] +example: 94040 -- -*`threat.indicator.registry.data.type`*:: +*`host.geo.region_iso_code`*:: + -- -Standard registry type for encoding contents +Region ISO code. type: keyword -example: REG_SZ +example: CA-QC -- -*`threat.indicator.registry.hive`*:: +*`host.geo.region_name`*:: + -- -Abbreviated name for the hive. +Region name. type: keyword -example: HKLM +example: Quebec -- -*`threat.indicator.registry.key`*:: +*`host.geo.timezone`*:: + -- -Hive-relative path of keys. +The time zone of the location, such as IANA time zone name. type: keyword -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe +example: America/Argentina/Buenos_Aires -- -*`threat.indicator.registry.path`*:: +*`host.hostname`*:: + -- -Full path, including hive, key and value +Hostname of the host. 
+It normally contains what the `hostname` command returns on the host machine. type: keyword -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - -- -*`threat.indicator.registry.value`*:: +*`host.id`*:: + -- -Name of the value written. +Unique host id. +As hostname is not always unique, use values that are meaningful in your environment. +Example: The current usage of `beat.name`. type: keyword -example: Debugger - -- -*`threat.indicator.scanner_stats`*:: +*`host.ip`*:: + -- -Count of AV/EDR vendors that successfully detected malicious file or URL. - -type: long +Host ip addresses. -example: 4 +type: ip -- -*`threat.indicator.sightings`*:: +*`host.mac`*:: + -- -Number of times this indicator was observed conducting threat activity. +Host MAC addresses. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. -type: long +type: keyword -example: 20 +example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] -- -*`threat.indicator.type`*:: +*`host.name`*:: + -- -Type of indicator as represented by Cyber Observable in STIX 2.0. -Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate +Name of the host. +It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. type: keyword -example: ipv4-addr - -- -*`threat.indicator.url.domain`*:: +*`host.network.egress.bytes`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. -If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - -type: keyword +The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. -example: www.elastic.co +type: long -- -*`threat.indicator.url.extension`*:: +*`host.network.egress.packets`*:: + -- -The field contains the file extension from the original request url, excluding the leading dot. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - -type: keyword +The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. -example: png +type: long -- -*`threat.indicator.url.fragment`*:: +*`host.network.ingress.bytes`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. -type: keyword +type: long -- -*`threat.indicator.url.full`*:: +*`host.network.ingress.packets`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -type: keyword +The number of packets (gauge) received on all network interfaces by the host since the last metric collection. -example: https://www.elastic.co:443/search?q=elasticsearch#top +type: long -- -*`threat.indicator.url.full.text`*:: +*`host.os.family`*:: + -- -type: text +OS family (such as redhat, debian, freebsd, windows). 
+ +type: keyword + +example: debian -- -*`threat.indicator.url.original`*:: +*`host.os.full`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +Operating system name, including the version or code name. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: Mac OS Mojave -- -*`threat.indicator.url.original.text`*:: +*`host.os.full.text`*:: + -- type: text -- -*`threat.indicator.url.password`*:: +*`host.os.kernel`*:: + -- -Password of the request. +Operating system kernel version as a raw string. type: keyword +example: 4.4.0-112-generic + -- -*`threat.indicator.url.path`*:: +*`host.os.name`*:: + -- -Path of the request, such as "/search". +Operating system name, without the version. type: keyword +example: Mac OS X + -- -*`threat.indicator.url.port`*:: +*`host.os.name.text`*:: + -- -Port of the request, such as 443. - -type: long - -example: 443 - -format: string +type: text -- -*`threat.indicator.url.query`*:: +*`host.os.platform`*:: + -- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +Operating system platform (such centos, ubuntu, windows). type: keyword +example: darwin + -- -*`threat.indicator.url.registered_domain`*:: +*`host.os.type`*:: + -- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword -example: example.com +example: macos -- -*`threat.indicator.url.scheme`*:: +*`host.os.version`*:: + -- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. +Operating system version as a raw string. type: keyword -example: https +example: 10.14.1 -- -*`threat.indicator.url.subdomain`*:: +*`host.type`*:: + -- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. +Type of host. +For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. type: keyword -example: east - -- -*`threat.indicator.url.top_level_domain`*:: +*`host.uptime`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +Seconds the host has been up. -type: keyword +type: long -example: co.uk +example: 1325 -- -*`threat.indicator.url.username`*:: +*`host.user.domain`*:: + -- -Username of the request. +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`threat.indicator.x509.alternative_names`*:: +*`host.user.email`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. +User email address. type: keyword -example: *.elastic.co - -- -*`threat.indicator.x509.issuer.common_name`*:: +*`host.user.full_name`*:: + -- -List of common name (CN) of issuing certificate authority. +User's full name, if available. type: keyword -example: Example SHA2 High Assurance Server CA +example: Albert Einstein -- -*`threat.indicator.x509.issuer.country`*:: +*`host.user.full_name.text`*:: + -- -List of country (C) codes - -type: keyword - -example: US +type: text -- -*`threat.indicator.x509.issuer.distinguished_name`*:: +*`host.user.group.domain`*:: + -- -Distinguished name (DN) of issuing certificate authority. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - -- -*`threat.indicator.x509.issuer.locality`*:: +*`host.user.group.id`*:: + -- -List of locality names (L) +Unique identifier for the group on the system/platform. type: keyword -example: Mountain View - -- -*`threat.indicator.x509.issuer.organization`*:: +*`host.user.group.name`*:: + -- -List of organizations (O) of issuing certificate authority. +Name of the group. 
type: keyword -example: Example Inc - -- -*`threat.indicator.x509.issuer.organizational_unit`*:: +*`host.user.hash`*:: + -- -List of organizational units (OU) of issuing certificate authority. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -example: www.example.com - -- -*`threat.indicator.x509.issuer.state_or_province`*:: +*`host.user.id`*:: + -- -List of state or province names (ST, S, or P) +Unique identifier of the user. type: keyword -example: California - -- -*`threat.indicator.x509.not_after`*:: +*`host.user.name`*:: + -- -Time at which the certificate is no longer considered valid. +Short name or login of the user. -type: date +type: keyword -example: 2020-07-16 03:15:39+00:00 +example: albert -- -*`threat.indicator.x509.not_before`*:: +*`host.user.name.text`*:: + -- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25+00:00 +type: text -- -*`threat.indicator.x509.public_key_algorithm`*:: +*`host.user.roles`*:: + -- -Algorithm used to generate the public key. +Array of user roles at the time of the event. type: keyword -example: RSA - --- +example: ["kibana_admin", "reporting_user"] -*`threat.indicator.x509.public_key_curve`*:: -+ -- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: keyword +[float] +=== http -example: nistp521 +Fields related to HTTP activity. Use the `url` field set to store the url of the request. --- -*`threat.indicator.x509.public_key_exponent`*:: +*`http.request.body.bytes`*:: + -- -Exponent used to derive the public key. This is algorithm specific. +Size in bytes of the request body. type: long -example: 65537 +example: 887 -Field is not indexed. +format: bytes -- -*`threat.indicator.x509.public_key_size`*:: +*`http.request.body.content`*:: + -- -The size of the public key space in bits. 
+The full HTTP request body. -type: long +type: keyword -example: 2048 +example: Hello world -- -*`threat.indicator.x509.serial_number`*:: +*`http.request.body.content.text`*:: + -- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA +type: text -- -*`threat.indicator.x509.signature_algorithm`*:: +*`http.request.bytes`*:: + -- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. +Total size in bytes of the request (body and headers). -type: keyword +type: long -example: SHA256-RSA +example: 1437 + +format: bytes -- -*`threat.indicator.x509.subject.common_name`*:: +*`http.request.id`*:: + -- -List of common names (CN) of subject. +A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. +The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. type: keyword -example: shared.global.example.net +example: 123e4567-e89b-12d3-a456-426614174000 -- -*`threat.indicator.x509.subject.country`*:: +*`http.request.method`*:: + -- -List of country (C) code +HTTP request method. +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: US +example: GET, POST, PUT, PoST -- -*`threat.indicator.x509.subject.distinguished_name`*:: +*`http.request.mime_type`*:: + -- -Distinguished name (DN) of the certificate subject entity. +Mime type of the body of the request. 
+This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. type: keyword -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net +example: image/gif -- -*`threat.indicator.x509.subject.locality`*:: +*`http.request.referrer`*:: + -- -List of locality names (L) +Referrer for this HTTP request. type: keyword -example: San Francisco +example: https://blog.example.com/ -- -*`threat.indicator.x509.subject.organization`*:: +*`http.response.body.bytes`*:: + -- -List of organizations (O) of subject. +Size in bytes of the response body. -type: keyword +type: long -example: Example, Inc. +example: 887 + +format: bytes -- -*`threat.indicator.x509.subject.organizational_unit`*:: +*`http.response.body.content`*:: + -- -List of organizational units (OU) of subject. +The full HTTP response body. type: keyword +example: Hello world + -- -*`threat.indicator.x509.subject.state_or_province`*:: +*`http.response.body.content.text`*:: + -- -List of state or province names (ST, S, or P) - -type: keyword - -example: California +type: text -- -*`threat.indicator.x509.version_number`*:: +*`http.response.bytes`*:: + -- -Version of x509 format. +Total size in bytes of the response (body and headers). -type: keyword +type: long -example: 3 +example: 1437 + +format: bytes -- -*`threat.software.id`*:: +*`http.response.mime_type`*:: + -- -The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. +Mime type of the body of the response. +This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. 
type: keyword -example: S0552 +example: image/gif -- -*`threat.software.name`*:: +*`http.response.status_code`*:: + -- -The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. +HTTP response status code. -type: keyword +type: long -example: AdFind +example: 404 + +format: string -- -*`threat.software.platforms`*:: +*`http.version`*:: + -- -The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. -Recommended Values: - * AWS - * Azure - * Azure AD - * GCP - * Linux - * macOS - * Network - * Office 365 - * SaaS - * Windows +HTTP version. type: keyword -example: [ "Windows" ] +example: 1.1 -- -*`threat.software.reference`*:: +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: + -- -The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. type: keyword -example: https://attack.mitre.org/software/S0552/ +example: outside -- -*`threat.software.type`*:: +*`interface.id`*:: + -- -The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. 
-Recommended values - * Malware - * Tool +Interface ID as reported by an observer (typically SNMP interface ID). type: keyword -example: Tool +example: 10 -- -*`threat.tactic.id`*:: +*`interface.name`*:: + -- -The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) +Interface name as reported by the system. type: keyword -example: TA0002 +example: eth0 -- -*`threat.tactic.name`*:: +[float] +=== log + +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. + + +*`log.file.path`*:: + -- -Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. type: keyword -example: Execution +example: /var/log/fun-times.log -- -*`threat.tactic.reference`*:: +*`log.level`*:: + -- -The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) +Original log level of the log event. +If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). +Some examples are `warn`, `err`, `i`, `informational`. type: keyword -example: https://attack.mitre.org/tactics/TA0002/ +example: error -- -*`threat.technique.id`*:: +*`log.logger`*:: + -- -The id of technique used by this threat. 
You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. type: keyword -example: T1059 +example: org.elasticsearch.bootstrap.Bootstrap -- -*`threat.technique.name`*:: +*`log.origin.file.line`*:: + -- -The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) +The line number of the file containing the source code which originated the log event. -type: keyword +type: integer -example: Command and Scripting Interpreter +example: 42 -- -*`threat.technique.name.text`*:: +*`log.origin.file.name`*:: + -- -type: text +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. + +type: keyword + +example: Bootstrap.java -- -*`threat.technique.reference`*:: +*`log.origin.function`*:: + -- -The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) +The name of the function or method which originated the log event. type: keyword -example: https://attack.mitre.org/techniques/T1059/ +example: init -- -*`threat.technique.subtechnique.id`*:: +*`log.original`*:: + -- -The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) +Deprecated for removal in next major version release. This field is superseded by `event.original`. +This is the original log message and contains the full log message before splitting it up in multiple parts. +In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. 
It can have already some modifications applied like encoding or new lines removed to clean up the log message. +This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. type: keyword -example: T1059.001 +example: Sep 19 08:26:10 localhost My log + +Field is not indexed. -- -*`threat.technique.subtechnique.name`*:: +*`log.syslog`*:: + -- -The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) - -type: keyword +The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. -example: PowerShell +type: object -- -*`threat.technique.subtechnique.name.text`*:: +*`log.syslog.facility.code`*:: + -- -type: text +The Syslog numeric facility of the log event, if available. +According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + +type: long + +example: 23 + +format: string -- -*`threat.technique.subtechnique.reference`*:: +*`log.syslog.facility.name`*:: + -- -The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) +The Syslog text-based facility of the log event, if available. type: keyword -example: https://attack.mitre.org/techniques/T1059/001/ +example: local7 -- -[float] -=== tls - -Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. - - -*`tls.cipher`*:: +*`log.syslog.priority`*:: + -- -String indicating the cipher used during the current connection. +Syslog numeric priority of the event, if available. +According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. 
-type: keyword +type: long -example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +example: 135 + +format: string -- -*`tls.client.certificate`*:: +*`log.syslog.severity.code`*:: + -- -PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. -type: keyword +type: long -example: MII... +example: 3 -- -*`tls.client.certificate_chain`*:: +*`log.syslog.severity.name`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. type: keyword -example: ["MII...", "MII..."] +example: Error -- -*`tls.client.hash.md5`*:: +[float] +=== network + +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. + + +*`network.application`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +A name given to an application level protocol. 
This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: aim -- -*`tls.client.hash.sha1`*:: +*`network.bytes`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. -type: keyword +type: long -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: 368 + +format: bytes -- -*`tls.client.hash.sha256`*:: +*`network.community_id`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. type: keyword -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= -- -*`tls.client.issuer`*:: +*`network.direction`*:: + -- -Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +Direction of the network traffic. 
+Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + +When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". +When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". +Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. type: keyword -example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com +example: inbound -- -*`tls.client.ja3`*:: +*`network.forwarded_ip`*:: + -- -A hash that identifies clients based on how they perform an SSL/TLS handshake. +Host IP address when the source IP address is the proxy. -type: keyword +type: ip -example: d4e5b18d6b55c71272893221c96ba240 +example: 192.1.1.2 -- -*`tls.client.not_after`*:: +*`network.iana_number`*:: + -- -Date/Time indicating when client certificate is no longer considered valid. +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: 6 -- -*`tls.client.not_before`*:: +*`network.inner`*:: + -- -Date/Time indicating when client certificate is first considered valid. - -type: date +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. 
Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) -example: 1970-01-01T00:00:00.000Z +type: object -- -*`tls.client.server_name`*:: +*`network.inner.vlan.id`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. +VLAN ID as reported by the observer. type: keyword -example: www.elastic.co +example: 10 -- -*`tls.client.subject`*:: +*`network.inner.vlan.name`*:: + -- -Distinguished name of subject of the x.509 certificate presented by the client. +Optional VLAN name as reported by the observer. type: keyword -example: CN=myclient, OU=Documentation Team, DC=example, DC=com +example: outside -- -*`tls.client.supported_ciphers`*:: +*`network.name`*:: + -- -Array of ciphers offered by the client during the client hello. +Name given by operators to sections of their network. type: keyword -example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] +example: Guest Wifi -- -*`tls.client.x509.alternative_names`*:: +*`network.packets`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. -type: keyword +type: long -example: *.elastic.co +example: 24 -- -*`tls.client.x509.issuer.common_name`*:: +*`network.protocol`*:: + -- -List of common name (CN) of issuing certificate authority. +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
type: keyword -example: Example SHA2 High Assurance Server CA +example: http -- -*`tls.client.x509.issuer.country`*:: +*`network.transport`*:: + -- -List of country (C) codes +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". type: keyword -example: US +example: tcp -- -*`tls.client.x509.issuer.distinguished_name`*:: +*`network.type`*:: + -- -Distinguished name (DN) of issuing certificate authority. +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". type: keyword -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA +example: ipv4 -- -*`tls.client.x509.issuer.locality`*:: +*`network.vlan.id`*:: + -- -List of locality names (L) +VLAN ID as reported by the observer. type: keyword -example: Mountain View +example: 10 -- -*`tls.client.x509.issuer.organization`*:: +*`network.vlan.name`*:: + -- -List of organizations (O) of issuing certificate authority. +Optional VLAN name as reported by the observer. type: keyword -example: Example Inc +example: outside -- -*`tls.client.x509.issuer.organizational_unit`*:: +[float] +=== observer + +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. 
The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. + + +*`observer.egress`*:: + -- -List of organizational units (OU) of issuing certificate authority. - -type: keyword +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. -example: www.example.com +type: object -- -*`tls.client.x509.issuer.state_or_province`*:: +*`observer.egress.interface.alias`*:: + -- -List of state or province names (ST, S, or P) +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. type: keyword -example: California +example: outside -- -*`tls.client.x509.not_after`*:: +*`observer.egress.interface.id`*:: + -- -Time at which the certificate is no longer considered valid. +Interface ID as reported by an observer (typically SNMP interface ID). -type: date +type: keyword -example: 2020-07-16 03:15:39+00:00 +example: 10 -- -*`tls.client.x509.not_before`*:: +*`observer.egress.interface.name`*:: + -- -Time at which the certificate is first considered valid. +Interface name as reported by the system. -type: date +type: keyword -example: 2019-08-16 01:40:25+00:00 +example: eth0 -- -*`tls.client.x509.public_key_algorithm`*:: +*`observer.egress.vlan.id`*:: + -- -Algorithm used to generate the public key. +VLAN ID as reported by the observer. type: keyword -example: RSA +example: 10 -- -*`tls.client.x509.public_key_curve`*:: +*`observer.egress.vlan.name`*:: + -- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. +Optional VLAN name as reported by the observer. 
type: keyword -example: nistp521 +example: outside -- -*`tls.client.x509.public_key_exponent`*:: +*`observer.egress.zone`*:: + -- -Exponent used to derive the public key. This is algorithm specific. - -type: long +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. -example: 65537 +type: keyword -Field is not indexed. +example: Public_Internet -- -*`tls.client.x509.public_key_size`*:: +*`observer.geo.city_name`*:: + -- -The size of the public key space in bits. +City name. -type: long +type: keyword -example: 2048 +example: Montreal -- -*`tls.client.x509.serial_number`*:: +*`observer.geo.continent_code`*:: + -- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. +Two-letter code representing continent's name. type: keyword -example: 55FBB9C7DEBF09809D12CCAA +example: NA -- -*`tls.client.x509.signature_algorithm`*:: +*`observer.geo.continent_name`*:: + -- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. +Name of the continent. type: keyword -example: SHA256-RSA +example: North America -- -*`tls.client.x509.subject.common_name`*:: +*`observer.geo.country_iso_code`*:: + -- -List of common names (CN) of subject. +Country ISO code. type: keyword -example: shared.global.example.net +example: CA -- -*`tls.client.x509.subject.country`*:: +*`observer.geo.country_name`*:: + -- -List of country (C) code +Country name. type: keyword -example: US +example: Canada -- -*`tls.client.x509.subject.distinguished_name`*:: +*`observer.geo.location`*:: + -- -Distinguished name (DN) of the certificate subject entity. +Longitude and latitude. 
-type: keyword +type: geo_point -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`tls.client.x509.subject.locality`*:: +*`observer.geo.name`*:: + -- -List of locality names (L) +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: San Francisco +example: boston-dc -- -*`tls.client.x509.subject.organization`*:: +*`observer.geo.postal_code`*:: + -- -List of organizations (O) of subject. +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. type: keyword -example: Example, Inc. +example: 94040 -- -*`tls.client.x509.subject.organizational_unit`*:: +*`observer.geo.region_iso_code`*:: + -- -List of organizational units (OU) of subject. +Region ISO code. type: keyword +example: CA-QC + -- -*`tls.client.x509.subject.state_or_province`*:: +*`observer.geo.region_name`*:: + -- -List of state or province names (ST, S, or P) +Region name. type: keyword -example: California +example: Quebec -- -*`tls.client.x509.version_number`*:: +*`observer.geo.timezone`*:: + -- -Version of x509 format. +The time zone of the location, such as IANA time zone name. type: keyword -example: 3 +example: America/Argentina/Buenos_Aires -- -*`tls.curve`*:: +*`observer.hostname`*:: + -- -String indicating the curve used for the given cipher, when applicable. +Hostname of the observer. type: keyword -example: secp256r1 - -- -*`tls.established`*:: +*`observer.ingress`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. 
+Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. -type: boolean +type: object -- -*`tls.next_protocol`*:: +*`observer.ingress.interface.alias`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. type: keyword -example: http/1.1 +example: outside -- -*`tls.resumed`*:: +*`observer.ingress.interface.id`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +Interface ID as reported by an observer (typically SNMP interface ID). -type: boolean +type: keyword + +example: 10 -- -*`tls.server.certificate`*:: +*`observer.ingress.interface.name`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +Interface name as reported by the system. type: keyword -example: MII... +example: eth0 -- -*`tls.server.certificate_chain`*:: +*`observer.ingress.vlan.id`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +VLAN ID as reported by the observer. type: keyword -example: ["MII...", "MII..."] +example: 10 -- -*`tls.server.hash.md5`*:: +*`observer.ingress.vlan.name`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. 
For consistency with other hash values, this value should be formatted as an uppercase hash. +Optional VLAN name as reported by the observer. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: outside -- -*`tls.server.hash.sha1`*:: +*`observer.ingress.zone`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: DMZ -- -*`tls.server.hash.sha256`*:: +*`observer.ip`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword +IP addresses of the observer. -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +type: ip -- -*`tls.server.issuer`*:: +*`observer.mac`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +MAC addresses of the observer. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword -example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com +example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] -- -*`tls.server.ja3s`*:: +*`observer.name`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +Custom name of the observer. +This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. 
+If no custom name is needed, the field can be left empty. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: 1_proxySG -- -*`tls.server.not_after`*:: +*`observer.os.family`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. +OS family (such as redhat, debian, freebsd, windows). -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: debian -- -*`tls.server.not_before`*:: +*`observer.os.full`*:: + -- -Timestamp indicating when server certificate is first considered valid. +Operating system name, including the version or code name. -type: date +type: keyword -example: 1970-01-01T00:00:00.000Z +example: Mac OS Mojave -- -*`tls.server.subject`*:: +*`observer.os.full.text`*:: + -- -Subject of the x.509 certificate presented by the server. - -type: keyword - -example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com +type: text -- -*`tls.server.x509.alternative_names`*:: +*`observer.os.kernel`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. +Operating system kernel version as a raw string. type: keyword -example: *.elastic.co +example: 4.4.0-112-generic -- -*`tls.server.x509.issuer.common_name`*:: +*`observer.os.name`*:: + -- -List of common name (CN) of issuing certificate authority. +Operating system name, without the version. type: keyword -example: Example SHA2 High Assurance Server CA +example: Mac OS X -- -*`tls.server.x509.issuer.country`*:: +*`observer.os.name.text`*:: + -- -List of country (C) codes - -type: keyword - -example: US +type: text -- -*`tls.server.x509.issuer.distinguished_name`*:: +*`observer.os.platform`*:: + -- -Distinguished name (DN) of issuing certificate authority. +Operating system platform (such centos, ubuntu, windows). 
type: keyword -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA +example: darwin -- -*`tls.server.x509.issuer.locality`*:: +*`observer.os.type`*:: + -- -List of locality names (L) +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword -example: Mountain View +example: macos -- -*`tls.server.x509.issuer.organization`*:: +*`observer.os.version`*:: + -- -List of organizations (O) of issuing certificate authority. +Operating system version as a raw string. type: keyword -example: Example Inc +example: 10.14.1 -- -*`tls.server.x509.issuer.organizational_unit`*:: +*`observer.product`*:: + -- -List of organizational units (OU) of issuing certificate authority. +The product name of the observer. type: keyword -example: www.example.com +example: s200 -- -*`tls.server.x509.issuer.state_or_province`*:: +*`observer.serial_number`*:: + -- -List of state or province names (ST, S, or P) +Observer serial number. type: keyword -example: California - -- -*`tls.server.x509.not_after`*:: +*`observer.type`*:: + -- -Time at which the certificate is no longer considered valid. +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. -type: date +type: keyword -example: 2020-07-16 03:15:39+00:00 +example: firewall -- -*`tls.server.x509.not_before`*:: +*`observer.vendor`*:: + -- -Time at which the certificate is first considered valid. +Vendor name of the observer. 
-type: date +type: keyword -example: 2019-08-16 01:40:25+00:00 +example: Symantec -- -*`tls.server.x509.public_key_algorithm`*:: +*`observer.version`*:: + -- -Algorithm used to generate the public key. +Observer version. type: keyword -example: RSA - --- - -*`tls.server.x509.public_key_curve`*:: -+ -- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: keyword +[float] +=== orchestrator -example: nistp521 +Fields that describe the resources which container orchestrators manage or act upon. --- -*`tls.server.x509.public_key_exponent`*:: +*`orchestrator.api_version`*:: + -- -Exponent used to derive the public key. This is algorithm specific. - -type: long +API version being used to carry out the action -example: 65537 +type: keyword -Field is not indexed. +example: v1beta1 -- -*`tls.server.x509.public_key_size`*:: +*`orchestrator.cluster.name`*:: + -- -The size of the public key space in bits. - -type: long +Name of the cluster. -example: 2048 +type: keyword -- -*`tls.server.x509.serial_number`*:: +*`orchestrator.cluster.url`*:: + -- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. +URL of the API used to manage the cluster. type: keyword -example: 55FBB9C7DEBF09809D12CCAA - -- -*`tls.server.x509.signature_algorithm`*:: +*`orchestrator.cluster.version`*:: + -- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. +The version of the cluster. type: keyword -example: SHA256-RSA - -- -*`tls.server.x509.subject.common_name`*:: +*`orchestrator.namespace`*:: + -- -List of common names (CN) of subject. +Namespace in which the action is taking place. 
type: keyword -example: shared.global.example.net +example: kube-system -- -*`tls.server.x509.subject.country`*:: +*`orchestrator.organization`*:: + -- -List of country (C) code +Organization affected by the event (for multi-tenant orchestrator setups). type: keyword -example: US +example: elastic -- -*`tls.server.x509.subject.distinguished_name`*:: +*`orchestrator.resource.name`*:: + -- -Distinguished name (DN) of the certificate subject entity. +Name of the resource being acted upon. type: keyword -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net +example: test-pod-cdcws -- -*`tls.server.x509.subject.locality`*:: +*`orchestrator.resource.type`*:: + -- -List of locality names (L) +Type of resource being acted upon. type: keyword -example: San Francisco +example: service -- -*`tls.server.x509.subject.organization`*:: +*`orchestrator.type`*:: + -- -List of organizations (O) of subject. +Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). type: keyword -example: Example, Inc. +example: kubernetes -- -*`tls.server.x509.subject.organizational_unit`*:: +[float] +=== organization + +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. + + +*`organization.id`*:: + -- -List of organizational units (OU) of subject. +Unique identifier for the organization. type: keyword -- -*`tls.server.x509.subject.state_or_province`*:: +*`organization.name`*:: + -- -List of state or province names (ST, S, or P) +Organization name. type: keyword -example: California - -- -*`tls.server.x509.version_number`*:: +*`organization.name.text`*:: + -- -Version of x509 format. +type: text -type: keyword +-- -example: 3 +[float] +=== os --- +The OS fields contain information about the operating system. 
-*`tls.version`*:: + +*`os.family`*:: + -- -Numeric part of the version parsed from the original string. +OS family (such as redhat, debian, freebsd, windows). type: keyword -example: 1.2 +example: debian -- -*`tls.version_protocol`*:: +*`os.full`*:: + -- -Normalized lowercase protocol name parsed from original string. +Operating system name, including the version or code name. type: keyword -example: tls +example: Mac OS Mojave -- -*`span.id`*:: +*`os.full.text`*:: + -- -Unique identifier of the span within the scope of its trace. -A span represents an operation within a transaction, such as a request to another service, or a database query. - -type: keyword - -example: 3ff9a8981b7ccd5a +type: text -- -*`trace.id`*:: +*`os.kernel`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +Operating system kernel version as a raw string. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 +example: 4.4.0-112-generic -- -*`transaction.id`*:: +*`os.name`*:: + -- -Unique identifier of the transaction within the scope of its trace. -A transaction is the highest level of work measured within a service, such as a request to a server. +Operating system name, without the version. type: keyword -example: 00f067aa0ba902b7 +example: Mac OS X -- -[float] -=== url - -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +*`os.name.text`*:: ++ +-- +type: text +-- -*`url.domain`*:: +*`os.platform`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
+Operating system platform (such centos, ubuntu, windows). type: keyword -example: www.elastic.co +example: darwin -- -*`url.extension`*:: +*`os.type`*:: + -- -The field contains the file extension from the original request url, excluding the leading dot. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword -example: png +example: macos -- -*`url.fragment`*:: +*`os.version`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +Operating system version as a raw string. type: keyword +example: 10.14.1 + -- -*`url.full`*:: +[float] +=== package + +These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. + + +*`package.architecture`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +Package architecture. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top +example: x86_64 -- -*`url.full.text`*:: +*`package.build_version`*:: + -- -type: text +Additional information about the build version of the installed package. +For example use the commit SHA of a non-released package. 
+ +type: keyword + +example: 36f4f7e89dd61b0988b12ee000b98966867710cd -- -*`url.original`*:: +*`package.checksum`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +Checksum of the installed package for verification. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: 68b329da9893e34099c7d8ad5cb9c940 -- -*`url.original.text`*:: +*`package.description`*:: + -- -type: text +Description of the package. + +type: keyword + +example: Open source programming language to build simple/reliable/efficient software. -- -*`url.password`*:: +*`package.install_scope`*:: + -- -Password of the request. +Indicating how the package was installed, e.g. user-local, global. type: keyword +example: global + -- -*`url.path`*:: +*`package.installed`*:: + -- -Path of the request, such as "/search". +Time when package was installed. -type: keyword +type: date -- -*`url.port`*:: +*`package.license`*:: + -- -Port of the request, such as 443. - -type: long +License under which the package was released. +Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). -example: 443 +type: keyword -format: string +example: Apache License 2.0 -- -*`url.query`*:: +*`package.name`*:: + -- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
+Package name type: keyword +example: go + -- -*`url.registered_domain`*:: +*`package.path`*:: + -- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +Path where the package is installed. type: keyword -example: example.com +example: /usr/local/Cellar/go/1.12.9/ -- -*`url.scheme`*:: +*`package.reference`*:: + -- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. +Home page or reference URL of the software in this package, if available. type: keyword -example: https +example: https://golang.org -- -*`url.subdomain`*:: +*`package.size`*:: + -- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. +Package size in bytes. -type: keyword +type: long -example: east +example: 62231 + +format: string -- -*`url.top_level_domain`*:: +*`package.type`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +Type of package. 
+This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. type: keyword -example: co.uk +example: rpm -- -*`url.username`*:: +*`package.version`*:: + -- -Username of the request. +Package version type: keyword +example: 1.12.9 + -- [float] -=== user +=== pe -The user fields describe information about the user that is relevant to the event. -Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +These fields contain Windows Portable Executable (PE) metadata. -*`user.changes.domain`*:: +*`pe.architecture`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +CPU architecture target for the file. type: keyword +example: x64 + -- -*`user.changes.email`*:: +*`pe.company`*:: + -- -User email address. +Internal company name of the file, provided at compile-time. type: keyword +example: Microsoft Corporation + -- -*`user.changes.full_name`*:: +*`pe.description`*:: + -- -User's full name, if available. +Internal description of the file, provided at compile-time. type: keyword -example: Albert Einstein +example: Paint -- -*`user.changes.full_name.text`*:: +*`pe.file_version`*:: + -- -type: text +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 -- -*`user.changes.group.domain`*:: +*`pe.imphash`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. 
type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`user.changes.group.id`*:: +*`pe.original_file_name`*:: + -- -Unique identifier for the group on the system/platform. +Internal name of the file, provided at compile-time. type: keyword +example: MSPAINT.EXE + -- -*`user.changes.group.name`*:: +*`pe.product`*:: + -- -Name of the group. +Internal product name of the file, provided at compile-time. type: keyword --- +example: Microsoft® Windows® Operating System -*`user.changes.hash`*:: -+ -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. -type: keyword +[float] +=== process --- +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. -*`user.changes.id`*:: + +*`process.args`*:: + -- -Unique identifier of the user. +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. type: keyword +example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] + -- -*`user.changes.name`*:: +*`process.args_count`*:: + -- -Short name or login of the user. +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. -type: keyword +type: long -example: albert +example: 4 -- -*`user.changes.name.text`*:: +*`process.code_signature.exists`*:: + -- -type: text +Boolean to capture if a signature is present. + +type: boolean + +example: true -- -*`user.changes.roles`*:: +*`process.code_signature.signing_id`*:: + -- -Array of user roles at the time of the event. +The identifier used to sign the process. 
+This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword -example: ["kibana_admin", "reporting_user"] +example: com.apple.xpc.proxy -- -*`user.domain`*:: +*`process.code_signature.status`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`user.effective.domain`*:: +*`process.code_signature.subject_name`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Subject name of the code signer type: keyword +example: Microsoft Corporation + -- -*`user.effective.email`*:: +*`process.code_signature.team_id`*:: + -- -User email address. +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. type: keyword +example: EQHXZ8M8AV + -- -*`user.effective.full_name`*:: +*`process.code_signature.trusted`*:: + -- -User's full name, if available. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean -example: Albert Einstein +example: true -- -*`user.effective.full_name.text`*:: +*`process.code_signature.valid`*:: + -- -type: text +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true -- -*`user.effective.group.domain`*:: +*`process.command_line`*:: + -- -Name of the directory the group is a member of. 
-For example, an LDAP or Active Directory domain name. +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. type: keyword +example: /usr/bin/ssh -l user 10.0.0.16 + -- -*`user.effective.group.id`*:: +*`process.command_line.text`*:: + -- -Unique identifier for the group on the system/platform. - -type: keyword +type: text -- -*`user.effective.group.name`*:: +*`process.elf.architecture`*:: + -- -Name of the group. +Machine architecture of the ELF file. type: keyword +example: x86-64 + -- -*`user.effective.hash`*:: +*`process.elf.byte_order`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +Byte sequence of ELF file. type: keyword +example: Little Endian + -- -*`user.effective.id`*:: +*`process.elf.cpu_type`*:: + -- -Unique identifier of the user. +CPU type of the ELF file. type: keyword +example: Intel + -- -*`user.effective.name`*:: +*`process.elf.creation_date`*:: + -- -Short name or login of the user. - -type: keyword +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. -example: albert +type: date -- -*`user.effective.name.text`*:: +*`process.elf.exports`*:: + -- -type: text +List of exported element names and types. + +type: flattened -- -*`user.effective.roles`*:: +*`process.elf.header.abi_version`*:: + -- -Array of user roles at the time of the event. +Version of the ELF Application Binary Interface (ABI). type: keyword -example: ["kibana_admin", "reporting_user"] - -- -*`user.email`*:: +*`process.elf.header.class`*:: + -- -User email address. +Header class of the ELF file. type: keyword -- -*`user.full_name`*:: +*`process.elf.header.data`*:: + -- -User's full name, if available. +Data table of the ELF header. 
type: keyword -example: Albert Einstein - -- -*`user.full_name.text`*:: +*`process.elf.header.entrypoint`*:: + -- -type: text +Header entrypoint of the ELF file. + +type: long + +format: string -- -*`user.group.domain`*:: +*`process.elf.header.object_version`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +"0x1" for original ELF files. type: keyword -- -*`user.group.id`*:: +*`process.elf.header.os_abi`*:: + -- -Unique identifier for the group on the system/platform. +Application Binary Interface (ABI) of the Linux OS. type: keyword -- -*`user.group.name`*:: +*`process.elf.header.type`*:: + -- -Name of the group. +Header type of the ELF file. type: keyword -- -*`user.hash`*:: +*`process.elf.header.version`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +Version of the ELF header. type: keyword -- -*`user.id`*:: +*`process.elf.imports`*:: + -- -Unique identifier of the user. +List of imported element names and types. + +type: flattened + +-- + +*`process.elf.sections`*:: ++ +-- +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + +type: nested + +-- + +*`process.elf.sections.chi2`*:: ++ +-- +Chi-square probability distribution of the section. + +type: long + +format: number + +-- + +*`process.elf.sections.entropy`*:: ++ +-- +Shannon entropy calculation from the section. + +type: long + +format: number + +-- + +*`process.elf.sections.flags`*:: ++ +-- +ELF Section List flags. type: keyword -- -*`user.name`*:: +*`process.elf.sections.name`*:: + -- -Short name or login of the user. +ELF Section List name. type: keyword -example: albert +-- + +*`process.elf.sections.physical_offset`*:: ++ +-- +ELF Section List offset. 
+ +type: keyword -- -*`user.name.text`*:: +*`process.elf.sections.physical_size`*:: + -- -type: text +ELF Section List physical size. + +type: long + +format: bytes -- -*`user.roles`*:: +*`process.elf.sections.type`*:: + -- -Array of user roles at the time of the event. +ELF Section List type. type: keyword -example: ["kibana_admin", "reporting_user"] +-- +*`process.elf.sections.virtual_address`*:: ++ -- +ELF Section List virtual address. -*`user.target.domain`*:: +type: long + +format: string + +-- + +*`process.elf.sections.virtual_size`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +ELF Section List virtual size. + +type: long + +format: string + +-- + +*`process.elf.segments`*:: ++ +-- +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. + +type: nested + +-- + +*`process.elf.segments.sections`*:: ++ +-- +ELF object segment sections. type: keyword -- -*`user.target.email`*:: +*`process.elf.segments.type`*:: + -- -User email address. +ELF object segment type. type: keyword -- -*`user.target.full_name`*:: +*`process.elf.shared_libraries`*:: + -- -User's full name, if available. +List of shared libraries used by this ELF object. type: keyword -example: Albert Einstein +-- + +*`process.elf.telfhash`*:: ++ +-- +telfhash symbol hash for ELF file. + +type: keyword -- -*`user.target.full_name.text`*:: +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
+ +type: keyword + +example: c2c455d9f99375d + +-- + +*`process.executable`*:: ++ +-- +Absolute path to the process executable. + +type: keyword + +example: /usr/bin/ssh + +-- + +*`process.executable.text`*:: + -- type: text -- -*`user.target.group.domain`*:: +*`process.exit_code`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). + +type: long + +example: 137 + +-- + +*`process.hash.md5`*:: ++ +-- +MD5 hash. type: keyword -- -*`user.target.group.id`*:: +*`process.hash.sha1`*:: + -- -Unique identifier for the group on the system/platform. +SHA1 hash. type: keyword -- -*`user.target.group.name`*:: +*`process.hash.sha256`*:: + -- -Name of the group. +SHA256 hash. type: keyword -- -*`user.target.hash`*:: +*`process.hash.sha512`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +SHA512 hash. type: keyword -- -*`user.target.id`*:: +*`process.hash.ssdeep`*:: + -- -Unique identifier of the user. +SSDEEP hash. type: keyword -- -*`user.target.name`*:: +*`process.name`*:: + -- -Short name or login of the user. +Process name. +Sometimes called program name or similar. type: keyword -example: albert +example: ssh -- -*`user.target.name.text`*:: +*`process.name.text`*:: + -- type: text -- -*`user.target.roles`*:: +*`process.parent.args`*:: + -- -Array of user roles at the time of the event. +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. type: keyword -example: ["kibana_admin", "reporting_user"] +example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] -- -[float] -=== user_agent +*`process.parent.args_count`*:: ++ +-- +Length of the process.args array. 
+This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. -The user_agent fields normally come from a browser request. -They often show up in web service logs coming from the parsed user agent string. +type: long +example: 4 -*`user_agent.device.name`*:: +-- + +*`process.parent.code_signature.exists`*:: + -- -Name of the device. +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.signing_id`*:: ++ +-- +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword -example: iPhone +example: com.apple.xpc.proxy -- -*`user_agent.name`*:: +*`process.parent.code_signature.status`*:: + -- -Name of the user agent. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword -example: Safari +example: ERROR_UNTRUSTED_ROOT -- -*`user_agent.original`*:: +*`process.parent.code_signature.subject_name`*:: + -- -Unparsed user_agent string. +Subject name of the code signer type: keyword -example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +example: Microsoft Corporation -- -*`user_agent.original.text`*:: +*`process.parent.code_signature.team_id`*:: ++ +-- +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + +type: keyword + +example: EQHXZ8M8AV + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. 
+Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`process.parent.command_line`*:: ++ +-- +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. + +type: keyword + +example: /usr/bin/ssh -l user 10.0.0.16 + +-- + +*`process.parent.command_line.text`*:: + -- type: text -- -*`user_agent.os.family`*:: +*`process.parent.elf.architecture`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +Machine architecture of the ELF file. type: keyword -example: debian +example: x86-64 -- -*`user_agent.os.full`*:: +*`process.parent.elf.byte_order`*:: + -- -Operating system name, including the version or code name. +Byte sequence of ELF file. type: keyword -example: Mac OS Mojave +example: Little Endian -- -*`user_agent.os.full.text`*:: +*`process.parent.elf.cpu_type`*:: + -- -type: text +CPU type of the ELF file. + +type: keyword + +example: Intel -- -*`user_agent.os.kernel`*:: +*`process.parent.elf.creation_date`*:: + -- -Operating system kernel version as a raw string. +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + +type: date + +-- + +*`process.parent.elf.exports`*:: ++ +-- +List of exported element names and types. + +type: flattened + +-- + +*`process.parent.elf.header.abi_version`*:: ++ +-- +Version of the ELF Application Binary Interface (ABI). type: keyword -example: 4.4.0-112-generic +-- +*`process.parent.elf.header.class`*:: ++ -- +Header class of the ELF file. 
-*`user_agent.os.name`*:: +type: keyword + +-- + +*`process.parent.elf.header.data`*:: + -- -Operating system name, without the version. +Data table of the ELF header. type: keyword -example: Mac OS X +-- +*`process.parent.elf.header.entrypoint`*:: ++ -- +Header entrypoint of the ELF file. -*`user_agent.os.name.text`*:: +type: long + +format: string + +-- + +*`process.parent.elf.header.object_version`*:: + -- -type: text +"0x1" for original ELF files. + +type: keyword -- -*`user_agent.os.platform`*:: +*`process.parent.elf.header.os_abi`*:: + -- -Operating system platform (such centos, ubuntu, windows). +Application Binary Interface (ABI) of the Linux OS. type: keyword -example: darwin +-- + +*`process.parent.elf.header.type`*:: ++ +-- +Header type of the ELF file. + +type: keyword -- -*`user_agent.os.type`*:: +*`process.parent.elf.header.version`*:: + -- -Use the `os.type` field to categorize the operating system into one of the broad commercial families. -One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +Version of the ELF header. type: keyword -example: macos +-- + +*`process.parent.elf.imports`*:: ++ +-- +List of imported element names and types. + +type: flattened -- -*`user_agent.os.version`*:: +*`process.parent.elf.sections`*:: + -- -Operating system version as a raw string. +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + +type: nested + +-- + +*`process.parent.elf.sections.chi2`*:: ++ +-- +Chi-square probability distribution of the section. + +type: long + +format: number + +-- + +*`process.parent.elf.sections.entropy`*:: ++ +-- +Shannon entropy calculation from the section. 
+ +type: long + +format: number + +-- + +*`process.parent.elf.sections.flags`*:: ++ +-- +ELF Section List flags. type: keyword -example: 10.14.1 +-- +*`process.parent.elf.sections.name`*:: ++ -- +ELF Section List name. -*`user_agent.version`*:: +type: keyword + +-- + +*`process.parent.elf.sections.physical_offset`*:: + -- -Version of the user agent. +ELF Section List offset. type: keyword -example: 12.0 +-- + +*`process.parent.elf.sections.physical_size`*:: ++ +-- +ELF Section List physical size. + +type: long + +format: bytes -- -[float] -=== vlan +*`process.parent.elf.sections.type`*:: ++ +-- +ELF Section List type. -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. -Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. -Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. -Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. +type: keyword +-- -*`vlan.id`*:: +*`process.parent.elf.sections.virtual_address`*:: ++ +-- +ELF Section List virtual address. + +type: long + +format: string + +-- + +*`process.parent.elf.sections.virtual_size`*:: ++ +-- +ELF Section List virtual size. 
+ +type: long + +format: string + +-- + +*`process.parent.elf.segments`*:: ++ +-- +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. + +type: nested + +-- + +*`process.parent.elf.segments.sections`*:: ++ +-- +ELF object segment sections. + +type: keyword + +-- + +*`process.parent.elf.segments.type`*:: ++ +-- +ELF object segment type. + +type: keyword + +-- + +*`process.parent.elf.shared_libraries`*:: ++ +-- +List of shared libraries used by this ELF object. + +type: keyword + +-- + +*`process.parent.elf.telfhash`*:: ++ +-- +telfhash symbol hash for ELF file. + +type: keyword + +-- + +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + +*`process.parent.executable`*:: ++ +-- +Absolute path to the process executable. + +type: keyword + +example: /usr/bin/ssh + +-- + +*`process.parent.executable.text`*:: ++ +-- +type: text + +-- + +*`process.parent.exit_code`*:: ++ +-- +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). + +type: long + +example: 137 + +-- + +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. 
+ +type: keyword + +-- + +*`process.parent.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + +*`process.parent.name`*:: ++ +-- +Process name. +Sometimes called program name or similar. + +type: keyword + +example: ssh + +-- + +*`process.parent.name.text`*:: ++ +-- +type: text + +-- + +*`process.parent.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`process.parent.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.parent.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. 
+ +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + +*`process.parent.thread.id`*:: ++ +-- +Thread ID. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + +*`process.parent.title`*:: ++ +-- +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + +type: keyword + +-- + +*`process.parent.title.text`*:: ++ +-- +type: text + +-- + +*`process.parent.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + +*`process.parent.working_directory`*:: ++ +-- +The working directory of the process. + +type: keyword + +example: /home/alice + +-- + +*`process.parent.working_directory.text`*:: ++ +-- +type: text + +-- + +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. 
+ +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.start`*:: ++ +-- +The time the process started. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + +*`process.thread.id`*:: ++ +-- +Thread ID. + +type: long + +example: 4242 + +format: string + +-- + +*`process.thread.name`*:: ++ +-- +Thread name. + +type: keyword + +example: thread-0 + +-- + +*`process.title`*:: ++ +-- +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + +type: keyword + +-- + +*`process.title.text`*:: ++ +-- +type: text + +-- + +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + +*`process.working_directory`*:: ++ +-- +The working directory of the process. + +type: keyword + +example: /home/alice + +-- + +*`process.working_directory.text`*:: ++ +-- +type: text + +-- + +[float] +=== registry + +Fields related to Windows Registry operations. + + +*`registry.data.bytes`*:: ++ +-- +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. 
+ +type: keyword + +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + +-- + +*`registry.data.strings`*:: ++ +-- +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + +type: keyword + +example: ["C:\rta\red_ttp\bin\myapp.exe"] + +-- + +*`registry.data.type`*:: ++ +-- +Standard registry type for encoding contents + +type: keyword + +example: REG_SZ + +-- + +*`registry.hive`*:: ++ +-- +Abbreviated name for the hive. + +type: keyword + +example: HKLM + +-- + +*`registry.key`*:: ++ +-- +Hive-relative path of keys. + +type: keyword + +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + +-- + +*`registry.path`*:: ++ +-- +Full path, including hive, key and value + +type: keyword + +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + +-- + +*`registry.value`*:: ++ +-- +Name of the value written. + +type: keyword + +example: Debugger + +-- + +[float] +=== related + +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword + +-- + +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + +*`related.ip`*:: ++ +-- +All of the IPs seen on your event. + +type: ip + +-- + +*`related.user`*:: ++ +-- +All the user names or other user identifiers seen on the event. + +type: keyword + +-- + +[float] +=== rule + +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. + + +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ["Star-Lord"] + +-- + +*`rule.category`*:: ++ +-- +A categorization value keyword used by the entity using the rule for detection of this event. + +type: keyword + +example: Attempted Information Leak + +-- + +*`rule.description`*:: ++ +-- +The description of the rule generating the event. + +type: keyword + +example: Block requests to public DNS over HTTPS / TLS protocols + +-- + +*`rule.id`*:: ++ +-- +A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + +type: keyword + +example: 101 + +-- + +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + +*`rule.name`*:: ++ +-- +The name of the rule or signature generating the event. 
+ +type: keyword + +example: BLOCK_DNS_over_TLS + +-- + +*`rule.reference`*:: ++ +-- +Reference URL to additional information about the rule used to generate this event. +The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. + +type: keyword + +example: https://en.wikipedia.org/wiki/DNS_over_TLS + +-- + +*`rule.ruleset`*:: ++ +-- +Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + +type: keyword + +example: Standard_Protocol_Filters + +-- + +*`rule.uuid`*:: ++ +-- +A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + +type: keyword + +example: 1100110011 + +-- + +*`rule.version`*:: ++ +-- +The version / revision of the rule being used for analysis. + +type: keyword + +example: 1.1 + +-- + +[float] +=== server + +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + + +*`server.address`*:: ++ +-- +Some event server addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + +type: keyword + +-- + +*`server.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`server.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`server.as.organization.name.text`*:: ++ +-- +type: text + +-- + +*`server.bytes`*:: ++ +-- +Bytes sent from the server to the client. + +type: long + +example: 184 + +format: bytes + +-- + +*`server.domain`*:: ++ +-- +Server domain. + +type: keyword + +-- + +*`server.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`server.geo.continent_code`*:: ++ +-- +Two-letter code representing continent's name. + +type: keyword + +example: NA + +-- + +*`server.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`server.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`server.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`server.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`server.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`server.geo.postal_code`*:: ++ +-- +Postal code associated with the location. 
+Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + +type: keyword + +example: 94040 + +-- + +*`server.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`server.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`server.geo.timezone`*:: ++ +-- +The time zone of the location, such as IANA time zone name. + +type: keyword + +example: America/Argentina/Buenos_Aires + +-- + +*`server.ip`*:: ++ +-- +IP address of the server (IPv4 or IPv6). + +type: ip + +-- + +*`server.mac`*:: ++ +-- +MAC address of the server. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + +type: keyword + +example: 00-00-5E-00-53-23 + +-- + +*`server.nat.ip`*:: ++ +-- +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip + +-- + +*`server.nat.port`*:: ++ +-- +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + +*`server.packets`*:: ++ +-- +Packets sent from the server to the client. + +type: long + +example: 12 + +-- + +*`server.port`*:: ++ +-- +Port of the server. + +type: long + +format: string + +-- + +*`server.registered_domain`*:: ++ +-- +The highest registered server domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
+ +type: keyword + +example: example.com + +-- + +*`server.subdomain`*:: ++ +-- +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + +example: east + +-- + +*`server.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`server.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`server.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`server.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`server.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`server.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`server.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`server.user.group.name`*:: ++ +-- +Name of the group. 
+ +type: keyword + +-- + +*`server.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`server.user.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`server.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`server.user.name.text`*:: ++ +-- +type: text + +-- + +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== service + +The service fields describe the service for or from which the data was collected. +These fields help you find and correlate logs for a specific service and version. + + +*`service.ephemeral_id`*:: ++ +-- +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. + +type: keyword + +example: 8a4f500f + +-- + +*`service.id`*:: ++ +-- +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + +type: keyword + +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + +-- + +*`service.name`*:: ++ +-- +Name of the service data is collected from. +The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. +In the case of Elasticsearch the `service.name` could contain the cluster name. 
For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + +type: keyword + +example: elasticsearch-metrics + +-- + +*`service.node.name`*:: ++ +-- +Name of a service node. +This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. +In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + +type: keyword + +example: instance-0000000016 + +-- + +*`service.state`*:: ++ +-- +Current state of the service. + +type: keyword + +-- + +*`service.type`*:: ++ +-- +The type of the service data is collected from. +The type can be used to group and correlate logs and metrics from one service type. +Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + +type: keyword + +example: elasticsearch + +-- + +*`service.version`*:: ++ +-- +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. + +type: keyword + +example: 3.2.4 + +-- + +[float] +=== source + +Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. 
If the event also contains identification of the client and server roles, then the client and server fields should also be populated. + + +*`source.address`*:: ++ +-- +Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + +type: keyword + +-- + +*`source.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`source.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`source.as.organization.name.text`*:: ++ +-- +type: text + +-- + +*`source.bytes`*:: ++ +-- +Bytes sent from the source to the destination. + +type: long + +example: 184 + +format: bytes + +-- + +*`source.domain`*:: ++ +-- +Source domain. + +type: keyword + +-- + +*`source.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`source.geo.continent_code`*:: ++ +-- +Two-letter code representing continent's name. + +type: keyword + +example: NA + +-- + +*`source.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`source.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`source.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`source.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`source.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. 
+ +type: keyword + +example: boston-dc + +-- + +*`source.geo.postal_code`*:: ++ +-- +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + +type: keyword + +example: 94040 + +-- + +*`source.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`source.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`source.geo.timezone`*:: ++ +-- +The time zone of the location, such as IANA time zone name. + +type: keyword + +example: America/Argentina/Buenos_Aires + +-- + +*`source.ip`*:: ++ +-- +IP address of the source (IPv4 or IPv6). + +type: ip + +-- + +*`source.mac`*:: ++ +-- +MAC address of the source. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + +type: keyword + +example: 00-00-5E-00-53-23 + +-- + +*`source.nat.ip`*:: ++ +-- +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. + +type: ip + +-- + +*`source.nat.port`*:: ++ +-- +Translated port of source based NAT sessions. (e.g. internal client to internet) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string + +-- + +*`source.packets`*:: ++ +-- +Packets sent from the source to the destination. + +type: long + +example: 12 + +-- + +*`source.port`*:: ++ +-- +Port of the source. + +type: long + +format: string + +-- + +*`source.registered_domain`*:: ++ +-- +The highest registered source domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: example.com + +-- + +*`source.subdomain`*:: ++ +-- +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + +example: east + +-- + +*`source.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`source.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`source.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`source.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`source.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`source.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`source.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`source.user.group.name`*:: ++ +-- +Name of the group. 
+ +type: keyword + +-- + +*`source.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`source.user.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`source.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`source.user.name.text`*:: ++ +-- +type: text + +-- + +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== threat + +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. +These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). + + +*`threat.enrichments`*:: ++ +-- +A list of associated indicators objects enriching the event, and the context of that association/enrichment. + +type: nested + +-- + +*`threat.enrichments.indicator`*:: ++ +-- +Object containing associated indicators enriching the event. + +type: object + +-- + +*`threat.enrichments.indicator.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`threat.enrichments.indicator.as.organization.name`*:: ++ +-- +Organization name. 
+ +type: keyword + +example: Google LLC + +-- + +*`threat.enrichments.indicator.as.organization.name.text`*:: ++ +-- +type: text + +-- + +*`threat.enrichments.indicator.confidence`*:: ++ +-- +Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values: + * Not Specified, None, Low, Medium, High + * 0-10 + * Admirality Scale (1-6) + * DNI Scale (5-95) + * WEP Scale (Impossible - Certain) + +type: keyword + +example: High + +-- + +*`threat.enrichments.indicator.description`*:: ++ +-- +Describes the type of action conducted by the threat. + +type: keyword + +example: IP x.x.x.x was observed delivering the Angler EK. + +-- + +*`threat.enrichments.indicator.email.address`*:: ++ +-- +Identifies a threat indicator as an email address (irrespective of direction). + +type: keyword + +example: phish@example.com + +-- + +*`threat.enrichments.indicator.file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date + +-- + +*`threat.enrichments.indicator.file.attributes`*:: ++ +-- +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + +type: keyword + +example: ["readonly", "system"] + +-- + +*`threat.enrichments.indicator.file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`threat.enrichments.indicator.file.code_signature.signing_id`*:: ++ +-- +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + +type: keyword + +example: com.apple.xpc.proxy + +-- + +*`threat.enrichments.indicator.file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. 
+This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`threat.enrichments.indicator.file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.enrichments.indicator.file.code_signature.team_id`*:: ++ +-- +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + +type: keyword + +example: EQHXZ8M8AV + +-- + +*`threat.enrichments.indicator.file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`threat.enrichments.indicator.file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`threat.enrichments.indicator.file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + +*`threat.enrichments.indicator.file.ctime`*:: ++ +-- +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date + +-- + +*`threat.enrichments.indicator.file.device`*:: ++ +-- +Device that is the source of the file. + +type: keyword + +example: sda + +-- + +*`threat.enrichments.indicator.file.directory`*:: ++ +-- +Directory where the file is located. It should include the drive letter, when appropriate. 
+ +type: keyword + +example: /home/alice + +-- + +*`threat.enrichments.indicator.file.drive_letter`*:: ++ +-- +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. + +type: keyword + +example: C + +-- + +*`threat.enrichments.indicator.file.elf.architecture`*:: ++ +-- +Machine architecture of the ELF file. + +type: keyword + +example: x86-64 + +-- + +*`threat.enrichments.indicator.file.elf.byte_order`*:: ++ +-- +Byte sequence of ELF file. + +type: keyword + +example: Little Endian + +-- + +*`threat.enrichments.indicator.file.elf.cpu_type`*:: ++ +-- +CPU type of the ELF file. + +type: keyword + +example: Intel + +-- + +*`threat.enrichments.indicator.file.elf.creation_date`*:: ++ +-- +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + +type: date + +-- + +*`threat.enrichments.indicator.file.elf.exports`*:: ++ +-- +List of exported element names and types. + +type: flattened + +-- + +*`threat.enrichments.indicator.file.elf.header.abi_version`*:: ++ +-- +Version of the ELF Application Binary Interface (ABI). + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.header.class`*:: ++ +-- +Header class of the ELF file. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.header.data`*:: ++ +-- +Data table of the ELF header. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.header.entrypoint`*:: ++ +-- +Header entrypoint of the ELF file. + +type: long + +format: string + +-- + +*`threat.enrichments.indicator.file.elf.header.object_version`*:: ++ +-- +"0x1" for original ELF files. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.header.os_abi`*:: ++ +-- +Application Binary Interface (ABI) of the Linux OS. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.header.type`*:: ++ +-- +Header type of the ELF file. 
+ +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.header.version`*:: ++ +-- +Version of the ELF header. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.imports`*:: ++ +-- +List of imported element names and types. + +type: flattened + +-- + +*`threat.enrichments.indicator.file.elf.sections`*:: ++ +-- +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + +type: nested + +-- + +*`threat.enrichments.indicator.file.elf.sections.chi2`*:: ++ +-- +Chi-square probability distribution of the section. + +type: long + +format: number + +-- + +*`threat.enrichments.indicator.file.elf.sections.entropy`*:: ++ +-- +Shannon entropy calculation from the section. + +type: long + +format: number + +-- + +*`threat.enrichments.indicator.file.elf.sections.flags`*:: ++ +-- +ELF Section List flags. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.sections.name`*:: ++ +-- +ELF Section List name. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.sections.physical_offset`*:: ++ +-- +ELF Section List offset. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.sections.physical_size`*:: ++ +-- +ELF Section List physical size. + +type: long + +format: bytes + +-- + +*`threat.enrichments.indicator.file.elf.sections.type`*:: ++ +-- +ELF Section List type. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.sections.virtual_address`*:: ++ +-- +ELF Section List virtual address. + +type: long + +format: string + +-- + +*`threat.enrichments.indicator.file.elf.sections.virtual_size`*:: ++ +-- +ELF Section List virtual size. + +type: long + +format: string + +-- + +*`threat.enrichments.indicator.file.elf.segments`*:: ++ +-- +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. 
+ +type: nested + +-- + +*`threat.enrichments.indicator.file.elf.segments.sections`*:: ++ +-- +ELF object segment sections. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.segments.type`*:: ++ +-- +ELF object segment type. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.shared_libraries`*:: ++ +-- +List of shared libraries used by this ELF object. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.elf.telfhash`*:: ++ +-- +telfhash symbol hash for ELF file. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.extension`*:: ++ +-- +File extension, excluding the leading dot. +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + +type: keyword + +example: png + +-- + +*`threat.enrichments.indicator.file.gid`*:: ++ +-- +Primary group ID (GID) of the file. + +type: keyword + +example: 1001 + +-- + +*`threat.enrichments.indicator.file.group`*:: ++ +-- +Primary group name of the file. + +type: keyword + +example: alice + +-- + +*`threat.enrichments.indicator.file.inode`*:: ++ +-- +Inode representing the file in the filesystem. + +type: keyword + +example: 256383 + +-- + +*`threat.enrichments.indicator.file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.mode`*:: ++ +-- +Mode of the file in octal representation. + +type: keyword + +example: 0640 + +-- + +*`threat.enrichments.indicator.file.mtime`*:: ++ +-- +Last time the file content was modified. + +type: date + +-- + +*`threat.enrichments.indicator.file.name`*:: ++ +-- +Name of the file including the extension, without the directory. 
+ +type: keyword + +example: example.png + +-- + +*`threat.enrichments.indicator.file.owner`*:: ++ +-- +File owner's username. + +type: keyword + +example: alice + +-- + +*`threat.enrichments.indicator.file.path`*:: ++ +-- +Full path to the file, including the file name. It should include the drive letter, when appropriate. + +type: keyword + +example: /home/alice/example.png + +-- + +*`threat.enrichments.indicator.file.path.text`*:: ++ +-- +type: text + +-- + +*`threat.enrichments.indicator.file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". + +type: long + +example: 16384 + +-- + +*`threat.enrichments.indicator.file.target_path`*:: ++ +-- +Target path for symlinks. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.target_path.text`*:: ++ +-- +type: text + +-- + +*`threat.enrichments.indicator.file.type`*:: ++ +-- +File type (file, dir, or symlink). + +type: keyword + +example: file + +-- + +*`threat.enrichments.indicator.file.uid`*:: ++ +-- +The user ID (UID) or security identifier (SID) of the file owner. + +type: keyword + +example: 1001 + +-- + +*`threat.enrichments.indicator.first_seen`*:: ++ +-- +The date and time when intelligence source first reported sighting this indicator. + +type: date + +example: 2020-11-05T17:25:47.000Z + +-- + +*`threat.enrichments.indicator.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`threat.enrichments.indicator.geo.continent_code`*:: ++ +-- +Two-letter code representing continent's name. + +type: keyword + +example: NA + +-- + +*`threat.enrichments.indicator.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`threat.enrichments.indicator.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`threat.enrichments.indicator.geo.country_name`*:: ++ +-- +Country name. 
+ +type: keyword + +example: Canada + +-- + +*`threat.enrichments.indicator.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`threat.enrichments.indicator.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`threat.enrichments.indicator.geo.postal_code`*:: ++ +-- +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + +type: keyword + +example: 94040 + +-- + +*`threat.enrichments.indicator.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`threat.enrichments.indicator.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`threat.enrichments.indicator.geo.timezone`*:: ++ +-- +The time zone of the location, such as IANA time zone name. + +type: keyword + +example: America/Argentina/Buenos_Aires + +-- + +*`threat.enrichments.indicator.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.ip`*:: ++ +-- +Identifies a threat indicator as an IP address (irrespective of direction). 
+ +type: ip + +example: 1.2.3.4 + +-- + +*`threat.enrichments.indicator.last_seen`*:: ++ +-- +The date and time when intelligence source last reported sighting this indicator. + +type: date + +example: 2020-11-05T17:25:47.000Z + +-- + +*`threat.enrichments.indicator.marking.tlp`*:: ++ +-- +Traffic Light Protocol sharing markings. Recommended values are: + * WHITE + * GREEN + * AMBER + * RED + +type: keyword + +example: White + +-- + +*`threat.enrichments.indicator.modified_at`*:: ++ +-- +The date and time when intelligence source last modified information for this indicator. + +type: date + +example: 2020-11-05T17:25:47.000Z + +-- + +*`threat.enrichments.indicator.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.enrichments.indicator.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.enrichments.indicator.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.enrichments.indicator.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.enrichments.indicator.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.enrichments.indicator.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. 
+ +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.enrichments.indicator.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`threat.enrichments.indicator.port`*:: ++ +-- +Identifies a threat indicator as a port number (irrespective of direction). + +type: long + +example: 443 + +-- + +*`threat.enrichments.indicator.provider`*:: ++ +-- +The name of the indicator's provider. + +type: keyword + +example: lrz_urlhaus + +-- + +*`threat.enrichments.indicator.reference`*:: ++ +-- +Reference URL linking to additional information about this indicator. + +type: keyword + +example: https://system.example.com/indicator/0001234 + +-- + +*`threat.enrichments.indicator.registry.data.bytes`*:: ++ +-- +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. + +type: keyword + +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + +-- + +*`threat.enrichments.indicator.registry.data.strings`*:: ++ +-- +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + +type: keyword + +example: ["C:\rta\red_ttp\bin\myapp.exe"] + +-- + +*`threat.enrichments.indicator.registry.data.type`*:: ++ +-- +Standard registry type for encoding contents + +type: keyword + +example: REG_SZ + +-- + +*`threat.enrichments.indicator.registry.hive`*:: ++ +-- +Abbreviated name for the hive. 
+ +type: keyword + +example: HKLM + +-- + +*`threat.enrichments.indicator.registry.key`*:: ++ +-- +Hive-relative path of keys. + +type: keyword + +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + +-- + +*`threat.enrichments.indicator.registry.path`*:: ++ +-- +Full path, including hive, key and value + +type: keyword + +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + +-- + +*`threat.enrichments.indicator.registry.value`*:: ++ +-- +Name of the value written. + +type: keyword + +example: Debugger + +-- + +*`threat.enrichments.indicator.scanner_stats`*:: ++ +-- +Count of AV/EDR vendors that successfully detected malicious file or URL. + +type: long + +example: 4 + +-- + +*`threat.enrichments.indicator.sightings`*:: ++ +-- +Number of times this indicator was observed conducting threat activity. + +type: long + +example: 20 + +-- + +*`threat.enrichments.indicator.type`*:: ++ +-- +Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + +type: keyword + +example: ipv4-addr + +-- + +*`threat.enrichments.indicator.url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`threat.enrichments.indicator.url.extension`*:: ++ +-- +The field contains the file extension from the original request url, excluding the leading dot. 
+The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + +type: keyword + +example: png + +-- + +*`threat.enrichments.indicator.url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + +type: keyword + +-- + +*`threat.enrichments.indicator.url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`threat.enrichments.indicator.url.full.text`*:: ++ +-- +type: text + +-- + +*`threat.enrichments.indicator.url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`threat.enrichments.indicator.url.original.text`*:: ++ +-- +type: text + +-- + +*`threat.enrichments.indicator.url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`threat.enrichments.indicator.url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`threat.enrichments.indicator.url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`threat.enrichments.indicator.url.query`*:: ++ +-- +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. 
If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + +type: keyword + +-- + +*`threat.enrichments.indicator.url.registered_domain`*:: ++ +-- +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: example.com + +-- + +*`threat.enrichments.indicator.url.scheme`*:: ++ +-- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + +type: keyword + +example: https + +-- + +*`threat.enrichments.indicator.url.subdomain`*:: ++ +-- +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + +example: east + +-- + +*`threat.enrichments.indicator.url.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
+ +type: keyword + +example: co.uk + +-- + +*`threat.enrichments.indicator.url.username`*:: ++ +-- +Username of the request. + +type: keyword + +-- + +*`threat.enrichments.indicator.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`threat.enrichments.indicator.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`threat.enrichments.indicator.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`threat.enrichments.indicator.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`threat.enrichments.indicator.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`threat.enrichments.indicator.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`threat.enrichments.indicator.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`threat.enrichments.indicator.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`threat.enrichments.indicator.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. 
+ +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`threat.enrichments.indicator.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`threat.enrichments.indicator.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`threat.enrichments.indicator.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`threat.enrichments.indicator.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`threat.enrichments.indicator.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`threat.enrichments.indicator.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`threat.enrichments.indicator.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`threat.enrichments.indicator.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`threat.enrichments.indicator.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`threat.enrichments.indicator.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. 
+ +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`threat.enrichments.indicator.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`threat.enrichments.indicator.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`threat.enrichments.indicator.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`threat.enrichments.indicator.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`threat.enrichments.indicator.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`threat.enrichments.matched.atomic`*:: ++ +-- +Identifies the atomic indicator value that matched a local environment endpoint or network event. + +type: keyword + +example: bad-domain.com + +-- + +*`threat.enrichments.matched.field`*:: ++ +-- +Identifies the field of the atomic indicator that matched a local environment endpoint or network event. + +type: keyword + +example: file.hash.sha256 + +-- + +*`threat.enrichments.matched.id`*:: ++ +-- +Identifies the _id of the indicator document enriching the event. + +type: keyword + +example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + +-- + +*`threat.enrichments.matched.index`*:: ++ +-- +Identifies the _index of the indicator document enriching the event. + +type: keyword + +example: filebeat-8.0.0-2021.05.23-000011 + +-- + +*`threat.enrichments.matched.type`*:: ++ +-- +Identifies the type of match that caused the event to be enriched with the given indicator + +type: keyword + +example: indicator_match_rule + +-- + +*`threat.framework`*:: ++ +-- +Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. 
Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. + +type: keyword + +example: MITRE ATT&CK + +-- + +*`threat.group.alias`*:: ++ +-- +The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). + +type: keyword + +example: [ "Magecart Group 6" ] + +-- + +*`threat.group.id`*:: ++ +-- +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. + +type: keyword + +example: G0037 + +-- + +*`threat.group.name`*:: ++ +-- +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. + +type: keyword + +example: FIN6 + +-- + +*`threat.group.reference`*:: ++ +-- +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. + +type: keyword + +example: https://attack.mitre.org/groups/G0037/ + +-- + +*`threat.indicator.as.number`*:: ++ +-- +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 + +-- + +*`threat.indicator.as.organization.name`*:: ++ +-- +Organization name. + +type: keyword + +example: Google LLC + +-- + +*`threat.indicator.as.organization.name.text`*:: ++ +-- +type: text + +-- + +*`threat.indicator.confidence`*:: ++ +-- +Identifies the confidence rating assigned by the provider using STIX confidence scales. 
+Recommended values: + * Not Specified, None, Low, Medium, High + * 0-10 + * Admirality Scale (1-6) + * DNI Scale (5-95) + * WEP Scale (Impossible - Certain) + +type: keyword + +example: High + +-- + +*`threat.indicator.description`*:: ++ +-- +Describes the type of action conducted by the threat. + +type: keyword + +example: IP x.x.x.x was observed delivering the Angler EK. + +-- + +*`threat.indicator.email.address`*:: ++ +-- +Identifies a threat indicator as an email address (irrespective of direction). + +type: keyword + +example: phish@example.com + +-- + +*`threat.indicator.file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date + +-- + +*`threat.indicator.file.attributes`*:: ++ +-- +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + +type: keyword + +example: ["readonly", "system"] + +-- + +*`threat.indicator.file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`threat.indicator.file.code_signature.signing_id`*:: ++ +-- +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + +type: keyword + +example: com.apple.xpc.proxy + +-- + +*`threat.indicator.file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
+ +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`threat.indicator.file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.indicator.file.code_signature.team_id`*:: ++ +-- +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + +type: keyword + +example: EQHXZ8M8AV + +-- + +*`threat.indicator.file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`threat.indicator.file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`threat.indicator.file.created`*:: ++ +-- +File creation time. +Note that not all filesystems store the creation time. + +type: date + +-- + +*`threat.indicator.file.ctime`*:: ++ +-- +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date + +-- + +*`threat.indicator.file.device`*:: ++ +-- +Device that is the source of the file. + +type: keyword + +example: sda + +-- + +*`threat.indicator.file.directory`*:: ++ +-- +Directory where the file is located. It should include the drive letter, when appropriate. + +type: keyword + +example: /home/alice + +-- + +*`threat.indicator.file.drive_letter`*:: ++ +-- +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. 
+ +type: keyword + +example: C + +-- + +*`threat.indicator.file.elf.architecture`*:: ++ +-- +Machine architecture of the ELF file. + +type: keyword + +example: x86-64 + +-- + +*`threat.indicator.file.elf.byte_order`*:: ++ +-- +Byte sequence of ELF file. + +type: keyword + +example: Little Endian + +-- + +*`threat.indicator.file.elf.cpu_type`*:: ++ +-- +CPU type of the ELF file. + +type: keyword + +example: Intel + +-- + +*`threat.indicator.file.elf.creation_date`*:: ++ +-- +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + +type: date + +-- + +*`threat.indicator.file.elf.exports`*:: ++ +-- +List of exported element names and types. + +type: flattened + +-- + +*`threat.indicator.file.elf.header.abi_version`*:: ++ +-- +Version of the ELF Application Binary Interface (ABI). + +type: keyword + +-- + +*`threat.indicator.file.elf.header.class`*:: ++ +-- +Header class of the ELF file. + +type: keyword + +-- + +*`threat.indicator.file.elf.header.data`*:: ++ +-- +Data table of the ELF header. + +type: keyword + +-- + +*`threat.indicator.file.elf.header.entrypoint`*:: ++ +-- +Header entrypoint of the ELF file. + +type: long + +format: string + +-- + +*`threat.indicator.file.elf.header.object_version`*:: ++ +-- +"0x1" for original ELF files. + +type: keyword + +-- + +*`threat.indicator.file.elf.header.os_abi`*:: ++ +-- +Application Binary Interface (ABI) of the Linux OS. + +type: keyword + +-- + +*`threat.indicator.file.elf.header.type`*:: ++ +-- +Header type of the ELF file. + +type: keyword + +-- + +*`threat.indicator.file.elf.header.version`*:: ++ +-- +Version of the ELF header. + +type: keyword + +-- + +*`threat.indicator.file.elf.imports`*:: ++ +-- +List of imported element names and types. + +type: flattened + +-- + +*`threat.indicator.file.elf.sections`*:: ++ +-- +An array containing an object for each section of the ELF file. 
+The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + +type: nested + +-- + +*`threat.indicator.file.elf.sections.chi2`*:: ++ +-- +Chi-square probability distribution of the section. + +type: long + +format: number + +-- + +*`threat.indicator.file.elf.sections.entropy`*:: ++ +-- +Shannon entropy calculation from the section. + +type: long + +format: number + +-- + +*`threat.indicator.file.elf.sections.flags`*:: ++ +-- +ELF Section List flags. + +type: keyword + +-- + +*`threat.indicator.file.elf.sections.name`*:: ++ +-- +ELF Section List name. + +type: keyword + +-- + +*`threat.indicator.file.elf.sections.physical_offset`*:: ++ +-- +ELF Section List offset. + +type: keyword + +-- + +*`threat.indicator.file.elf.sections.physical_size`*:: ++ +-- +ELF Section List physical size. + +type: long + +format: bytes + +-- + +*`threat.indicator.file.elf.sections.type`*:: ++ +-- +ELF Section List type. + +type: keyword + +-- + +*`threat.indicator.file.elf.sections.virtual_address`*:: ++ +-- +ELF Section List virtual address. + +type: long + +format: string + +-- + +*`threat.indicator.file.elf.sections.virtual_size`*:: ++ +-- +ELF Section List virtual size. + +type: long + +format: string + +-- + +*`threat.indicator.file.elf.segments`*:: ++ +-- +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. + +type: nested + +-- + +*`threat.indicator.file.elf.segments.sections`*:: ++ +-- +ELF object segment sections. + +type: keyword + +-- + +*`threat.indicator.file.elf.segments.type`*:: ++ +-- +ELF object segment type. + +type: keyword + +-- + +*`threat.indicator.file.elf.shared_libraries`*:: ++ +-- +List of shared libraries used by this ELF object. + +type: keyword + +-- + +*`threat.indicator.file.elf.telfhash`*:: ++ +-- +telfhash symbol hash for ELF file. 
+ +type: keyword + +-- + +*`threat.indicator.file.extension`*:: ++ +-- +File extension, excluding the leading dot. +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + +type: keyword + +example: png + +-- + +*`threat.indicator.file.gid`*:: ++ +-- +Primary group ID (GID) of the file. + +type: keyword + +example: 1001 + +-- + +*`threat.indicator.file.group`*:: ++ +-- +Primary group name of the file. + +type: keyword + +example: alice + +-- + +*`threat.indicator.file.inode`*:: ++ +-- +Inode representing the file in the filesystem. + +type: keyword + +example: 256383 + +-- + +*`threat.indicator.file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + +*`threat.indicator.file.mode`*:: ++ +-- +Mode of the file in octal representation. + +type: keyword + +example: 0640 + +-- + +*`threat.indicator.file.mtime`*:: ++ +-- +Last time the file content was modified. + +type: date + +-- + +*`threat.indicator.file.name`*:: ++ +-- +Name of the file including the extension, without the directory. + +type: keyword + +example: example.png + +-- + +*`threat.indicator.file.owner`*:: ++ +-- +File owner's username. + +type: keyword + +example: alice + +-- + +*`threat.indicator.file.path`*:: ++ +-- +Full path to the file, including the file name. It should include the drive letter, when appropriate. + +type: keyword + +example: /home/alice/example.png + +-- + +*`threat.indicator.file.path.text`*:: ++ +-- +type: text + +-- + +*`threat.indicator.file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". + +type: long + +example: 16384 + +-- + +*`threat.indicator.file.target_path`*:: ++ +-- +Target path for symlinks. 
+ +type: keyword + +-- + +*`threat.indicator.file.target_path.text`*:: ++ +-- +type: text + +-- + +*`threat.indicator.file.type`*:: ++ +-- +File type (file, dir, or symlink). + +type: keyword + +example: file + +-- + +*`threat.indicator.file.uid`*:: ++ +-- +The user ID (UID) or security identifier (SID) of the file owner. + +type: keyword + +example: 1001 + +-- + +*`threat.indicator.first_seen`*:: ++ +-- +The date and time when intelligence source first reported sighting this indicator. + +type: date + +example: 2020-11-05T17:25:47.000Z + +-- + +*`threat.indicator.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`threat.indicator.geo.continent_code`*:: ++ +-- +Two-letter code representing continent's name. + +type: keyword + +example: NA + +-- + +*`threat.indicator.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`threat.indicator.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`threat.indicator.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`threat.indicator.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`threat.indicator.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`threat.indicator.geo.postal_code`*:: ++ +-- +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + +type: keyword + +example: 94040 + +-- + +*`threat.indicator.geo.region_iso_code`*:: ++ +-- +Region ISO code. 
+ +type: keyword + +example: CA-QC + +-- + +*`threat.indicator.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`threat.indicator.geo.timezone`*:: ++ +-- +The time zone of the location, such as IANA time zone name. + +type: keyword + +example: America/Argentina/Buenos_Aires + +-- + +*`threat.indicator.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.indicator.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.indicator.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.indicator.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.indicator.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + +*`threat.indicator.ip`*:: ++ +-- +Identifies a threat indicator as an IP address (irrespective of direction). + +type: ip + +example: 1.2.3.4 + +-- + +*`threat.indicator.last_seen`*:: ++ +-- +The date and time when intelligence source last reported sighting this indicator. + +type: date + +example: 2020-11-05T17:25:47.000Z + +-- + +*`threat.indicator.marking.tlp`*:: ++ +-- +Traffic Light Protocol sharing markings. +Recommended values are: + * WHITE + * GREEN + * AMBER + * RED + +type: keyword + +example: WHITE + +-- + +*`threat.indicator.modified_at`*:: ++ +-- +The date and time when intelligence source last modified information for this indicator. + +type: date + +example: 2020-11-05T17:25:47.000Z + +-- + +*`threat.indicator.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.indicator.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.indicator.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.indicator.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. 
+ +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.indicator.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.indicator.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.indicator.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`threat.indicator.port`*:: ++ +-- +Identifies a threat indicator as a port number (irrespective of direction). + +type: long + +example: 443 + +-- + +*`threat.indicator.provider`*:: ++ +-- +The name of the indicator's provider. + +type: keyword + +example: lrz_urlhaus + +-- + +*`threat.indicator.reference`*:: ++ +-- +Reference URL linking to additional information about this indicator. + +type: keyword + +example: https://system.example.com/indicator/0001234 + +-- + +*`threat.indicator.registry.data.bytes`*:: ++ +-- +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. + +type: keyword + +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + +-- + +*`threat.indicator.registry.data.strings`*:: ++ +-- +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. 
For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + +type: keyword + +example: ["C:\rta\red_ttp\bin\myapp.exe"] + +-- + +*`threat.indicator.registry.data.type`*:: ++ +-- +Standard registry type for encoding contents + +type: keyword + +example: REG_SZ + +-- + +*`threat.indicator.registry.hive`*:: ++ +-- +Abbreviated name for the hive. + +type: keyword + +example: HKLM + +-- + +*`threat.indicator.registry.key`*:: ++ +-- +Hive-relative path of keys. + +type: keyword + +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + +-- + +*`threat.indicator.registry.path`*:: ++ +-- +Full path, including hive, key and value + +type: keyword + +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + +-- + +*`threat.indicator.registry.value`*:: ++ +-- +Name of the value written. + +type: keyword + +example: Debugger + +-- + +*`threat.indicator.scanner_stats`*:: ++ +-- +Count of AV/EDR vendors that successfully detected malicious file or URL. + +type: long + +example: 4 + +-- + +*`threat.indicator.sightings`*:: ++ +-- +Number of times this indicator was observed conducting threat activity. + +type: long + +example: 20 + +-- + +*`threat.indicator.type`*:: ++ +-- +Type of indicator as represented by Cyber Observable in STIX 2.0. +Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + +type: keyword + +example: ipv4-addr + +-- + +*`threat.indicator.url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`threat.indicator.url.extension`*:: ++ +-- +The field contains the file extension from the original request url, excluding the leading dot. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + +type: keyword + +example: png + +-- + +*`threat.indicator.url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + +type: keyword + +-- + +*`threat.indicator.url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`threat.indicator.url.full.text`*:: ++ +-- +type: text + +-- + +*`threat.indicator.url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`threat.indicator.url.original.text`*:: ++ +-- +type: text + +-- + +*`threat.indicator.url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`threat.indicator.url.path`*:: ++ +-- +Path of the request, such as "/search". 
+ +type: keyword + +-- + +*`threat.indicator.url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`threat.indicator.url.query`*:: ++ +-- +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + +type: keyword + +-- + +*`threat.indicator.url.registered_domain`*:: ++ +-- +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: example.com + +-- + +*`threat.indicator.url.scheme`*:: ++ +-- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + +type: keyword + +example: https + +-- + +*`threat.indicator.url.subdomain`*:: ++ +-- +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + +example: east + +-- + +*`threat.indicator.url.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`threat.indicator.url.username`*:: ++ +-- +Username of the request. + +type: keyword + +-- + +*`threat.indicator.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`threat.indicator.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`threat.indicator.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`threat.indicator.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`threat.indicator.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`threat.indicator.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`threat.indicator.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. 
+ +type: keyword + +example: www.example.com + +-- + +*`threat.indicator.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`threat.indicator.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`threat.indicator.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`threat.indicator.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`threat.indicator.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`threat.indicator.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`threat.indicator.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`threat.indicator.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`threat.indicator.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`threat.indicator.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. 
+ +type: keyword + +example: shared.global.example.net + +-- + +*`threat.indicator.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`threat.indicator.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`threat.indicator.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`threat.indicator.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`threat.indicator.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`threat.indicator.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`threat.indicator.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`threat.software.id`*:: ++ +-- +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. + +type: keyword + +example: S0552 + +-- + +*`threat.software.name`*:: ++ +-- +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. + +type: keyword + +example: AdFind + +-- + +*`threat.software.platforms`*:: ++ +-- +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. 
+Recommended Values: + * AWS + * Azure + * Azure AD + * GCP + * Linux + * macOS + * Network + * Office 365 + * SaaS + * Windows + +type: keyword + +example: [ "Windows" ] + +-- + +*`threat.software.reference`*:: ++ +-- +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. + +type: keyword + +example: https://attack.mitre.org/software/S0552/ + +-- + +*`threat.software.type`*:: ++ +-- +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. +Recommended values + * Malware + * Tool + +type: keyword + +example: Tool + +-- + +*`threat.tactic.id`*:: ++ +-- +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + +type: keyword + +example: TA0002 + +-- + +*`threat.tactic.name`*:: ++ +-- +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) + +type: keyword + +example: Execution + +-- + +*`threat.tactic.reference`*:: ++ +-- +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + +type: keyword + +example: https://attack.mitre.org/tactics/TA0002/ + +-- + +*`threat.technique.id`*:: ++ +-- +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + +type: keyword + +example: T1059 + +-- + +*`threat.technique.name`*:: ++ +-- +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/) + +type: keyword + +example: Command and Scripting Interpreter + +-- + +*`threat.technique.name.text`*:: ++ +-- +type: text + +-- + +*`threat.technique.reference`*:: ++ +-- +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + +type: keyword + +example: https://attack.mitre.org/techniques/T1059/ + +-- + +*`threat.technique.subtechnique.id`*:: ++ +-- +The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + +type: keyword + +example: T1059.001 + +-- + +*`threat.technique.subtechnique.name`*:: ++ +-- +The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + +type: keyword + +example: PowerShell + +-- + +*`threat.technique.subtechnique.name.text`*:: ++ +-- +type: text + +-- + +*`threat.technique.subtechnique.reference`*:: ++ +-- +The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + +type: keyword + +example: https://attack.mitre.org/techniques/T1059/001/ + +-- + +[float] +=== tls + +Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. + + +*`tls.cipher`*:: ++ +-- +String indicating the cipher used during the current connection. + +type: keyword + +example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + +-- + +*`tls.client.certificate`*:: ++ +-- +PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. + +type: keyword + +example: MII... 
+ +-- + +*`tls.client.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ["MII...", "MII..."] + +-- + +*`tls.client.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.client.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.client.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.client.issuer`*:: ++ +-- +Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + +type: keyword + +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.client.ja3`*:: ++ +-- +A hash that identifies clients based on how they perform an SSL/TLS handshake. + +type: keyword + +example: d4e5b18d6b55c71272893221c96ba240 + +-- + +*`tls.client.not_after`*:: ++ +-- +Date/Time indicating when client certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.client.not_before`*:: ++ +-- +Date/Time indicating when client certificate is first considered valid. 
+ +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.client.server_name`*:: ++ +-- +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. + +type: keyword + +example: www.elastic.co + +-- + +*`tls.client.subject`*:: ++ +-- +Distinguished name of subject of the x.509 certificate presented by the client. + +type: keyword + +example: CN=myclient, OU=Documentation Team, DC=example, DC=com + +-- + +*`tls.client.supported_ciphers`*:: ++ +-- +Array of ciphers offered by the client during the client hello. + +type: keyword + +example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] + +-- + +*`tls.client.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`tls.client.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`tls.client.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.client.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`tls.client.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.client.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`tls.client.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. 
+ +type: keyword + +example: www.example.com + +-- + +*`tls.client.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.client.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`tls.client.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`tls.client.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.client.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`tls.client.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.client.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.client.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.client.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.client.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. 
+ +type: keyword + +example: shared.global.example.net + +-- + +*`tls.client.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`tls.client.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.client.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`tls.client.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.client.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.client.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.curve`*:: ++ +-- +String indicating the curve used for the given cipher, when applicable. + +type: keyword + +example: secp256r1 + +-- + +*`tls.established`*:: ++ +-- +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean + +-- + +*`tls.next_protocol`*:: ++ +-- +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. + +type: keyword + +example: http/1.1 + +-- + +*`tls.resumed`*:: ++ +-- +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. + +type: boolean + +-- + +*`tls.server.certificate`*:: ++ +-- +PEM-encoded stand-alone certificate offered by the server. 
This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. + +type: keyword + +example: MII... + +-- + +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ["MII...", "MII..."] + +-- + +*`tls.server.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.server.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.server.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.server.issuer`*:: ++ +-- +Subject of the issuer of the x.509 certificate presented by the server. + +type: keyword + +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.ja3s`*:: ++ +-- +A hash that identifies servers based on how they perform an SSL/TLS handshake. + +type: keyword + +example: 394441ab65754e2207b1e1b457b3641d + +-- + +*`tls.server.not_after`*:: ++ +-- +Timestamp indicating when server certificate is no longer considered valid. 
+ +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.server.not_before`*:: ++ +-- +Timestamp indicating when server certificate is first considered valid. + +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.server.subject`*:: ++ +-- +Subject of the x.509 certificate presented by the server. + +type: keyword + +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`tls.server.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.server.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.server.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`tls.server.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`tls.server.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. 
+ +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`tls.server.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.server.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`tls.server.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.server.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.server.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`tls.server.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.server.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. 
+ +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`tls.server.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.server.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`tls.server.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.server.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.version`*:: ++ +-- +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 + +-- + +*`tls.version_protocol`*:: ++ +-- +Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: tls + +-- + +*`span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + +*`trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`transaction.id`*:: ++ +-- +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. 
+ + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url, excluding the leading dot. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". 
+ +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: ++ +-- +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + +type: keyword + +-- + +*`url.registered_domain`*:: ++ +-- +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: example.com + +-- + +*`url.scheme`*:: ++ +-- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + +type: keyword + +example: https + +-- + +*`url.subdomain`*:: ++ +-- +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + +example: east + +-- + +*`url.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`url.username`*:: ++ +-- +Username of the request. + +type: keyword + +-- + +[float] +=== user + +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. + + +*`user.changes.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.changes.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.changes.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.changes.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.changes.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.changes.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.changes.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.changes.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.changes.name.text`*:: ++ +-- +type: text + +-- + +*`user.changes.roles`*:: ++ +-- +Array of user roles at the time of the event. 
+ +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.effective.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.effective.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.effective.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.effective.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.effective.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.effective.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.effective.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.effective.name.text`*:: ++ +-- +type: text + +-- + +*`user.effective.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +*`user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. 
+For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.name.text`*:: ++ +-- +type: text + +-- + +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +*`user.target.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.target.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.target.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.target.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.target.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.target.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.target.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.target.id`*:: ++ +-- +Unique identifier of the user. 
+ +type: keyword + +-- + +*`user.target.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.target.name.text`*:: ++ +-- +type: text + +-- + +*`user.target.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== user_agent + +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. + + +*`user_agent.device.name`*:: ++ +-- +Name of the device. + +type: keyword + +example: iPhone + +-- + +*`user_agent.name`*:: ++ +-- +Name of the user agent. + +type: keyword + +example: Safari + +-- + +*`user_agent.original`*:: ++ +-- +Unparsed user_agent string. + +type: keyword + +example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + +-- + +*`user_agent.original.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`user_agent.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`user_agent.os.full.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`user_agent.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`user_agent.os.name.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`user_agent.os.type`*:: ++ +-- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
+One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + +example: macos + +-- + +*`user_agent.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`user_agent.version`*:: ++ +-- +Version of the user agent. + +type: keyword + +example: 12.0 + +-- + +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +[float] +=== vulnerability + +The vulnerability fields describe information about a vulnerability that is relevant to an event. + + +*`vulnerability.category`*:: ++ +-- +The type of system or architecture that the vulnerability affects. 
These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) +This field must be an array. + +type: keyword + +example: ["Firewall"] + +-- + +*`vulnerability.classification`*:: ++ +-- +The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) + +type: keyword + +example: CVSS + +-- + +*`vulnerability.description`*:: ++ +-- +The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) + +type: keyword + +example: In macOS before 2.12.6, there is a vulnerability in the RPC... + +-- + +*`vulnerability.description.text`*:: ++ +-- +type: text + +-- + +*`vulnerability.enumeration`*:: ++ +-- +The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) + +type: keyword + +example: CVE + +-- + +*`vulnerability.id`*:: ++ +-- +The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + +type: keyword + +example: CVE-2019-00001 + +-- + +*`vulnerability.reference`*:: ++ +-- +A resource that provides additional information, context, and mitigations for the identified vulnerability. + +type: keyword + +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + +-- + +*`vulnerability.report_id`*:: ++ +-- +The report or scan identification number. + +type: keyword + +example: 20191018.0001 + +-- + +*`vulnerability.scanner.vendor`*:: ++ +-- +The name of the vulnerability scanner vendor. 
+ +type: keyword + +example: Tenable + +-- + +*`vulnerability.score.base`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) + +type: float + +example: 5.5 + +-- + +*`vulnerability.score.environmental`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) + +type: float + +example: 5.5 + +-- + +*`vulnerability.score.temporal`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) + +type: float + +-- + +*`vulnerability.score.version`*:: ++ +-- +The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. +CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: 2.0 + +-- + +*`vulnerability.severity`*:: ++ +-- +The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: Critical + +-- + +[float] +=== x509 + +This implements the common core fields for x509 certificates. 
This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. +When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). +Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. 
+ +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. 
+ +type: keyword + +example: Example, Inc. + +-- + +*`x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +[[exported-fields-elasticsearch]] +== Elasticsearch fields + +elasticsearch Module + + + +[float] +=== elasticsearch + + + + +*`elasticsearch.component`*:: ++ +-- +Elasticsearch component from where the log event originated + +type: keyword + +example: o.e.c.m.MetaDataCreateIndexService + +-- + +*`elasticsearch.cluster.uuid`*:: ++ +-- +UUID of the cluster + +type: keyword + +example: GmvrbHlNTiSVYiPf8kxg9g + +-- + +*`elasticsearch.cluster.name`*:: ++ +-- +Name of the cluster + +type: keyword + +example: docker-cluster + +-- + +*`elasticsearch.node.id`*:: ++ +-- +ID of the node + +type: keyword + +example: DSiWcTyeThWtUXLB9J0BMw + +-- + +*`elasticsearch.node.name`*:: ++ +-- +Name of the node + +type: keyword + +example: vWNJsZ3 + +-- + +*`elasticsearch.index.name`*:: ++ +-- +Index name + +type: keyword + +example: filebeat-test-input + +-- + +*`elasticsearch.index.id`*:: ++ +-- +Index id + +type: keyword + +example: aOGgDwbURfCV57AScqbCgw + +-- + +*`elasticsearch.shard.id`*:: ++ +-- +Id of the shard + +type: keyword + +example: 0 + +-- + + +*`elasticsearch.audit.layer`*:: ++ +-- +The layer from which this event originated: rest, transport or ip_filter + +type: keyword + +example: rest + +-- + +*`elasticsearch.audit.event_type`*:: ++ +-- +The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied + +type: keyword + +example: access_granted + +-- + +*`elasticsearch.audit.origin.type`*:: ++ +-- +Where the request originated: rest 
(request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) + +type: keyword + +example: local_node + +-- + +*`elasticsearch.audit.realm`*:: ++ +-- +The authentication realm the authentication was validated against + +type: keyword + +-- + +*`elasticsearch.audit.user.realm`*:: ++ +-- +The user's authentication realm, if authenticated + +type: keyword + +-- + +*`elasticsearch.audit.user.roles`*:: ++ +-- +Roles to which the principal belongs + +type: keyword + +example: ['kibana_admin', 'beats_admin'] + +-- + +*`elasticsearch.audit.user.run_as.name`*:: ++ +-- +type: keyword + +-- + +*`elasticsearch.audit.user.run_as.realm`*:: ++ +-- +type: keyword + +-- + +*`elasticsearch.audit.component`*:: ++ +-- +type: keyword + +-- + +*`elasticsearch.audit.action`*:: ++ +-- +The name of the action that was executed + +type: keyword + +example: cluster:monitor/main + +-- + +*`elasticsearch.audit.url.params`*:: ++ +-- +REST URI parameters + +example: {username=jacknich2} + +-- + +*`elasticsearch.audit.indices`*:: ++ +-- +Indices accessed by action + +type: keyword + +example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] + +-- + +*`elasticsearch.audit.request.id`*:: ++ +-- +Unique ID of request + +type: keyword + +example: WzL_kb6VSvOhAq0twPvHOQ + +-- + +*`elasticsearch.audit.request.name`*:: ++ +-- +The type of request that was executed + +type: keyword + +example: ClearScrollRequest + +-- + +*`elasticsearch.audit.request_body`*:: ++ +-- +type: alias + +alias to: http.request.body.content + +-- + +*`elasticsearch.audit.origin_address`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + +*`elasticsearch.audit.uri`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`elasticsearch.audit.principal`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`elasticsearch.audit.message`*:: ++ +-- +type: text + +-- + 
+*`elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user`*:: ++ +-- +type: boolean + +-- + +[float] +=== deprecation + + + +[float] +=== gc + +GC fileset fields. + + + +[float] +=== phase + +Fields specific to GC phase. + + + +*`elasticsearch.gc.phase.name`*:: ++ +-- +Name of the GC collection phase. + + +type: keyword + +-- + +*`elasticsearch.gc.phase.duration_sec`*:: ++ +-- +Collection phase duration according to the Java virtual machine. + + +type: float + +-- + +*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: ++ +-- +Pause time in seconds cleaning up symbol tables. + + +type: float + +-- + +*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: ++ +-- +Pause time in seconds cleaning up string tables. + + +type: float + +-- + +*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: ++ +-- +Time spent processing weak references in seconds. + + +type: float + +-- + +*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: ++ +-- +Time spent in seconds marking live objects while application is stopped. + + +type: float + +-- + +*`elasticsearch.gc.phase.class_unload_time_sec`*:: ++ +-- +Time spent unloading unused classes in seconds. + + +type: float + +-- + +[float] +=== cpu_time + +Process CPU time spent performing collections. + + + +*`elasticsearch.gc.phase.cpu_time.user_sec`*:: ++ +-- +CPU time spent outside the kernel. + + +type: float + +-- + +*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: ++ +-- +CPU time spent inside the kernel. + + +type: float + +-- + +*`elasticsearch.gc.phase.cpu_time.real_sec`*:: ++ +-- +Total elapsed CPU time spent to complete the collection from start to finish. + + +type: float + +-- + +*`elasticsearch.gc.jvm_runtime_sec`*:: ++ +-- +The time from JVM start up in seconds, as a floating point number. + + +type: float + +-- + +*`elasticsearch.gc.threads_total_stop_time_sec`*:: ++ +-- +Garbage collection threads total stop time seconds. 
+ + +type: float + +-- + +*`elasticsearch.gc.stopping_threads_time_sec`*:: ++ +-- +Time took to stop threads seconds. + + +type: float + +-- + +*`elasticsearch.gc.tags`*:: ++ +-- +GC logging tags. + + +type: keyword + +-- + +[float] +=== heap + +Heap allocation and total size. + + + +*`elasticsearch.gc.heap.size_kb`*:: ++ +-- +Total heap size in kilobytes. + + +type: integer + +-- + +*`elasticsearch.gc.heap.used_kb`*:: ++ +-- +Used heap in kilobytes. + + +type: integer + +-- + +[float] +=== old_gen + +Old generation occupancy and total size. + + + +*`elasticsearch.gc.old_gen.size_kb`*:: ++ +-- +Total size of old generation in kilobytes. + + +type: integer + +-- + +*`elasticsearch.gc.old_gen.used_kb`*:: ++ +-- +Old generation occupancy in kilobytes. + + +type: integer + +-- + +[float] +=== young_gen + +Young generation occupancy and total size. + + + +*`elasticsearch.gc.young_gen.size_kb`*:: ++ +-- +Total size of young generation in kilobytes. + + +type: integer + +-- + +*`elasticsearch.gc.young_gen.used_kb`*:: ++ +-- +Young generation occupancy in kilobytes. + + +type: integer + +-- + +[float] +=== server + +Server log file + + +*`elasticsearch.server.stacktrace`*:: ++ +-- +Field is not indexed. 
+ +-- + +[float] +=== gc + +GC log + + +[float] +=== young + +Young GC + + +*`elasticsearch.server.gc.young.one`*:: ++ +-- + + +type: long + +example: + +-- + +*`elasticsearch.server.gc.young.two`*:: ++ +-- + + +type: long + +example: + +-- + +*`elasticsearch.server.gc.overhead_seq`*:: ++ +-- +Sequence number + +type: long + +example: 3449992 + +-- + +*`elasticsearch.server.gc.collection_duration.ms`*:: ++ +-- +Time spent in GC, in milliseconds + +type: float + +example: 1600 + +-- + +*`elasticsearch.server.gc.observation_duration.ms`*:: ++ +-- +Total time over which collection was observed, in milliseconds + +type: float + +example: 1800 + +-- + +[float] +=== slowlog + +Slowlog events from Elasticsearch + + +*`elasticsearch.slowlog.logger`*:: ++ +-- +Logger name + +type: keyword + +example: index.search.slowlog.fetch + +-- + +*`elasticsearch.slowlog.took`*:: ++ +-- +Time it took to execute the query + +type: keyword + +example: 300ms + +-- + +*`elasticsearch.slowlog.types`*:: ++ +-- +Types + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.stats`*:: ++ +-- +Stats groups + +type: keyword + +example: group1 + +-- + +*`elasticsearch.slowlog.search_type`*:: ++ +-- +Search type + +type: keyword + +example: QUERY_THEN_FETCH + +-- + +*`elasticsearch.slowlog.source_query`*:: ++ +-- +Slow query + +type: keyword + +example: {"query":{"match_all":{"boost":1.0}}} + +-- + +*`elasticsearch.slowlog.extra_source`*:: ++ +-- +Extra source information + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.total_hits`*:: ++ +-- +Total hits + +type: keyword + +example: 42 + +-- + +*`elasticsearch.slowlog.total_shards`*:: ++ +-- +Total queried shards + +type: keyword + +example: 22 + +-- + +*`elasticsearch.slowlog.routing`*:: ++ +-- +Routing + +type: keyword + +example: s01HZ2QBk9jw4gtgaFtn + +-- + +*`elasticsearch.slowlog.id`*:: ++ +-- +Id + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.type`*:: ++ +-- +Type + +type: keyword + +example: doc + +-- + 
+*`elasticsearch.slowlog.source`*:: ++ +-- +Source of document that was indexed + +type: keyword + +-- + +[[exported-fields-envoyproxy]] +== Envoyproxy fields + +Module for handling logs produced by envoy + + + +[float] +=== envoyproxy + +Fields from envoy proxy logs after normalization + + + +*`envoyproxy.log_type`*:: ++ +-- +Envoy log type, normally ACCESS + + +type: keyword + +-- + +*`envoyproxy.response_flags`*:: ++ +-- +Response flags + + +type: keyword + +-- + +*`envoyproxy.upstream_service_time`*:: ++ +-- +Upstream service time in nanoseconds + + +type: long + +format: duration + +-- + +*`envoyproxy.request_id`*:: ++ +-- +ID of the request + + +type: keyword + +-- + +*`envoyproxy.authority`*:: ++ +-- +Envoy proxy authority field + + +type: keyword + +-- + +*`envoyproxy.proxy_type`*:: ++ +-- +Envoy proxy type, tcp or http + + +type: keyword + +-- + +[[exported-fields-f5]] +== Big-IP Access Policy Manager fields + +f5 fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: + -- -VLAN ID as reported by the observer. - type: keyword -example: 10 - -- -*`vlan.name`*:: +*`rsa.internal.event_desc`*:: + -- -Optional VLAN name as reported by the observer. - type: keyword -example: outside - -- -[float] -=== vulnerability - -The vulnerability fields describe information about a vulnerability that is relevant to an event. - - -*`vulnerability.category`*:: +*`rsa.internal.message`*:: + -- -The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). 
For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) -This field must be an array. +This key captures the contents of instant messages type: keyword -example: ["Firewall"] - -- -*`vulnerability.classification`*:: +*`rsa.internal.time`*:: + -- -The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) - -type: keyword +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -example: CVSS +type: date -- -*`vulnerability.description`*:: +*`rsa.internal.level`*:: + -- -The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) - -type: keyword +Deprecated key defined only in table map. -example: In macOS before 2.12.6, there is a vulnerability in the RPC... +type: long -- -*`vulnerability.description.text`*:: +*`rsa.internal.msg_id`*:: + -- -type: text +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`vulnerability.enumeration`*:: +*`rsa.internal.msg_vid`*:: + -- -The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: CVE - -- -*`vulnerability.id`*:: +*`rsa.internal.data`*:: + -- -The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] +Deprecated key defined only in table map. type: keyword -example: CVE-2019-00001 - -- -*`vulnerability.reference`*:: +*`rsa.internal.obj_server`*:: + -- -A resource that provides additional information, context, and mitigations for the identified vulnerability. +Deprecated key defined only in table map. type: keyword -example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 - -- -*`vulnerability.report_id`*:: +*`rsa.internal.obj_val`*:: + -- -The report or scan identification number. +Deprecated key defined only in table map. type: keyword -example: 20191018.0001 - -- -*`vulnerability.scanner.vendor`*:: +*`rsa.internal.resource`*:: + -- -The name of the vulnerability scanner vendor. +Deprecated key defined only in table map. type: keyword -example: Tenable - -- -*`vulnerability.score.base`*:: +*`rsa.internal.obj_id`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) - -type: float +Deprecated key defined only in table map. -example: 5.5 +type: keyword -- -*`vulnerability.score.environmental`*:: +*`rsa.internal.statement`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
-Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) - -type: float +Deprecated key defined only in table map. -example: 5.5 +type: keyword -- -*`vulnerability.score.temporal`*:: +*`rsa.internal.audit_class`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) +Deprecated key defined only in table map. -type: float +type: keyword -- -*`vulnerability.score.version`*:: +*`rsa.internal.entry`*:: + -- -The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. -CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) +Deprecated key defined only in table map. type: keyword -example: 2.0 - -- -*`vulnerability.severity`*:: +*`rsa.internal.hcode`*:: + -- -The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) +Deprecated key defined only in table map. type: keyword -example: Critical - -- -[float] -=== x509 +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. -This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. -When the certificate relates to a file, use the fields at `file.x509`. 
When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). -Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. +type: long +-- -*`x509.alternative_names`*:: +*`rsa.internal.resource_class`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. +Deprecated key defined only in table map. type: keyword -example: *.elastic.co - -- -*`x509.issuer.common_name`*:: +*`rsa.internal.dead`*:: + -- -List of common name (CN) of issuing certificate authority. - -type: keyword +Deprecated key defined only in table map. -example: Example SHA2 High Assurance Server CA +type: long -- -*`x509.issuer.country`*:: +*`rsa.internal.feed_desc`*:: + -- -List of country (C) codes +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: US - -- -*`x509.issuer.distinguished_name`*:: +*`rsa.internal.feed_name`*:: + -- -Distinguished name (DN) of issuing certificate authority. +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - -- -*`x509.issuer.locality`*:: +*`rsa.internal.cid`*:: + -- -List of locality names (L) +This is the unique identifier used to identify a NetWitness Concentrator. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: Mountain View - -- -*`x509.issuer.organization`*:: +*`rsa.internal.device_class`*:: + -- -List of organizations (O) of issuing certificate authority. +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: Example Inc - -- -*`x509.issuer.organizational_unit`*:: +*`rsa.internal.device_group`*:: + -- -List of organizational units (OU) of issuing certificate authority. +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: www.example.com - -- -*`x509.issuer.state_or_province`*:: +*`rsa.internal.device_host`*:: + -- -List of state or province names (ST, S, or P) +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: California - -- -*`x509.not_after`*:: +*`rsa.internal.device_ip`*:: + -- -Time at which the certificate is no longer considered valid. - -type: date +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: 2020-07-16 03:15:39+00:00 +type: ip -- -*`x509.not_before`*:: +*`rsa.internal.device_ipv6`*:: + -- -Time at which the certificate is first considered valid. - -type: date +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: 2019-08-16 01:40:25+00:00 +type: ip -- -*`x509.public_key_algorithm`*:: +*`rsa.internal.device_type`*:: + -- -Algorithm used to generate the public key. +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: RSA - -- -*`x509.public_key_curve`*:: +*`rsa.internal.device_type_id`*:: + -- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - -type: keyword +Deprecated key defined only in table map. -example: nistp521 +type: long -- -*`x509.public_key_exponent`*:: +*`rsa.internal.did`*:: + -- -Exponent used to derive the public key. This is algorithm specific. - -type: long - -example: 65537 +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -Field is not indexed. +type: keyword -- -*`x509.public_key_size`*:: +*`rsa.internal.entropy_req`*:: + -- -The size of the public key space in bits. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration type: long -example: 2048 - -- -*`x509.serial_number`*:: +*`rsa.internal.entropy_res`*:: + -- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -example: 55FBB9C7DEBF09809D12CCAA +type: long -- -*`x509.signature_algorithm`*:: +*`rsa.internal.event_name`*:: + -- -Identifier for certificate signature algorithm. 
We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. +Deprecated key defined only in table map. type: keyword -example: SHA256-RSA - -- -*`x509.subject.common_name`*:: +*`rsa.internal.feed_category`*:: + -- -List of common names (CN) of subject. +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: shared.global.example.net - -- -*`x509.subject.country`*:: +*`rsa.internal.forward_ip`*:: + -- -List of country (C) code - -type: keyword +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -example: US +type: ip -- -*`x509.subject.distinguished_name`*:: +*`rsa.internal.forward_ipv6`*:: + -- -Distinguished name (DN) of the certificate subject entity. - -type: keyword +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net +type: ip -- -*`x509.subject.locality`*:: +*`rsa.internal.header_id`*:: + -- -List of locality names (L) +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: San Francisco - -- -*`x509.subject.organization`*:: +*`rsa.internal.lc_cid`*:: + -- -List of organizations (O) of subject. +This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: Example, Inc. - -- -*`x509.subject.organizational_unit`*:: +*`rsa.internal.lc_ctime`*:: + -- -List of organizational units (OU) of subject. +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`x509.subject.state_or_province`*:: +*`rsa.internal.mcb_req`*:: + -- -List of state or province names (ST, S, or P) - -type: keyword +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -example: California +type: long -- -*`x509.version_number`*:: +*`rsa.internal.mcb_res`*:: + -- -Version of x509 format. - -type: keyword +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -example: 3 +type: long -- -[[exported-fields-elasticsearch]] -== Elasticsearch fields - -elasticsearch Module - - - -[float] -=== elasticsearch - +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +type: long +-- -*`elasticsearch.component`*:: +*`rsa.internal.mcbc_res`*:: + -- -Elasticsearch component from where the log event originated - -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -example: o.e.c.m.MetaDataCreateIndexService +type: long -- -*`elasticsearch.cluster.uuid`*:: +*`rsa.internal.medium`*:: + -- -UUID of the cluster - -type: keyword +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -example: GmvrbHlNTiSVYiPf8kxg9g +type: long -- -*`elasticsearch.cluster.name`*:: +*`rsa.internal.node_name`*:: + -- -Name of the cluster +Deprecated key defined only in table map. type: keyword -example: docker-cluster - -- -*`elasticsearch.node.id`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -ID of the node +This key denotes that event is endpoint related type: keyword -example: DSiWcTyeThWtUXLB9J0BMw - -- -*`elasticsearch.node.name`*:: +*`rsa.internal.parse_error`*:: + -- -Name of the node +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: vWNJsZ3 - -- -*`elasticsearch.index.name`*:: +*`rsa.internal.payload_req`*:: + -- -Index name - -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -example: filebeat-test-input +type: long -- -*`elasticsearch.index.id`*:: +*`rsa.internal.payload_res`*:: + -- -Index id - -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -example: aOGgDwbURfCV57AScqbCgw +type: long -- -*`elasticsearch.shard.id`*:: +*`rsa.internal.process_vid_dst`*:: + -- -Id of the shard +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. 
type: keyword -example: 0 - -- - -*`elasticsearch.audit.layer`*:: +*`rsa.internal.process_vid_src`*:: + -- -The layer from which this event originated: rest, transport or ip_filter +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -example: rest - -- -*`elasticsearch.audit.event_type`*:: +*`rsa.internal.rid`*:: + -- -The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied - -type: keyword +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: access_granted +type: long -- -*`elasticsearch.audit.origin.type`*:: +*`rsa.internal.session_split`*:: + -- -Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: local_node - -- -*`elasticsearch.audit.realm`*:: +*`rsa.internal.site`*:: + -- -The authentication realm the authentication was validated against +Deprecated key defined only in table map. type: keyword -- -*`elasticsearch.audit.user.realm`*:: +*`rsa.internal.size`*:: + -- -The user's authentication realm, if authenticated +This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`elasticsearch.audit.user.roles`*:: +*`rsa.internal.sourcefile`*:: + -- -Roles to which the principal belongs +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: ['kibana_admin', 'beats_admin'] - -- -*`elasticsearch.audit.user.run_as.name`*:: +*`rsa.internal.ubc_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`elasticsearch.audit.user.run_as.realm`*:: +*`rsa.internal.ubc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`elasticsearch.audit.component`*:: +*`rsa.internal.word`*:: + -- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + type: keyword -- -*`elasticsearch.audit.action`*:: + +*`rsa.time.event_time`*:: + -- -The name of the action that was executed - -type: keyword +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -example: cluster:monitor/main +type: date -- -*`elasticsearch.audit.url.params`*:: +*`rsa.time.duration_time`*:: + -- -REST URI parameters +This key is used to capture the normalized duration/lifetime in seconds. 
-example: {username=jacknich2} +type: double -- -*`elasticsearch.audit.indices`*:: +*`rsa.time.event_time_str`*:: + -- -Indices accessed by action +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] - -- -*`elasticsearch.audit.request.id`*:: +*`rsa.time.starttime`*:: + -- -Unique ID of request - -type: keyword +This key is used to capture the Start time mentioned in a session in a standard form -example: WzL_kb6VSvOhAq0twPvHOQ +type: date -- -*`elasticsearch.audit.request.name`*:: +*`rsa.time.month`*:: + -- -The type of request that was executed - type: keyword -example: ClearScrollRequest - -- -*`elasticsearch.audit.request_body`*:: +*`rsa.time.day`*:: + -- -type: alias - -alias to: http.request.body.content +type: keyword -- -*`elasticsearch.audit.origin_address`*:: +*`rsa.time.endtime`*:: + -- -type: alias +This key is used to capture the End time mentioned in a session in a standard form -alias to: source.ip +type: date -- -*`elasticsearch.audit.uri`*:: +*`rsa.time.timezone`*:: + -- -type: alias +This key is used to capture the timezone of the Event Time -alias to: url.original +type: keyword -- -*`elasticsearch.audit.principal`*:: +*`rsa.time.duration_str`*:: + -- -type: alias +A text string version of the duration -alias to: user.name +type: keyword -- -*`elasticsearch.audit.message`*:: +*`rsa.time.date`*:: + -- -type: text +type: keyword -- -*`elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user`*:: +*`rsa.time.year`*:: + -- -type: boolean +type: keyword -- -[float] -=== deprecation - - - -[float] -=== gc - -GC fileset fields. - - +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
-[float] -=== phase +type: date -Fields specific to GC phase. +-- +*`rsa.time.datetime`*:: ++ +-- +type: keyword +-- -*`elasticsearch.gc.phase.name`*:: +*`rsa.time.effective_time`*:: + -- -Name of the GC collection phase. - +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: keyword +type: date -- -*`elasticsearch.gc.phase.duration_sec`*:: +*`rsa.time.expire_time`*:: + -- -Collection phase duration according to the Java virtual machine. - +This key is the timestamp that explicitly refers to an expiration. -type: float +type: date -- -*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: +*`rsa.time.process_time`*:: + -- -Pause time in seconds cleaning up symbol tables. - +Deprecated, use duration.time -type: float +type: keyword -- -*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: +*`rsa.time.hour`*:: + -- -Pause time in seconds cleaning up string tables. - - -type: float +type: keyword -- -*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: +*`rsa.time.min`*:: + -- -Time spent processing weak references in seconds. +type: keyword +-- -type: float +*`rsa.time.timestamp`*:: ++ +-- +type: keyword -- -*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: +*`rsa.time.event_queue_time`*:: + -- -Time spent in seconds marking live objects while application is stopped. - +This key is the Time that the event was queued. -type: float +type: date -- -*`elasticsearch.gc.phase.class_unload_time_sec`*:: +*`rsa.time.p_time1`*:: + -- -Time spent unloading unused classes in seconds. +type: keyword +-- -type: float +*`rsa.time.tzone`*:: ++ +-- +type: keyword -- -[float] -=== cpu_time +*`rsa.time.eventtime`*:: ++ +-- +type: keyword -Process CPU time spent performing collections. +-- +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword +-- -*`elasticsearch.gc.phase.cpu_time.user_sec`*:: +*`rsa.time.gmttime`*:: + -- -CPU time spent outside the kernel. 
+type: keyword +-- -type: float +*`rsa.time.p_date`*:: ++ +-- +type: keyword -- -*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: +*`rsa.time.p_month`*:: + -- -CPU time spent inside the kernel. +type: keyword +-- -type: float +*`rsa.time.p_time`*:: ++ +-- +type: keyword -- -*`elasticsearch.gc.phase.cpu_time.real_sec`*:: +*`rsa.time.p_time2`*:: + -- -Total elapsed CPU time spent to complete the collection from start to finish. +type: keyword +-- -type: float +*`rsa.time.p_year`*:: ++ +-- +type: keyword -- -*`elasticsearch.gc.jvm_runtime_sec`*:: +*`rsa.time.expire_time_str`*:: + -- -The time from JVM start up in seconds, as a floating point number. - +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -type: float +type: keyword -- -*`elasticsearch.gc.threads_total_stop_time_sec`*:: +*`rsa.time.stamp`*:: + -- -Garbage collection threads total stop time seconds. - +Deprecated key defined only in table map. -type: float +type: date -- -*`elasticsearch.gc.stopping_threads_time_sec`*:: + +*`rsa.misc.action`*:: + -- -Time took to stop threads seconds. - - -type: float +type: keyword -- -*`elasticsearch.gc.tags`*:: +*`rsa.misc.result`*:: + -- -GC logging tags. - +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -[float] -=== heap - -Heap allocation and total size. +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session +type: keyword +-- -*`elasticsearch.gc.heap.size_kb`*:: +*`rsa.misc.event_type`*:: + -- -Total heap size in kilobytes. - +This key captures the event category type as specified by the event source. -type: integer +type: keyword -- -*`elasticsearch.gc.heap.used_kb`*:: +*`rsa.misc.reference_id`*:: + -- -Used heap in kilobytes. - +This key is used to capture an event id from the session directly -type: integer +type: keyword -- -[float] -=== old_gen - -Old generation occupancy and total size. 
+*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. +type: keyword +-- -*`elasticsearch.gc.old_gen.size_kb`*:: +*`rsa.misc.disposition`*:: + -- -Total size of old generation in kilobytes. - +This key captures the The end state of an action. -type: integer +type: keyword -- -*`elasticsearch.gc.old_gen.used_kb`*:: +*`rsa.misc.result_code`*:: + -- -Old generation occupancy in kilobytes. - +This key is used to capture the outcome/result numeric value of an action in a session -type: integer +type: keyword -- -[float] -=== young_gen - -Young generation occupancy and total size. +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session +type: keyword +-- -*`elasticsearch.gc.young_gen.size_kb`*:: +*`rsa.misc.obj_name`*:: + -- -Total size of young generation in kilobytes. - +This is used to capture name of object -type: integer +type: keyword -- -*`elasticsearch.gc.young_gen.used_kb`*:: +*`rsa.misc.obj_type`*:: + -- -Young generation occupancy in kilobytes. - +This is used to capture type of object -type: integer +type: keyword -- -[float] -=== server +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname -Server log file +type: keyword +-- -*`elasticsearch.server.stacktrace`*:: +*`rsa.misc.log_session_id`*:: + -- -Field is not indexed. +This key is used to capture a sessionid from the session directly + +type: keyword -- -[float] -=== gc +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value -GC log +type: keyword +-- -[float] -=== young +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. 
-Young GC +type: keyword +-- -*`elasticsearch.server.gc.young.one`*:: +*`rsa.misc.rule_name`*:: + -- +This key captures the Rule Name - -type: long - -example: +type: keyword -- -*`elasticsearch.server.gc.young.two`*:: +*`rsa.misc.context`*:: + -- +This key captures Information which adds additional context to the event. - -type: long - -example: +type: keyword -- -*`elasticsearch.server.gc.overhead_seq`*:: +*`rsa.misc.change_new`*:: + -- -Sequence number - -type: long +This key is used to capture the new values of the attribute that’s changing in a session -example: 3449992 +type: keyword -- -*`elasticsearch.server.gc.collection_duration.ms`*:: +*`rsa.misc.space`*:: + -- -Time spent in GC, in milliseconds - -type: float - -example: 1600 +type: keyword -- -*`elasticsearch.server.gc.observation_duration.ms`*:: +*`rsa.misc.client`*:: + -- -Total time over which collection was observed, in milliseconds - -type: float +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. -example: 1800 +type: keyword -- -[float] -=== slowlog - -Slowlog events from Elasticsearch +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword +-- -*`elasticsearch.slowlog.logger`*:: +*`rsa.misc.msgIdPart2`*:: + -- -Logger name - type: keyword -example: index.search.slowlog.fetch - -- -*`elasticsearch.slowlog.took`*:: +*`rsa.misc.change_old`*:: + -- -Time it took to execute the query +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -example: 300ms - -- -*`elasticsearch.slowlog.types`*:: +*`rsa.misc.operation_id`*:: + -- -Types +An alert number or operation number. The values should be unique and non-repeating. 
type: keyword -example: - -- -*`elasticsearch.slowlog.stats`*:: +*`rsa.misc.event_state`*:: + -- -Stats groups +This key captures the current state of the object/item referenced within the event. Describing an on-going event. type: keyword -example: group1 - -- -*`elasticsearch.slowlog.search_type`*:: +*`rsa.misc.group_object`*:: + -- -Search type +This key captures a collection/grouping of entities. Specific usage type: keyword -example: QUERY_THEN_FETCH - -- -*`elasticsearch.slowlog.source_query`*:: +*`rsa.misc.node`*:: + -- -Slow query +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -example: {"query":{"match_all":{"boost":1.0}}} - -- -*`elasticsearch.slowlog.extra_source`*:: +*`rsa.misc.rule`*:: + -- -Extra source information +This key captures the Rule number type: keyword -example: - -- -*`elasticsearch.slowlog.total_hits`*:: +*`rsa.misc.device_name`*:: + -- -Total hits +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -example: 42 - -- -*`elasticsearch.slowlog.total_shards`*:: +*`rsa.misc.param`*:: + -- -Total queried shards +This key is the parameters passed as part of a command or application, etc. type: keyword -example: 22 - -- -*`elasticsearch.slowlog.routing`*:: +*`rsa.misc.change_attrib`*:: + -- -Routing +This key is used to capture the name of the attribute that’s changing in a session type: keyword -example: s01HZ2QBk9jw4gtgaFtn - -- -*`elasticsearch.slowlog.id`*:: +*`rsa.misc.event_computer`*:: + -- -Id +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
type: keyword -example: - -- -*`elasticsearch.slowlog.type`*:: +*`rsa.misc.reference_id1`*:: + -- -Type +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -example: doc - -- -*`elasticsearch.slowlog.source`*:: +*`rsa.misc.event_log`*:: + -- -Source of document that was indexed +This key captures the Name of the event log type: keyword -- -[[exported-fields-envoyproxy]] -== Envoyproxy fields - -Module for handling logs produced by envoy - +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System +type: keyword -[float] -=== envoyproxy +-- -Fields from envoy proxy logs after normalization +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only +type: keyword +-- -*`envoyproxy.log_type`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Envoy log type, normally ACCESS - - type: keyword -- -*`envoyproxy.response_flags`*:: +*`rsa.misc.filter`*:: + -- -Response flags - +This key captures Filter used to reduce result set type: keyword -- -*`envoyproxy.upstream_service_time`*:: +*`rsa.misc.serial_number`*:: + -- -Upstream service time in nanoseconds - - -type: long +This key is the Serial number associated with a physical asset. -format: duration +type: keyword -- -*`envoyproxy.request_id`*:: +*`rsa.misc.checksum`*:: + -- -ID of the request - +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- -*`envoyproxy.authority`*:: +*`rsa.misc.event_user`*:: + -- -Envoy proxy authority field - +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. 
type: keyword -- -*`envoyproxy.proxy_type`*:: +*`rsa.misc.virusname`*:: + -- -Envoy proxy type, tcp or http - +This key captures the name of the virus type: keyword -- -[[exported-fields-f5]] -== Big-IP Access Policy Manager fields - -f5 fields. +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. +type: keyword +-- -*`network.interface.name`*:: +*`rsa.misc.group_id`*:: + -- -Name of the network interface where the traffic has been observed. - +This key captures Group ID Number (related to the group name) type: keyword -- - - -*`rsa.internal.msg`*:: +*`rsa.misc.policy_id`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`rsa.internal.messageid`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`rsa.internal.message`*:: +*`rsa.misc.reference_id2`*:: + -- -This key captures the contents of instant messages +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. type: keyword -- -*`rsa.internal.time`*:: +*`rsa.misc.sensor`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +This key captures Name of the sensor. Typically used in IDS/IPS based devices -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.misc.sig_id`*:: + -- -Deprecated key defined only in table map. 
+This key captures IDS/IPS Int Signature ID type: long -- -*`rsa.internal.msg_id`*:: +*`rsa.misc.port_name`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.misc.rule_group`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Rule group name type: keyword -- -*`rsa.internal.data`*:: +*`rsa.misc.risk_num`*:: + -- -Deprecated key defined only in table map. +This key captures a Numeric Risk value -type: keyword +type: double -- -*`rsa.internal.obj_server`*:: +*`rsa.misc.trigger_val`*:: + -- -Deprecated key defined only in table map. +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.misc.log_session_id1`*:: + -- -Deprecated key defined only in table map. +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.misc.comp_version`*:: + -- -Deprecated key defined only in table map. +This key captures the Version level of a sub-component of a product. type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.misc.content_version`*:: + -- -Deprecated key defined only in table map. +This key captures Version level of a signature or database content. type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.misc.hardware_id`*:: + -- -Deprecated key defined only in table map. 
+This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`rsa.internal.audit_class`*:: +*`rsa.misc.risk`*:: + -- -Deprecated key defined only in table map. +This key captures the non-numeric risk value type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.misc.event_id`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.hcode`*:: +*`rsa.misc.reason`*:: + -- -Deprecated key defined only in table map. +type: keyword + +-- +*`rsa.misc.status`*:: ++ +-- type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.misc.mail_id`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the mailbox id/name -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.rule_uid`*:: + -- -Deprecated key defined only in table map. +This key is the Unique Identifier for a rule. type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.trigger_desc`*:: + -- -Deprecated key defined only in table map. +This key captures the Description of the trigger or threshold condition. -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.inout`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.p_msgid`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.misc.data_type`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.misc.msgIdPart4`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.error`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures All non successful Error codes or responses type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.misc.index`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.listnum`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture listname or listnumber, primarily for collecting access-list -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.ntype`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.misc.observed_val`*:: + -- -This is the name of the log parser which parsed a given session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.policy_value`*:: + -- -Deprecated key defined only in table map. +This key captures the contents of the policy. This contains details about the policy -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.misc.pool_name`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the name of a resource pool type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.rule_template`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.count`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.misc.number`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.sigcat`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.misc.type`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. 
- -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.comments`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Comment information provided in the log message -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.doc_number`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures File Identification number -type: keyword +type: long -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.expected_val`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.job_num`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Job Number -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.spi_dst`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +Destination SPI Index -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.spi_src`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +Source SPI Index -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.code`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.agent_id`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +This key is used to capture agent id -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.message_body`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +This key captures the The contents of the message body. -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.misc.phone`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.sig_id_str`*:: + -- -This key denotes that event is endpoint related +This key captures a string object of the sigid variable. 
type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.cmd`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.misc`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.name`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.cpu`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +This key is the CPU time used in the execution of the event being recorded. -type: keyword +type: long -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.event_desc`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.misc.sig_id1`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id type: long -- -*`rsa.internal.session_split`*:: +*`rsa.misc.im_buddyid`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.site`*:: +*`rsa.misc.im_client`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.size`*:: +*`rsa.misc.im_userid`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`rsa.misc.pid`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.priority`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.context_subject`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once +This key is to be used in an audit context where the subject is the object being identified -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.misc.context_target`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.misc.cve`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.misc.fcatnum`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. +This key captures Filter Category Number. Legacy Usage -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.library`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +This key is used to capture library information in mainframe devices type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.parent_node`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form +This key captures the Parent Node Name. Must be related to node variable. 
-type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.risk_info`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: keyword +This key is captures the TCP flags set in any packet of session + +type: long -- -*`rsa.time.endtime`*:: +*`rsa.misc.tos`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +This key describes the type of service -type: date +type: long -- -*`rsa.time.timezone`*:: +*`rsa.misc.vm_target`*:: + -- -This key is used to capture the timezone of the Event Time +VMWare Target **VMWARE** only varaible. type: keyword -- -*`rsa.time.duration_str`*:: +*`rsa.misc.workspace`*:: + -- -A text string version of the duration +This key captures Workspace Description type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`rsa.time.year`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.facilityname`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.jobname`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.mode`*:: + -- -This key is the timestamp that explicitly refers to an expiration. 
- -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.policy`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.subcategory`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.alert_id`*:: + -- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.checksum_dst`*:: + -- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.checksum_src`*:: + -- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.misc.fresult`*:: + -- -type: keyword +This key captures the Filter Result + +type: long -- -*`rsa.time.p_date`*:: +*`rsa.misc.payload_dst`*:: + -- +This key is used to capture destination payload + type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.misc.payload_src`*:: + -- +This key is used to capture source payload + type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.misc.pool_id`*:: + -- +This key captures the identifier (typically numeric field) of a resource pool + type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.process_id_val`*:: + -- +This key is a failure key for Process ID when it is not an integer value + type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.risk_num_comm`*:: + -- -type: keyword +This key captures Risk Number Community + +type: double -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.risk_num_next`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. +This key captures Risk Number NextGen -type: keyword +type: double -- -*`rsa.time.stamp`*:: +*`rsa.misc.risk_num_sand`*:: + -- -Deprecated key defined only in table map. +This key captures Risk Number SandBox -type: date +type: double -- - -*`rsa.misc.action`*:: +*`rsa.misc.risk_num_static`*:: + -- -type: keyword +This key captures Risk Number Static + +type: double -- -*`rsa.misc.result`*:: +*`rsa.misc.risk_suspicious`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.misc.risk_warning`*:: + -- -This key is used to capture the severity given the session +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.snmp_oid`*:: + -- -This key captures the event category type as specified by the event source. 
+SNMP Object Identifier type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.sql`*:: + -- -This key is used to capture an event id from the session directly +This key captures the SQL query type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.vuln_ref`*:: + -- -This key captures Version of the application or OS which is generating the event. +This key captures the Vulnerability Reference details type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.acl_id`*:: + -- -This key captures the The end state of an action. - type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.acl_op`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`rsa.misc.acl_pos`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.acl_table`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.admin`*:: + -- -This is used to capture type of object - type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.alarm_id`*:: + -- -This key captures Source of the event that’s not a hostname - type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.alarmname`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.app_id`*:: + -- -This key captures the Group Name value - type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.audit`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.audit_object`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.auditdata`*:: + -- -This key captures Information which adds additional context to the event. 
- type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.benchmark`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.cache`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.cfg_attr`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.cfg_obj`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.cfg_path`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.changes`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.client_ip`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.clustermembers`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.cn_asn_src`*:: + -- -This key is the parameters passed as part of a command or application, etc. 
- type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -This key captures the Name of the event log - type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.misc.cn_engine_id`*:: + -- -This key captures the Name of the Operating System - type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.cn_engine_type`*:: + -- -This key captures the Terminal Names only - type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -This key captures Filter used to reduce result set - type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -This key is the Serial number associated with a physical asset. - type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. 
- type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -This key captures the name of the virus +type: keyword + +-- +*`rsa.misc.cn_inpermpckts`*:: ++ +-- type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.cn_invalid`*:: + -- -This key is used to capture Content Type only. - type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.cn_l_switch`*:: + -- -This key captures Virtual System Name - type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.cn_log_did`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.misc.cn_log_rid`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). 
- type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -This key captures the Rule group name - type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -This key captures Version level of a signature or database content. - type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -This key captures the non-numeric risk value - type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.misc.status`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -This key is used to capture the mailbox id/name - type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -This key is the Unique Identifier for a rule. - type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -This key captures the Description of the trigger or threshold condition. 
- type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`rsa.misc.cn_seqctr`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.misc.cn_src_tos`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.misc.cn_template_id`*:: + -- -This key captures the contents of the policy. 
This contains details about the policy - type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -This key captures the name of a resource pool - type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - type: keyword -- -*`rsa.misc.count`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`rsa.misc.number`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`rsa.misc.type`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.misc.comp_class`*:: + -- -Comment information provided in the log message - type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.misc.comp_name`*:: + -- -This key captures File Identification number - -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.misc.comp_rbytes`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.misc.comp_sbytes`*:: + -- -This key captures the Job Number - type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.misc.cpu_data`*:: + -- -Destination SPI Index - type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.misc.criticality`*:: + -- -Source SPI Index - type: keyword -- -*`rsa.misc.code`*:: +*`rsa.misc.cs_agency_dst`*:: + -- type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -This key is used to capture agent id - type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.misc.cs_av_other`*:: + -- -This key captures the The contents of the message body. - type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.misc.cs_av_primary`*:: + -- type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -This key captures a string object of the sigid variable. 
- type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.misc.cs_bit9status`*:: + -- type: keyword -- -*`rsa.misc.name`*:: +*`rsa.misc.cs_context`*:: + -- type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.misc.cs_control`*:: + -- -This key is the CPU time used in the execution of the event being recorded. - -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.misc.cs_data`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.misc.cs_datecret`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.misc.cs_dst_tld`*:: + -- type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.misc.cs_event_uuid`*:: + -- type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.misc.cs_fld`*:: + -- -This key is to be used in an audit context where the subject is the object being identified - type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.misc.cs_if_name`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This key captures Filter Category Number. Legacy Usage - type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. 
- type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.cs_lifetime`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.cs_loginname`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.cs_modulescore`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.cs_payload`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.cs_registrant`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.cs_registrar`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.cs_represult`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.cs_rpayload`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.cs_yararesult`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.description`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. 
- type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.devvendor`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.distance`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.dstburb`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.edomain`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.edomaub`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.euid`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.facility`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.finterface`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.flags`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.gaddr`*:: + -- -This key captures Risk Number Static - -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.id3`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.im_buddyname`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.im_croomid`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.im_croomtype`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.im_members`*:: + -- -This key captures the Vulnerability 
Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.mbug_data`*:: + -- type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.misc_name`*:: + -- type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.number2`*:: + -- type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.object`*:: + -- type: keyword -- 
-*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.opkt`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.orig_from`*:: + -- type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.sburb`*:: + -- 
type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.sec`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- 
-*`rsa.misc.comp_sbytes`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.misc.autorun_type`*:: + -- +This is used to capture Auto Run type + type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.misc.cc_number`*:: + -- -type: keyword +Valid Credit Card Numbers only + +type: long -- -*`rsa.misc.cs_av_other`*:: +*`rsa.misc.content`*:: + -- +This key captures the content type from protocol headers + type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.language`*:: + -- +This is used to capture list of languages the client support and what it prefers + type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.misc.lifetime`*:: + -- -type: keyword +This key is used to capture the session lifetime in seconds. + +type: long -- -*`rsa.misc.cs_context`*:: +*`rsa.misc.link`*:: + -- +This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.misc.param_dst`*:: + -- +This key captures the command line/launch argument of the target process or file + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.sig_name`*:: + -- +This key is used to capture the Signature Name only. + type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.snmp_value`*:: + -- +SNMP set request value + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.misc.streams`*:: + -- -type: keyword +This key captures number of streams in session + +type: long -- -*`rsa.misc.cs_filetype`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. + type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.db.instance`*:: + -- +This key is used to capture the database server instance name + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.db.database`*:: + -- +This key is used to capture the name of a database or an instance as seen in a session + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. 
+ type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.misc.cs_loginname`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`rsa.misc.cs_modulesign`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.network.network_port`*:: + -- -type: keyword +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
+ +type: long -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`rsa.misc.devvendor`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. 
+ type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.misc.dstburb`*:: +*`rsa.network.protocol_detail`*:: + -- +This key should be used to capture additional protocol information + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`rsa.misc.euid`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.misc.flags`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use 
host.dst + type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.load_data`*:: +*`rsa.network.ip_proto`*:: + -- -type: keyword +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`rsa.misc.location_floor`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
+ type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`rsa.misc.msg_type`*:: + +*`rsa.investigations.ec_activity`*:: + -- +This key captures the particular event activity(Ex:Logoff) + type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.investigations.ec_theme`*:: + -- +This key captures the Theme of a particular Event(Ex:Authentication) + type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.investigations.ec_subject`*:: + -- +This key captures the Subject of a particular Event(Ex:User) + type: keyword -- -*`rsa.misc.num`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.investigations.event_cat`*:: + -- -type: keyword +This key captures the Event category number + +type: long -- -*`rsa.misc.number2`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`rsa.misc.object`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`rsa.misc.operation`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.p_id`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`rsa.misc.p_msgid1`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`rsa.misc.p_msgid2`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`rsa.misc.p_result1`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`rsa.misc.password_expire`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.counters.dclass_r1_str`*:: + 
-- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`rsa.misc.program`*:: +*`rsa.counters.dclass_r2_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r2 only + type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`rsa.misc.rec_asp_device`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. 
+ type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.session`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. 
+ type: keyword -- -*`rsa.misc.state`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.system`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + type: keyword -- -*`rsa.misc.udb_class`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.v_instafname`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.file.binary`*:: + -- -This is used to capture Auto Run type +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.file.filename_dst`*:: + -- -Valid Credit Card Numbers only +This is used to capture name of the file targeted by the action -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.file.filename_src`*:: + -- -This key captures the content type from protocol headers +This is used to capture name of the parent filename, the file which performed the action type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.file.filename_tmp`*:: + -- -Employee Identification Numbers only - -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.file.directory_dst`*:: + -- -This is used to capture the results of regex match +This key is used to capture the directory of the target process or file type: keyword -- -*`rsa.misc.language`*:: +*`rsa.file.directory_src`*:: + -- -This is used to capture list of languages the client support and what it prefers +This key is used to capture the directory of the source process or file type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.file.file_entropy`*:: + -- -This key is used to capture the session lifetime in seconds. +This is used to capture entropy vale of a file -type: long +type: double -- -*`rsa.misc.link`*:: +*`rsa.file.file_vendor`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is used to capture Company name of file located in version_info type: keyword -- -*`rsa.misc.match`*:: +*`rsa.file.task_name`*:: + -- -This key is for regex match name from search.ini +This is used to capture name of the task type: keyword -- -*`rsa.misc.param_dst`*:: + +*`rsa.web.fqdn`*:: + -- -This key captures the command line/launch argument of the target process or file +Fully Qualified Domain Names type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.web.web_cookie`*:: + -- -This key captures source parameter +This key is used to capture the Web cookies specifically. 
type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.web.alias_host`*:: + -- -This key captures the Search Text used - type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.web.reputation_num`*:: + -- -This key is used to capture the Signature Name only. +Reputation Number of an entity. Typically used for Web Domains -type: keyword +type: double -- -*`rsa.misc.snmp_value`*:: +*`rsa.web.web_ref_domain`*:: + -- -SNMP set request value +Web referer's domain type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.web.web_ref_query`*:: + -- -This key captures number of streams in session +This key captures Web referer's query portion of the URL -type: long +type: keyword -- - -*`rsa.db.index`*:: +*`rsa.web.remote_domain`*:: + -- -This key captures IndexID of the index. - type: keyword -- -*`rsa.db.instance`*:: +*`rsa.web.web_ref_page`*:: + -- -This key is used to capture the database server instance name +This key captures Web referer's page information type: keyword -- -*`rsa.db.database`*:: +*`rsa.web.web_ref_root`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +Web referer's root URL path type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.web.cn_asn_dst`*:: + -- -This key captures the SQL transantion ID of the current session - type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.web.cn_rpackets`*:: + -- -This key captures permission or privilege level assigned to a resource. 
- type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.web.urlpage`*:: + -- -This key is used to capture the table name - type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.web.urlroot`*:: + -- -This key is used to capture the unique identifier for a database - type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.web.p_url`*:: + -- -This key captures the process id of a connection with database server - -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`rsa.web.p_user_agent`*:: + -- -This key is used for the number of logical reads - -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.web.p_web_cookie`*:: + -- -This key is used for the number of logical writes - -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.web.p_web_method`*:: + -- -This key is used for the number of physical writes +type: keyword -type: long +-- +*`rsa.web.p_web_referer`*:: ++ -- +type: keyword +-- -*`rsa.network.alias_host`*:: +*`rsa.web.web_extension_tmp`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - type: keyword -- -*`rsa.network.domain`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.network.host_dst`*:: + +*`rsa.threat.threat_category`*:: + -- -This key should only be used when it’s a Destination Hostname +This key captures Threat Name/Threat Category/Categorization of alert type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.threat.threat_desc`*:: + -- -This is used to capture layer 7 protocols/service names +This key is used to capture the threat description from the session directly or inferred type: keyword -- -*`rsa.network.interface`*:: +*`rsa.threat.alert`*:: + -- -This key should be used when the source or destination context of an interface is not clear +This key is used to capture name of the alert type: keyword -- -*`rsa.network.network_port`*:: +*`rsa.threat.threat_source`*:: + -- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +This key is used to capture source of the threat -type: long +type: keyword -- -*`rsa.network.eth_host`*:: + +*`rsa.crypto.crypto`*:: + -- -Deprecated, use alias.mac +This key is used to capture the Encryption Type or Encryption Key only type: keyword -- -*`rsa.network.sinterface`*:: +*`rsa.crypto.cipher_src`*:: + -- -This key should only be used when it’s a Source Interface +This key is for Source (Client) Cipher type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.crypto.cert_subject`*:: + -- -This key should only be used when it’s a Destination Interface +This key is used to capture the Certificate organization only type: keyword -- -*`rsa.network.vlan`*:: +*`rsa.crypto.peer`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +This key is for Encryption peer's IP Address -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -This key should only be used when it’s a Source Zone. +This key captures Source (Client) Cipher Size -type: keyword +type: long -- -*`rsa.network.zone`*:: +*`rsa.crypto.ike`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +IKE negotiation phase. type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.crypto.scheme`*:: + -- -This key should only be used when it’s a Destination Zone. +This key captures the Encryption scheme used type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.crypto.peer_id`*:: + -- -This key is used to capture the IP Address of the gateway +This key is for Encryption peer’s identity type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.crypto.sig_type`*:: + -- -This key is used to capture the ICMP type only +This key captures the Signature Type -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.crypto.cert_issuer`*:: + -- -This key is used to capture the device network IPmask. 
- type: keyword -- -*`rsa.network.icmp_code`*:: +*`rsa.crypto.cert_host_name`*:: + -- -This key is used to capture the ICMP code only +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.crypto.cert_error`*:: + -- -This key should be used to capture additional protocol information +This key captures the Certificate Error String type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.crypto.cipher_dst`*:: + -- -This key is used for Destionation Device network mask +This key is for Destination (Server) Cipher type: keyword -- -*`rsa.network.port`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +This key captures Destination (Server) Cipher Size type: long -- -*`rsa.network.smask`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -This key is used for capturing source Network Mask +Deprecated, use version type: keyword -- -*`rsa.network.netname`*:: +*`rsa.crypto.d_certauth`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. 
- type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.crypto.s_certauth`*:: + -- -Deprecated - -type: ip +type: keyword -- -*`rsa.network.faddr`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.network.origin`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.network.addr`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.network.fport`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`rsa.network.phost`*:: +*`rsa.crypto.cert_ca`*:: + -- +This key is used to capture the Certificate signing authority only + type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.crypto.cert_common`*:: + -- -Deprecated, use host.dst +This key is used to capture the Certificate common name only type: keyword -- -*`rsa.network.eth_type`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +This key is used to capture the ssid of a Wireless Session -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.wireless.access_point`*:: + -- -This key should be used to capture the Protocol number, 
all the protocol nubers are converted into string in UI +This key is used to capture the access point name. -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: +*`rsa.wireless.wlan_channel`*:: + -- -type: keyword +This is used to capture the channel names + +type: long -- -*`rsa.network.dns_id`*:: +*`rsa.wireless.wlan_name`*:: + -- +This key captures either WLAN number/name + type: keyword -- -*`rsa.network.dns_opcode`*:: + +*`rsa.storage.disk_volume`*:: + -- +A unique name assigned to logical units (volumes) within a physical disk + type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.storage.lun`*:: + -- +Logical Unit Number.This key is a very useful concept in Storage. + type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.storage.pwwn`*:: + -- +This uniquely identifies a port on a HBA. + type: keyword -- -*`rsa.network.domain1`*:: + +*`rsa.physical.org_dst`*:: + -- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.physical.org_src`*:: + -- +This is used to capture the source organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.network.packet_length`*:: + +*`rsa.healthcare.patient_fname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.healthcare.patient_id`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +This key captures the unique ID for a patient type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.healthcare.patient_lname`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
+This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.network.vlan_name`*:: +*`rsa.healthcare.patient_mname`*:: + -- -This key should only be used to capture the name of the Virtual LAN +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.investigations.ec_activity`*:: +*`rsa.endpoint.host_state`*:: + -- -This key captures the particular event activity(Ex:Logoff) +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.endpoint.registry_key`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +This key captures the path to the registry key type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.endpoint.registry_value`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +This key captures values or decorators used within a registry entry type: keyword -- -*`rsa.investigations.ec_outcome`*:: +[[exported-fields-fortinet]] +== Fortinet fields + +fortinet Module + + + +*`network.interface.name`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +Name of the network interface where the traffic has been observed. + type: keyword -- -*`rsa.investigations.event_cat`*:: + + +*`rsa.internal.msg`*:: + -- -This key captures the Event category number +This key is used to capture the raw message that comes into the Log Decoder -type: long +type: keyword -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.internal.messageid`*:: + -- -This key captures the event category name corresponding to the event cat code - type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.internal.event_desc`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
- type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.internal.message`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +This key captures the contents of instant messages type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`rsa.internal.time`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -*`rsa.investigations.analysis_session`*:: +*`rsa.internal.level`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.investigations.boc`*:: +*`rsa.internal.msg_id`*:: + -- -This is used to capture behaviour of compromise +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.eoc`*:: +*`rsa.internal.msg_vid`*:: + -- -This is used to capture Enablers of Compromise +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.inv_category`*:: +*`rsa.internal.data`*:: + -- -This used to capture investigation category +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.internal.obj_server`*:: + -- -This used to capture investigation context +Deprecated key defined only in table map. type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.internal.obj_val`*:: + -- -This is key capture indicator of compromise +Deprecated key defined only in table map. type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.internal.resource`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`rsa.internal.obj_id`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.counters.event_counter`*:: +*`rsa.internal.statement`*:: + -- -This is used to capture the number of times an event repeated +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.counters.dclass_r1`*:: +*`rsa.internal.audit_class`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +Deprecated key defined only in table map. type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.internal.entry`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.internal.hcode`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +Deprecated key defined only in table map. type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.internal.inode`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +Deprecated key defined only in table map. 
-type: keyword +type: long -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.internal.resource_class`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +Deprecated key defined only in table map. type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.internal.dead`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.internal.feed_desc`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`rsa.internal.feed_name`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.internal.cid`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.internal.device_class`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- - -*`rsa.identity.auth_method`*:: +*`rsa.internal.device_group`*:: + -- -This key is used to capture authentication methods used only +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.user_role`*:: +*`rsa.internal.device_host`*:: + -- -This key is used to capture the Role of a user only +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.internal.device_ip`*:: + -- -X.500 (LDAP) Distinguished Name +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.identity.logon_type`*:: +*`rsa.internal.device_ipv6`*:: + -- -This key is used to capture the type of logon method used. +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.identity.profile`*:: +*`rsa.internal.device_type`*:: + -- -This key is used to capture the user profile +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.accesses`*:: +*`rsa.internal.device_type_id`*:: + -- -This key is used to capture actual privileges used in accessing an object +Deprecated key defined only in table map. 
-type: keyword +type: long -- -*`rsa.identity.realm`*:: +*`rsa.internal.did`*:: + -- -Radius realm or similar grouping of accounts +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.internal.entropy_req`*:: + -- -This key captures Destination User Session ID +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.identity.dn_src`*:: +*`rsa.internal.entropy_res`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.identity.org`*:: +*`rsa.internal.event_name`*:: + -- -This key captures the User organization +Deprecated key defined only in table map. type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.internal.feed_category`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.internal.forward_ip`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. 
-type: keyword +type: ip -- -*`rsa.identity.lastname`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.identity.user_dept`*:: +*`rsa.internal.header_id`*:: + -- -User's Department Names only +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`rsa.internal.lc_cid`*:: + -- -This key captures Source User Session ID +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.internal.lc_ctime`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`rsa.identity.federated_idp`*:: +*`rsa.internal.mcb_req`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. 
+This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.internal.mcb_res`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.identity.middlename`*:: +*`rsa.internal.mcbc_req`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.identity.password`*:: +*`rsa.internal.mcbc_res`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.identity.host_role`*:: +*`rsa.internal.medium`*:: + -- -This key should only be used to capture the role of a Host Machine +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`rsa.identity.ldap`*:: +*`rsa.internal.node_name`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.identity.ldap_query`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -This key is the Search criteria from an LDAP search +This key denotes that event is endpoint related type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.internal.parse_error`*:: + -- -This key is to capture Results from an LDAP search +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.internal.payload_req`*:: + -- -This is used to capture username the process or service is running as, the author of the task +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`rsa.identity.service_account`*:: +*`rsa.internal.payload_res`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- - -*`rsa.email.email_dst`*:: +*`rsa.internal.process_vid_dst`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.internal.process_vid_src`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. 
type: keyword -- -*`rsa.email.subject`*:: +*`rsa.internal.rid`*:: + -- -This key is used to capture the subject string from an Email only. +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`rsa.email.email`*:: +*`rsa.internal.session_split`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.internal.site`*:: + -- Deprecated key defined only in table map. 
@@ -54049,11093 +60929,11137 @@ type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.internal.size`*:: + -- -Deprecated key defined only in table map. +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- - -*`rsa.file.privilege`*:: +*`rsa.internal.sourcefile`*:: + -- -Deprecated, use permissions +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.internal.ubc_req`*:: + -- -This key captures the attachment file name +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.file.filesystem`*:: +*`rsa.internal.ubc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`rsa.file.binary`*:: +*`rsa.internal.word`*:: + -- -Deprecated key defined only in table map. 
+This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`rsa.file.filename_dst`*:: + +*`rsa.time.event_time`*:: + -- -This is used to capture name of the file targeted by the action +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`rsa.file.filename_src`*:: +*`rsa.time.duration_time`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- -*`rsa.file.filename_tmp`*:: +*`rsa.time.event_time_str`*:: + -- +This key is used to capture the incomplete time mentioned in a session as a string + type: keyword -- -*`rsa.file.directory_dst`*:: +*`rsa.time.starttime`*:: + -- -This key is used to capture the directory of the target process or file +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.file.directory_src`*:: +*`rsa.time.month`*:: + -- -This key is used to capture the directory of the source process or file - type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.time.day`*:: + -- -This is used to capture entropy vale of a file - -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`rsa.time.endtime`*:: + -- -This is used to capture Company name of file located in version_info +This key is used to capture the End time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.file.task_name`*:: +*`rsa.time.timezone`*:: + -- -This is used to capture name of the task +This key is used to capture the timezone of the Event Time type: keyword -- - -*`rsa.web.fqdn`*:: +*`rsa.time.duration_str`*:: + -- -Fully Qualified Domain Names +A text string version of the duration type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.time.date`*:: + 
-- -This key is used to capture the Web cookies specifically. - type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.time.recorded_time`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: double +type: date -- -*`rsa.web.web_ref_domain`*:: +*`rsa.time.datetime`*:: + -- -Web referer's domain - type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.time.effective_time`*:: + -- -This key captures Web referer's query portion of the URL +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: keyword +type: date -- -*`rsa.web.remote_domain`*:: +*`rsa.time.expire_time`*:: + -- -type: keyword +This key is the timestamp that explicitly refers to an expiration. + +type: date -- -*`rsa.web.web_ref_page`*:: +*`rsa.time.process_time`*:: + -- -This key captures Web referer's page information +Deprecated, use duration.time type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.time.hour`*:: + -- -Web referer's root URL path - type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.time.event_queue_time`*:: + -- -type: keyword +This key is the Time that the event was queued. 
+ +type: date -- -*`rsa.web.urlroot`*:: +*`rsa.time.p_time1`*:: + -- type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.time.tzone`*:: + -- type: keyword -- -*`rsa.web.p_user_agent`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`rsa.time.gmtdate`*:: + -- type: keyword -- -*`rsa.web.p_web_method`*:: +*`rsa.time.gmttime`*:: + -- type: keyword -- -*`rsa.web.p_web_referer`*:: +*`rsa.time.p_date`*:: + -- type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.time.p_month`*:: + -- type: keyword -- -*`rsa.web.web_page`*:: +*`rsa.time.p_time`*:: + -- type: keyword -- - -*`rsa.threat.threat_category`*:: +*`rsa.time.p_time2`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert - type: keyword -- -*`rsa.threat.threat_desc`*:: +*`rsa.time.p_year`*:: + -- -This key is used to capture the threat description from the session directly or inferred - type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.time.expire_time_str`*:: + -- -This key is used to capture name of the alert +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.time.stamp`*:: + -- -This key is used to capture source of the threat +Deprecated key defined only in table map. -type: keyword +type: date -- -*`rsa.crypto.crypto`*:: +*`rsa.misc.action`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only - type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.misc.result`*:: + -- -This key is for Source (Client) Cipher +This key is used to capture the outcome/result string value of an action in a session. 
type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.misc.severity`*:: + -- -This key is used to capture the Certificate organization only +This key is used to capture the severity given the session type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.misc.event_type`*:: + -- -This key is for Encryption peer's IP Address +This key captures the event category type as specified by the event source. type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.misc.reference_id`*:: + -- -This key captures Source (Client) Cipher Size +This key is used to capture an event id from the session directly -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.misc.version`*:: + -- -IKE negotiation phase. +This key captures Version of the application or OS which is generating the event. type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.misc.disposition`*:: + -- -This key captures the Encryption scheme used +This key captures the The end state of an action. type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.misc.result_code`*:: + -- -This key is for Encryption peer’s identity +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`rsa.crypto.sig_type`*:: +*`rsa.misc.category`*:: + -- -This key captures the Signature Type +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.misc.obj_name`*:: + -- +This is used to capture name of object + type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.misc.obj_type`*:: + -- -Deprecated key defined only in table map. 
+This is used to capture type of object type: keyword -- -*`rsa.crypto.cert_error`*:: +*`rsa.misc.event_source`*:: + -- -This key captures the Certificate Error String +This key captures Source of the event that’s not a hostname type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.misc.log_session_id`*:: + -- -This key is for Destination (Server) Cipher +This key is used to capture a sessionid from the session directly type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.misc.group`*:: + -- -This key captures Destination (Server) Cipher Size +This key captures the Group Name value -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.misc.policy_name`*:: + -- -Deprecated, use version +This key is used to capture the Policy Name only. type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.misc.rule_name`*:: + -- -type: keyword - --- +This key captures the Rule Name -*`rsa.crypto.s_certauth`*:: -+ --- type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.misc.context`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +This key captures Information which adds additional context to the event. type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.misc.change_new`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.misc.client`*:: + -- -This key is used for the hostname category value of a certificate +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.misc.msgIdPart1`*:: + -- -This key is used to capture the Certificate serial number only - type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.misc.msgIdPart2`*:: + -- -This key captures Certificate validation status - type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.misc.change_old`*:: + -- -Deprecated, use version +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.misc.operation_id`*:: + -- -type: keyword - --- +An alert number or operation number. The values should be unique and non-repeating. -*`rsa.crypto.cert_username`*:: -+ --- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.misc.event_state`*:: + -- -type: keyword - --- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. -*`rsa.crypto.https_valid`*:: -+ --- type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.misc.group_object`*:: + -- -This key is used to capture the Certificate signing authority only +This key captures a collection/grouping of entities. Specific usage type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.misc.node`*:: + -- -This key is used to capture the Certificate common name only +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.misc.rule`*:: + -- -This key is used to capture the ssid of a Wireless Session +This key captures the Rule number type: keyword -- -*`rsa.wireless.access_point`*:: +*`rsa.misc.device_name`*:: + -- -This key is used to capture the access point name. 
+This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.misc.param`*:: + -- -This is used to capture the channel names +This key is the parameters passed as part of a command or application, etc. -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.misc.change_attrib`*:: + -- -This key captures either WLAN number/name +This key is used to capture the name of the attribute that’s changing in a session type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.misc.event_computer`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.misc.reference_id1`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.misc.event_log`*:: + -- -This uniquely identifies a port on a HBA. +This key captures the Name of the event log type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.misc.OS`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +This key captures the Name of the Operating System type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.misc.terminal`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
+This key captures the Terminal Names only type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.misc.msgIdPart3`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.misc.filter`*:: + -- -This key captures the unique ID for a patient +This key captures Filter used to reduce result set type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.misc.serial_number`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key is the Serial number associated with a physical asset. type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.misc.checksum`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.misc.event_user`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.misc.virusname`*:: + -- -This key captures the path to the registry key +This key captures the name of the virus type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.misc.content_type`*:: + -- -This key captures values or decorators used within a registry entry +This key is used to capture Content Type only. 
type: keyword -- -[[exported-fields-fortinet]] -== Fortinet fields - -fortinet Module - - - -*`network.interface.name`*:: +*`rsa.misc.group_id`*:: + -- -Name of the network interface where the traffic has been observed. - +This key captures Group ID Number (related to the group name) type: keyword -- - - -*`rsa.internal.msg`*:: +*`rsa.misc.policy_id`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`rsa.internal.messageid`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`rsa.internal.message`*:: +*`rsa.misc.reference_id2`*:: + -- -This key captures the contents of instant messages +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. type: keyword -- -*`rsa.internal.time`*:: +*`rsa.misc.sensor`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +This key captures Name of the sensor. Typically used in IDS/IPS based devices -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.misc.sig_id`*:: + -- -Deprecated key defined only in table map. +This key captures IDS/IPS Int Signature ID type: long -- -*`rsa.internal.msg_id`*:: +*`rsa.misc.port_name`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.misc.rule_group`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Rule group name type: keyword -- -*`rsa.internal.data`*:: +*`rsa.misc.risk_num`*:: + -- -Deprecated key defined only in table map. +This key captures a Numeric Risk value -type: keyword +type: double -- -*`rsa.internal.obj_server`*:: +*`rsa.misc.trigger_val`*:: + -- -Deprecated key defined only in table map. +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.misc.log_session_id1`*:: + -- -Deprecated key defined only in table map. +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.misc.comp_version`*:: + -- -Deprecated key defined only in table map. +This key captures the Version level of a sub-component of a product. type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.misc.content_version`*:: + -- -Deprecated key defined only in table map. +This key captures Version level of a signature or database content. type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.misc.hardware_id`*:: + -- -Deprecated key defined only in table map. +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`rsa.internal.audit_class`*:: +*`rsa.misc.risk`*:: + -- -Deprecated key defined only in table map. 
+This key captures the non-numeric risk value type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.misc.event_id`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.hcode`*:: +*`rsa.misc.reason`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.misc.status`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.mail_id`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the mailbox id/name type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.rule_uid`*:: + -- -Deprecated key defined only in table map. +This key is the Unique Identifier for a rule. -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.trigger_desc`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Description of the trigger or threshold condition. type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.inout`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.misc.p_msgid`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.misc.data_type`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.msgIdPart4`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.misc.error`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures All non successful Error codes or responses type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.index`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.listnum`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture listname or listnumber, primarily for collecting access-list -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.misc.ntype`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.observed_val`*:: + -- -Deprecated key defined only in table map. +This key captures the Value observed (from the perspective of the device generating the log). 
-type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.misc.policy_value`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.pool_name`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +This key captures the name of a resource pool -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.rule_template`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.misc.count`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.number`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.misc.sigcat`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.type`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.comments`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Comment information provided in the log message type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.doc_number`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures File Identification number -type: keyword +type: long -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.expected_val`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Value expected (from the perspective of the device generating the log). 
-type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.job_num`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +This key captures the Job Number -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.spi_dst`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +Destination SPI Index -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.spi_src`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +Source SPI Index -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.code`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.agent_id`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +This key is used to capture agent id -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.misc.message_body`*:: + -- -Deprecated key defined only in table map. +This key captures the The contents of the message body. type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.phone`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.sig_id_str`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures a string object of the sigid variable. type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.cmd`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.misc`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.name`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.cpu`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +This key is the CPU time used in the execution of the event being recorded. -type: keyword +type: long -- -*`rsa.internal.rid`*:: +*`rsa.misc.event_desc`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture a description of an event available directly or inferred -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.misc.sig_id1`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -*`rsa.internal.site`*:: +*`rsa.misc.im_buddyid`*:: + -- -Deprecated key defined only in table map. 
- type: keyword -- -*`rsa.internal.size`*:: +*`rsa.misc.im_client`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`rsa.misc.im_userid`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.pid`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.priority`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.misc.context_subject`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +This key is to be used in an audit context where the subject is the object being identified type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.misc.context_target`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.misc.cve`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. 
-type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.fcatnum`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.library`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form +This key is used to capture library information in mainframe devices -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.parent_node`*:: + -- +This key captures the Parent Node Name. Must be related to node variable. + type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.risk_info`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.time.endtime`*:: +*`rsa.misc.tcp_flags`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +This key is captures the TCP flags set in any packet of session -type: date +type: long -- -*`rsa.time.timezone`*:: +*`rsa.misc.tos`*:: + -- -This key is used to capture the timezone of the Event Time +This key describes the type of service -type: keyword +type: long -- -*`rsa.time.duration_str`*:: +*`rsa.misc.vm_target`*:: + -- -A text string version of the duration +VMWare Target **VMWARE** only varaible. type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.workspace`*:: + -- +This key captures Workspace Description + type: keyword -- -*`rsa.time.year`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.event_category`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.forensic_info`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.jobname`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.mode`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.space1`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.alert_id`*:: + -- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.checksum_dst`*:: + -- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.misc.checksum_src`*:: + -- +This key is used to capture the checksum or hash of the source entity such as a file or process. 
+ type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.misc.fresult`*:: + -- -type: keyword +This key captures the Filter Result + +type: long -- -*`rsa.time.p_month`*:: +*`rsa.misc.payload_dst`*:: + -- +This key is used to capture destination payload + type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.misc.payload_src`*:: + -- +This key is used to capture source payload + type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.pool_id`*:: + -- +This key captures the identifier (typically numeric field) of a resource pool + type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.process_id_val`*:: + -- +This key is a failure key for Process ID when it is not an integer value + type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.risk_num_comm`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. +This key captures Risk Number Community -type: keyword +type: double -- -*`rsa.time.stamp`*:: +*`rsa.misc.risk_num_next`*:: + -- -Deprecated key defined only in table map. +This key captures Risk Number NextGen -type: date +type: double -- - -*`rsa.misc.action`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: keyword +This key captures Risk Number SandBox + +type: double -- -*`rsa.misc.result`*:: +*`rsa.misc.risk_num_static`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. +This key captures Risk Number Static -type: keyword +type: double -- -*`rsa.misc.severity`*:: +*`rsa.misc.risk_suspicious`*:: + -- -This key is used to capture the severity given the session +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.risk_warning`*:: + -- -This key captures the event category type as specified by the event source. 
+Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.snmp_oid`*:: + -- -This key is used to capture an event id from the session directly +SNMP Object Identifier type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.sql`*:: + -- -This key captures Version of the application or OS which is generating the event. +This key captures the SQL query type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.vuln_ref`*:: + -- -This key captures the The end state of an action. +This key captures the Vulnerability Reference details type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.acl_id`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`rsa.misc.acl_op`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.acl_pos`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.acl_table`*:: + -- -This is used to capture type of object - type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.admin`*:: + --- -This key captures Source of the event that’s not a hostname - +-- type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.alarm_id`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.alarmname`*:: + -- -This key captures the Group Name value - type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.app_id`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.audit`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.audit_object`*:: + -- -This key captures Information which adds additional context to the event. 
- type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.auditdata`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.bypass`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.cefversion`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.cfg_attr`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.cfg_obj`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.cfg_path`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.changes`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.client_ip`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.clustermembers`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -This key is the parameters passed as part of a command or application, etc. 
- type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.cn_asn_src`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -This key captures the Name of the event log - type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -This key captures the Name of the Operating System - type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.cn_engine_id`*:: + -- -This key captures the Terminal Names only - type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.misc.cn_f_switch`*:: + -- -This key captures Filter used to reduce result set - type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -This key is the Serial number associated with a physical asset. - type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. 
- type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -This key captures the name of the virus - type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -This key is used to capture Content Type only. - type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.cn_invalid`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -This key captures Virtual System Name - type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.misc.cn_l_switch`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.misc.cn_log_did`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.misc.cn_log_rid`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -This key captures the Rule group name - type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -This key captures the Value of the trigger or threshold condition. 
- type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -This key captures Version level of a signature or database content. - type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -This key captures the non-numeric risk value - type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`rsa.misc.status`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -This key is used to capture the mailbox id/name - type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -This key is the Unique Identifier for a rule. - type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -This key captures the Description of the trigger or threshold condition. 
- type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.misc.cn_seqctr`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.misc.cn_src_tos`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -This key captures the contents of the policy. 
This contains details about the policy - type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -This key captures the name of a resource pool - type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.misc.cn_template_id`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - type: keyword -- -*`rsa.misc.count`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`rsa.misc.number`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`rsa.misc.type`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -Comment information provided in the log message - type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -This key captures File Identification number - -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.misc.comp_class`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.misc.comp_name`*:: + -- -This key captures the Job Number - type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.misc.comp_rbytes`*:: + -- -Destination SPI Index - type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.misc.comp_sbytes`*:: + -- -Source SPI Index - type: keyword -- -*`rsa.misc.code`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.misc.criticality`*:: + -- -This key is used to capture agent id - type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -This key captures the The contents of the message body. - type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.misc.cs_analyzedby`*:: + -- type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.misc.cs_av_other`*:: + -- -This key captures a string object of the sigid variable. 
- type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.misc.cs_av_primary`*:: + -- type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.misc.cs_av_secondary`*:: + -- type: keyword -- -*`rsa.misc.name`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.misc.cs_bit9status`*:: + -- -This key is the CPU time used in the execution of the event being recorded. - -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.misc.cs_context`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.misc.cs_control`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.misc.cs_datecret`*:: + -- type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.misc.cs_dst_tld`*:: + -- type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This key is to be used in an audit context where the subject is the object being identified - type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.misc.cs_fld`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This key captures Filter Category Number. Legacy Usage - type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.cs_if_name`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. 
- type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.cs_lifetime`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.cs_log_medium`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.cs_loginname`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.cs_modulescore`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.cs_modulesign`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.cs_payload`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.cs_registrant`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.cs_registrar`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.cs_represult`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.cs_rpayload`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.cs_whois_server`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. 
- type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.description`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.devvendor`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.distance`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.dstburb`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.edomain`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.edomaub`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.euid`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.facility`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.finterface`*:: + -- -This key captures Risk Number Static - -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.flags`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.gaddr`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.id3`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.im_buddyname`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.im_croomid`*:: + -- -This key captures the Vulnerability 
Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.mbug_data`*:: + -- type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.misc_name`*:: + -- type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.number2`*:: + -- type: keyword -- 
-*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.opkt`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.orig_from`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.recordnum`*:: + -- 
type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.sburb`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.sec`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- 
-*`rsa.misc.comp_sbytes`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.misc.autorun_type`*:: + -- +This is used to capture Auto Run type + type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.misc.cc_number`*:: + -- -type: keyword +Valid Credit Card Numbers only + +type: long -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.misc.content`*:: + -- +This key captures the content type from protocol headers + type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.misc.language`*:: + -- +This is used to capture list of languages the client support and what it prefers + type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.misc.lifetime`*:: + -- -type: keyword +This key is used to capture the session lifetime in seconds. + +type: long -- -*`rsa.misc.cs_data`*:: +*`rsa.misc.link`*:: + -- +This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.misc.param_dst`*:: + -- +This key captures the command line/launch argument of the target process or file + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.misc.sig_name`*:: + -- +This key is used to capture the Signature Name only. + type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.misc.snmp_value`*:: + -- +SNMP set request value + type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.misc.streams`*:: + -- -type: keyword +This key captures number of streams in session + +type: long -- -*`rsa.misc.cs_if_desc`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.db.instance`*:: + -- +This key is used to capture the database server instance name + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.db.database`*:: + -- +This key is used to capture the name of a database or an instance as seen in a session + type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. 
+ type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`rsa.misc.cs_payload`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.network.network_port`*:: + -- -type: keyword +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
+ +type: long -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`rsa.misc.dstburb`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. 
+ type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.misc.edomaub`*:: +*`rsa.network.protocol_detail`*:: + -- +This key should be used to capture additional protocol information + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`rsa.misc.finterface`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`rsa.misc.flags`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.misc.id3`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use 
host.dst + type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.location_mark`*:: +*`rsa.network.ip_proto`*:: + -- -type: keyword +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`rsa.misc.log_id`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
+ type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`rsa.misc.netsessid`*:: + +*`rsa.investigations.ec_activity`*:: + -- +This key captures the particular event activity(Ex:Logoff) + type: keyword -- -*`rsa.misc.num`*:: +*`rsa.investigations.ec_theme`*:: + -- +This key captures the Theme of a particular Event(Ex:Authentication) + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.investigations.ec_subject`*:: + -- +This key captures the Subject of a particular Event(Ex:User) + type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.investigations.event_cat`*:: + -- -type: keyword +This key captures the Event category number + +type: long -- -*`rsa.misc.object`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.misc.operation`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.p_msgid2`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`rsa.misc.p_result1`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`rsa.misc.password_chg`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`rsa.misc.password_expire`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`rsa.misc.permwanted`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.counters.dclass_r1_str`*:: + -- 
+This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`rsa.misc.program`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.counters.dclass_r2_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r2 only + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`rsa.misc.rec_library`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. 
+ type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.misc.session`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.state`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. 
+ type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.system`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + type: keyword -- -*`rsa.misc.user_div`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.vpnid`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.file.attachment`*:: + -- -This is used to capture Auto Run type +This key captures the attachment file name type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.file.filesystem`*:: + -- -Valid Credit Card Numbers only - -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.file.binary`*:: + -- -This key captures the content type from protocol headers +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.file.filename_dst`*:: + -- -Employee Identification Numbers only +This is used to capture name of the file targeted by the action -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.file.filename_src`*:: + -- -This is used to capture the results of regex match +This is used to capture name of the parent filename, the file which performed the action type: keyword -- -*`rsa.misc.language`*:: +*`rsa.file.filename_tmp`*:: + -- -This is used to capture list of languages the client support and what it prefers - type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.file.directory_dst`*:: + -- -This key is used to capture the session lifetime in seconds. +This key is used to capture the directory of the target process or file -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.file.directory_src`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the directory of the source process or file type: keyword -- -*`rsa.misc.match`*:: +*`rsa.file.file_entropy`*:: + -- -This key is for regex match name from search.ini +This is used to capture entropy vale of a file -type: keyword +type: double -- -*`rsa.misc.param_dst`*:: +*`rsa.file.file_vendor`*:: + -- -This key captures the command line/launch argument of the target process or file +This is used to capture Company name of file located in version_info type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.file.task_name`*:: + -- -This key captures source parameter +This is used to capture name of the task type: keyword -- -*`rsa.misc.search_text`*:: + +*`rsa.web.fqdn`*:: + -- -This key captures the Search Text used +Fully Qualified Domain Names type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.web.web_cookie`*:: + -- -This key is used to capture the Signature Name only. 
+This key is used to capture the Web cookies specifically. type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.web.alias_host`*:: + -- -SNMP set request value - type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.web.reputation_num`*:: + -- -This key captures number of streams in session +Reputation Number of an entity. Typically used for Web Domains -type: long +type: double -- - -*`rsa.db.index`*:: +*`rsa.web.web_ref_domain`*:: + -- -This key captures IndexID of the index. +Web referer's domain type: keyword -- -*`rsa.db.instance`*:: +*`rsa.web.web_ref_query`*:: + -- -This key is used to capture the database server instance name +This key captures Web referer's query portion of the URL type: keyword -- -*`rsa.db.database`*:: +*`rsa.web.remote_domain`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session - type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.web.web_ref_page`*:: + -- -This key captures the SQL transantion ID of the current session +This key captures Web referer's page information type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.web.web_ref_root`*:: + -- -This key captures permission or privilege level assigned to a resource. 
+Web referer's root URL path type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.web.cn_asn_dst`*:: + -- -This key is used to capture the table name - type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.web.cn_rpackets`*:: + -- -This key is used to capture the unique identifier for a database - type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.web.urlpage`*:: + -- -This key captures the process id of a connection with database server - -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`rsa.web.urlroot`*:: + -- -This key is used for the number of logical reads - -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.web.p_url`*:: + -- -This key is used for the number of logical writes - -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.web.p_user_agent`*:: + -- -This key is used for the number of physical writes - -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.web.p_web_cookie`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - type: keyword -- -*`rsa.network.domain`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.web.p_web_referer`*:: + -- -This key should only be used when it’s a Destination Hostname - type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.web.web_extension_tmp`*:: + -- -This is used to capture layer 7 protocols/service names - type: keyword -- -*`rsa.network.interface`*:: +*`rsa.web.web_page`*:: + -- -This key should be used when the source or destination context of an interface is not clear - type: keyword -- -*`rsa.network.network_port`*:: + +*`rsa.threat.threat_category`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
+This key captures Threat Name/Threat Category/Categorization of alert -type: long +type: keyword -- -*`rsa.network.eth_host`*:: +*`rsa.threat.threat_desc`*:: + -- -Deprecated, use alias.mac +This key is used to capture the threat description from the session directly or inferred type: keyword -- -*`rsa.network.sinterface`*:: +*`rsa.threat.alert`*:: + -- -This key should only be used when it’s a Source Interface +This key is used to capture name of the alert type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.threat.threat_source`*:: + -- -This key should only be used when it’s a Destination Interface +This key is used to capture source of the threat type: keyword -- -*`rsa.network.vlan`*:: + +*`rsa.crypto.crypto`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +This key is used to capture the Encryption Type or Encryption Key only -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.crypto.cipher_src`*:: + -- -This key should only be used when it’s a Source Zone. +This key is for Source (Client) Cipher type: keyword -- -*`rsa.network.zone`*:: +*`rsa.crypto.cert_subject`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +This key is used to capture the Certificate organization only type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.crypto.peer`*:: + -- -This key should only be used when it’s a Destination Zone. +This key is for Encryption peer's IP Address type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -This key is used to capture the IP Address of the gateway +This key captures Source (Client) Cipher Size -type: keyword +type: long -- -*`rsa.network.icmp_type`*:: +*`rsa.crypto.ike`*:: + -- -This key is used to capture the ICMP type only +IKE negotiation phase. -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.crypto.scheme`*:: + -- -This key is used to capture the device network IPmask. 
+This key captures the Encryption scheme used type: keyword -- -*`rsa.network.icmp_code`*:: +*`rsa.crypto.peer_id`*:: + -- -This key is used to capture the ICMP code only +This key is for Encryption peer’s identity -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.crypto.sig_type`*:: + -- -This key should be used to capture additional protocol information +This key captures the Signature Type type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.crypto.cert_issuer`*:: + -- -This key is used for Destionation Device network mask - type: keyword -- -*`rsa.network.port`*:: +*`rsa.crypto.cert_host_name`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.crypto.cert_error`*:: + -- -This key is used for capturing source Network Mask +This key captures the Certificate Error String type: keyword -- -*`rsa.network.netname`*:: +*`rsa.crypto.cipher_dst`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. 
+This key is for Destination (Server) Cipher type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -Deprecated +This key captures Destination (Server) Cipher Size -type: ip +type: long -- -*`rsa.network.faddr`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`rsa.network.origin`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`rsa.network.addr`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.network.fport`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.network.phost`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.crypto.https_insact`*:: + -- -Deprecated, use host.dst - type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.crypto.https_valid`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.crypto.cert_ca`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +This key is used 
to capture the Certificate signing authority only -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: +*`rsa.crypto.cert_common`*:: + -- +This key is used to capture the Certificate common name only + type: keyword -- -*`rsa.network.dns_id`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- +This key is used to capture the ssid of a Wireless Session + type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.wireless.access_point`*:: + -- +This key is used to capture the access point name. + type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.wireless.wlan_channel`*:: + -- -type: keyword +This is used to capture the channel names + +type: long -- -*`rsa.network.dns_type`*:: +*`rsa.wireless.wlan_name`*:: + -- +This key captures either WLAN number/name + type: keyword -- -*`rsa.network.domain1`*:: + +*`rsa.storage.disk_volume`*:: + -- +A unique name assigned to logical units (volumes) within a physical disk + type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.storage.lun`*:: + -- +Logical Unit Number.This key is a very useful concept in Storage. + type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.storage.pwwn`*:: + -- +This uniquely identifies a port on a HBA. + type: keyword -- -*`rsa.network.host_orig`*:: + +*`rsa.physical.org_dst`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.physical.org_src`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. +This is used to capture the source organization based on the GEOPIP Maxmind database. 
type: keyword -- -*`rsa.network.vlan_name`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -This key should only be used to capture the name of the Virtual LAN +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.healthcare.patient_id`*:: + -- -This key captures the particular event activity(Ex:Logoff) +This key captures the unique ID for a patient type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.healthcare.patient_lname`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.healthcare.patient_mname`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.investigations.ec_outcome`*:: + +*`rsa.endpoint.host_state`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.investigations.event_cat`*:: +*`rsa.endpoint.registry_key`*:: + -- -This key captures the Event category number +This key captures the path to the registry key -type: long +type: keyword -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.endpoint.registry_value`*:: + -- -This key captures the event category name corresponding to the event cat code +This key captures values or decorators used within a registry entry type: keyword -- -*`rsa.investigations.event_vcat`*:: +[float] +=== fortinet + +Fields from fortinet FortiOS + + + +*`fortinet.file.hash.crc32`*:: + -- -This is a vendor supplied category. 
This should be used in situations where the vendor has adopted their own event_category taxonomy. +CRC32 Hash of file + type: keyword -- -*`rsa.investigations.analysis_file`*:: +[float] +=== firewall + +Module for parsing Fortinet syslog. + + + +*`fortinet.firewall.acct_stat`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +Accounting state (RADIUS) + type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`fortinet.firewall.acktime`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +Alarm Acknowledge Time + type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`fortinet.firewall.act`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +Action + type: keyword -- -*`rsa.investigations.boc`*:: +*`fortinet.firewall.action`*:: + -- -This is used to capture behaviour of compromise +Status of the session + type: keyword -- -*`rsa.investigations.eoc`*:: +*`fortinet.firewall.activity`*:: + -- -This is used to capture Enablers of Compromise +HA activity message + type: keyword -- -*`rsa.investigations.inv_category`*:: +*`fortinet.firewall.addr`*:: + -- -This used to capture investigation category +IP Address -type: keyword + +type: ip -- -*`rsa.investigations.inv_context`*:: +*`fortinet.firewall.addr_type`*:: + -- -This used to capture investigation context +Address Type + type: keyword -- -*`rsa.investigations.ioc`*:: +*`fortinet.firewall.addrgrp`*:: + -- -This is key capture indicator of compromise +Address Group + type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`fortinet.firewall.adgroup`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +AD Group Name -type: long + +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`fortinet.firewall.admin`*:: + -- -This is a 
generic counter key that should be used with the label dclass.c2.str only +Admin User -type: long + +type: keyword -- -*`rsa.counters.event_counter`*:: +*`fortinet.firewall.age`*:: + -- -This is used to capture the number of times an event repeated +Time in seconds - time passed since last seen -type: long + +type: integer -- -*`rsa.counters.dclass_r1`*:: +*`fortinet.firewall.agent`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +User agent - eg. agent="Mozilla/5.0" + type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`fortinet.firewall.alarmid`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +Alarm ID -type: long + +type: integer -- -*`rsa.counters.dclass_c1_str`*:: +*`fortinet.firewall.alert`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +Alert + type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`fortinet.firewall.analyticscksum`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +The checksum of the file submitted for analytics + type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`fortinet.firewall.analyticssubmit`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +The flag for analytics submission + type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`fortinet.firewall.ap`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +Access Point + type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`fortinet.firewall.app-type`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +Address Type + type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`fortinet.firewall.appact`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +The security action from app control + type: keyword -- -*`rsa.counters.dclass_r2_str`*:: 
+*`fortinet.firewall.appid`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +Application ID -type: keyword + +type: integer -- -*`rsa.counters.dclass_r3_str`*:: +*`fortinet.firewall.applist`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +Application Control profile + type: keyword -- - -*`rsa.identity.auth_method`*:: +*`fortinet.firewall.apprisk`*:: + -- -This key is used to capture authentication methods used only +Application Risk Level + type: keyword -- -*`rsa.identity.user_role`*:: +*`fortinet.firewall.apscan`*:: + -- -This key is used to capture the Role of a user only +The name of the AP, which scanned and detected the rogue AP + type: keyword -- -*`rsa.identity.dn`*:: +*`fortinet.firewall.apsn`*:: + -- -X.500 (LDAP) Distinguished Name +Access Point + type: keyword -- -*`rsa.identity.logon_type`*:: +*`fortinet.firewall.apstatus`*:: + -- -This key is used to capture the type of logon method used. 
+Access Point status + type: keyword -- -*`rsa.identity.profile`*:: +*`fortinet.firewall.aptype`*:: + -- -This key is used to capture the user profile +Access Point type + type: keyword -- -*`rsa.identity.accesses`*:: +*`fortinet.firewall.assigned`*:: + -- -This key is used to capture actual privileges used in accessing an object +Assigned IP Address -type: keyword + +type: ip -- -*`rsa.identity.realm`*:: +*`fortinet.firewall.assignip`*:: + -- -Radius realm or similar grouping of accounts +Assigned IP Address -type: keyword + +type: ip -- -*`rsa.identity.user_sid_dst`*:: +*`fortinet.firewall.attachment`*:: + -- -This key captures Destination User Session ID +The flag for email attachement + type: keyword -- -*`rsa.identity.dn_src`*:: +*`fortinet.firewall.attack`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +Attack Name + type: keyword -- -*`rsa.identity.org`*:: +*`fortinet.firewall.attackcontext`*:: + -- -This key captures the User organization +The trigger patterns and the packetdata with base64 encoding + type: keyword -- -*`rsa.identity.dn_dst`*:: +*`fortinet.firewall.attackcontextid`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +Attack context id / total + type: keyword -- -*`rsa.identity.firstname`*:: +*`fortinet.firewall.attackid`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +Attack ID -type: keyword + +type: integer -- -*`rsa.identity.lastname`*:: +*`fortinet.firewall.auditid`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +Audit ID -type: keyword + +type: long -- -*`rsa.identity.user_dept`*:: +*`fortinet.firewall.auditscore`*:: + -- -User's Department Names only +The Audit Score + type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`fortinet.firewall.audittime`*:: + -- -This key captures Source User Session ID +The 
time of the audit -type: keyword + +type: long -- -*`rsa.identity.federated_sp`*:: +*`fortinet.firewall.authgrp`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +Authorization Group + type: keyword -- -*`rsa.identity.federated_idp`*:: +*`fortinet.firewall.authid`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. +Authentication ID + type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`fortinet.firewall.authproto`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. +The protocol that initiated the authentication + type: keyword -- -*`rsa.identity.middlename`*:: +*`fortinet.firewall.authserver`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +Authentication server + type: keyword -- -*`rsa.identity.password`*:: +*`fortinet.firewall.bandwidth`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +Bandwidth + type: keyword -- -*`rsa.identity.host_role`*:: +*`fortinet.firewall.banned_rule`*:: + -- -This key should only be used to capture the role of a Host Machine +NAC quarantine Banned Rule Name + type: keyword -- -*`rsa.identity.ldap`*:: +*`fortinet.firewall.banned_src`*:: + -- -This key is for Uninterpreted LDAP values. 
Ldap Values that don’t have a clear query or response context +NAC quarantine Banned Source IP + type: keyword -- -*`rsa.identity.ldap_query`*:: +*`fortinet.firewall.banword`*:: + -- -This key is the Search criteria from an LDAP search +Banned word + type: keyword -- -*`rsa.identity.ldap_response`*:: +*`fortinet.firewall.botnetdomain`*:: + -- -This key is to capture Results from an LDAP search +Botnet Domain Name + type: keyword -- -*`rsa.identity.owner`*:: +*`fortinet.firewall.botnetip`*:: + -- -This is used to capture username the process or service is running as, the author of the task +Botnet IP Address -type: keyword + +type: ip -- -*`rsa.identity.service_account`*:: +*`fortinet.firewall.bssid`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage +Service Set ID + type: keyword -- - -*`rsa.email.email_dst`*:: +*`fortinet.firewall.call_id`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email +Caller ID + type: keyword -- -*`rsa.email.email_src`*:: +*`fortinet.firewall.carrier_ep`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +The FortiOS Carrier end-point identification + type: keyword -- -*`rsa.email.subject`*:: +*`fortinet.firewall.cat`*:: + -- -This key is used to capture the subject string from an Email only. +DNS category ID -type: keyword + +type: integer -- -*`rsa.email.email`*:: +*`fortinet.firewall.category`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +Authentication category + type: keyword -- -*`rsa.email.trans_from`*:: +*`fortinet.firewall.cc`*:: + -- -Deprecated key defined only in table map. +CC Email Address + type: keyword -- -*`rsa.email.trans_to`*:: +*`fortinet.firewall.cdrcontent`*:: + -- -Deprecated key defined only in table map. 
+Cdrcontent + type: keyword -- - -*`rsa.file.privilege`*:: +*`fortinet.firewall.centralnatid`*:: + -- -Deprecated, use permissions +Central NAT ID -type: keyword + +type: integer -- -*`rsa.file.attachment`*:: +*`fortinet.firewall.cert`*:: + -- -This key captures the attachment file name +Certificate + type: keyword -- -*`rsa.file.filesystem`*:: +*`fortinet.firewall.cert-type`*:: + -- +Certificate type + + type: keyword -- -*`rsa.file.binary`*:: +*`fortinet.firewall.certhash`*:: + -- -Deprecated key defined only in table map. +Certificate hash + type: keyword -- -*`rsa.file.filename_dst`*:: +*`fortinet.firewall.cfgattr`*:: + -- -This is used to capture name of the file targeted by the action +Configuration attribute + type: keyword -- -*`rsa.file.filename_src`*:: +*`fortinet.firewall.cfgobj`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +Configuration object + type: keyword -- -*`rsa.file.filename_tmp`*:: +*`fortinet.firewall.cfgpath`*:: + -- +Configuration path + + type: keyword -- -*`rsa.file.directory_dst`*:: +*`fortinet.firewall.cfgtid`*:: + -- -This key is used to capture the directory of the target process or file +Configuration transaction ID + type: keyword -- -*`rsa.file.directory_src`*:: +*`fortinet.firewall.cfgtxpower`*:: + -- -This key is used to capture the directory of the source process or file +Configuration TX power -type: keyword + +type: integer -- -*`rsa.file.file_entropy`*:: +*`fortinet.firewall.channel`*:: + -- -This is used to capture entropy vale of a file +Wireless Channel -type: double + +type: integer -- -*`rsa.file.file_vendor`*:: +*`fortinet.firewall.channeltype`*:: + -- -This is used to capture Company name of file located in version_info +SSH channel type + type: keyword -- -*`rsa.file.task_name`*:: +*`fortinet.firewall.chassisid`*:: + -- -This is used to capture name of the task +Chassis ID -type: keyword --- +type: integer +-- -*`rsa.web.fqdn`*:: +*`fortinet.firewall.checksum`*:: + 
-- -Fully Qualified Domain Names +The checksum of the scanned file + type: keyword -- -*`rsa.web.web_cookie`*:: +*`fortinet.firewall.chgheaders`*:: + -- -This key is used to capture the Web cookies specifically. +HTTP Headers + type: keyword -- -*`rsa.web.alias_host`*:: +*`fortinet.firewall.cldobjid`*:: + -- +Connector object ID + + type: keyword -- -*`rsa.web.reputation_num`*:: +*`fortinet.firewall.client_addr`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +Wifi client address -type: double + +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`fortinet.firewall.cloudaction`*:: + -- -Web referer's domain +Cloud Action + type: keyword -- -*`rsa.web.web_ref_query`*:: +*`fortinet.firewall.clouduser`*:: + -- -This key captures Web referer's query portion of the URL +Cloud User + type: keyword -- -*`rsa.web.remote_domain`*:: +*`fortinet.firewall.column`*:: + -- -type: keyword +VOIP Column + + +type: integer -- -*`rsa.web.web_ref_page`*:: +*`fortinet.firewall.command`*:: + -- -This key captures Web referer's page information +CLI Command + type: keyword -- -*`rsa.web.web_ref_root`*:: +*`fortinet.firewall.community`*:: + -- -Web referer's root URL path +SNMP Community + type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`fortinet.firewall.configcountry`*:: + -- -type: keyword +Configuration country --- -*`rsa.web.cn_rpackets`*:: -+ --- type: keyword -- -*`rsa.web.urlpage`*:: +*`fortinet.firewall.connection_type`*:: + -- -type: keyword +FortiClient Connection Type --- -*`rsa.web.urlroot`*:: -+ --- type: keyword -- -*`rsa.web.p_url`*:: +*`fortinet.firewall.conserve`*:: + -- -type: keyword +Flag for conserve mode --- -*`rsa.web.p_user_agent`*:: -+ --- type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`fortinet.firewall.constraint`*:: + -- +WAF http protocol restrictions + + type: keyword -- -*`rsa.web.p_web_method`*:: +*`fortinet.firewall.contentdisarmed`*:: + -- +Email scanned content + + type: keyword -- -*`rsa.web.p_web_referer`*:: 
+*`fortinet.firewall.contenttype`*:: + -- +Content Type from HTTP header + + type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`fortinet.firewall.cookies`*:: + -- +VPN Cookie + + type: keyword -- -*`rsa.web.web_page`*:: +*`fortinet.firewall.count`*:: + -- -type: keyword +Counts of action type --- +type: integer -*`rsa.threat.threat_category`*:: +-- + +*`fortinet.firewall.countapp`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +Number of App Ctrl logs associated with the session -type: keyword + +type: integer -- -*`rsa.threat.threat_desc`*:: +*`fortinet.firewall.countav`*:: + -- -This key is used to capture the threat description from the session directly or inferred +Number of AV logs associated with the session -type: keyword + +type: integer -- -*`rsa.threat.alert`*:: +*`fortinet.firewall.countcifs`*:: + -- -This key is used to capture name of the alert +Number of CIFS logs associated with the session -type: keyword + +type: integer -- -*`rsa.threat.threat_source`*:: +*`fortinet.firewall.countdlp`*:: + -- -This key is used to capture source of the threat +Number of DLP logs associated with the session -type: keyword --- +type: integer +-- -*`rsa.crypto.crypto`*:: +*`fortinet.firewall.countdns`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +Number of DNS logs associated with the session -type: keyword + +type: integer -- -*`rsa.crypto.cipher_src`*:: +*`fortinet.firewall.countemail`*:: + -- -This key is for Source (Client) Cipher +Number of email logs associated with the session -type: keyword + +type: integer -- -*`rsa.crypto.cert_subject`*:: +*`fortinet.firewall.countff`*:: + -- -This key is used to capture the Certificate organization only +Number of ff logs associated with the session -type: keyword + +type: integer -- -*`rsa.crypto.peer`*:: +*`fortinet.firewall.countips`*:: + -- -This key is for Encryption peer's IP Address +Number of IPS logs associated with the session -type: keyword + 
+type: integer -- -*`rsa.crypto.cipher_size_src`*:: +*`fortinet.firewall.countssh`*:: + -- -This key captures Source (Client) Cipher Size +Number of SSH logs associated with the session -type: long + +type: integer -- -*`rsa.crypto.ike`*:: +*`fortinet.firewall.countssl`*:: + -- -IKE negotiation phase. +Number of SSL logs associated with the session -type: keyword + +type: integer -- -*`rsa.crypto.scheme`*:: +*`fortinet.firewall.countwaf`*:: + -- -This key captures the Encryption scheme used +Number of WAF logs associated with the session -type: keyword + +type: integer -- -*`rsa.crypto.peer_id`*:: +*`fortinet.firewall.countweb`*:: + -- -This key is for Encryption peer’s identity +Number of Web filter logs associated with the session -type: keyword + +type: integer -- -*`rsa.crypto.sig_type`*:: +*`fortinet.firewall.cpu`*:: + -- -This key captures the Signature Type +CPU Usage -type: keyword + +type: integer -- -*`rsa.crypto.cert_issuer`*:: +*`fortinet.firewall.craction`*:: + -- -type: keyword +Client Reputation Action + + +type: integer -- -*`rsa.crypto.cert_host_name`*:: +*`fortinet.firewall.criticalcount`*:: + -- -Deprecated key defined only in table map. 
+Number of critical ratings -type: keyword + +type: integer -- -*`rsa.crypto.cert_error`*:: +*`fortinet.firewall.crl`*:: + -- -This key captures the Certificate Error String +Client Reputation Level + type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`fortinet.firewall.crlevel`*:: + -- -This key is for Destination (Server) Cipher +Client Reputation Level + type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`fortinet.firewall.crscore`*:: + -- -This key captures Destination (Server) Cipher Size +Some description -type: long + +type: integer -- -*`rsa.crypto.ssl_ver_src`*:: +*`fortinet.firewall.cveid`*:: + -- -Deprecated, use version +CVE ID + type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`fortinet.firewall.daemon`*:: + -- -type: keyword +Daemon name --- -*`rsa.crypto.s_certauth`*:: -+ --- type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`fortinet.firewall.datarange`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +Data range for reports + type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`fortinet.firewall.date`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +Date + type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`fortinet.firewall.ddnsserver`*:: + -- -type: keyword +DDNS server + + +type: ip -- -*`rsa.crypto.cert_host_cat`*:: +*`fortinet.firewall.desc`*:: + -- -This key is used for the hostname category value of a certificate +Description + type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`fortinet.firewall.detectionmethod`*:: + -- -This key is used to capture the Certificate serial number only +Detection method + type: keyword -- -*`rsa.crypto.cert_status`*:: +*`fortinet.firewall.devcategory`*:: + -- -This key captures Certificate validation status +Device category + type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`fortinet.firewall.devintfname`*:: + -- -Deprecated, use version +HA device Interface Name + type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`fortinet.firewall.devtype`*:: + -- -type: keyword +Device type --- 
-*`rsa.crypto.cert_username`*:: -+ --- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`fortinet.firewall.dhcp_msg`*:: + -- +DHCP Message + + type: keyword -- -*`rsa.crypto.https_valid`*:: +*`fortinet.firewall.dintf`*:: + -- +Destination interface + + type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`fortinet.firewall.disk`*:: + -- -This key is used to capture the Certificate signing authority only +Assosciated disk + type: keyword -- -*`rsa.crypto.cert_common`*:: +*`fortinet.firewall.disklograte`*:: + -- -This key is used to capture the Certificate common name only +Disk logging rate -type: keyword --- +type: long +-- -*`rsa.wireless.wlan_ssid`*:: +*`fortinet.firewall.dlpextra`*:: + -- -This key is used to capture the ssid of a Wireless Session +DLP extra information + type: keyword -- -*`rsa.wireless.access_point`*:: +*`fortinet.firewall.docsource`*:: + -- -This key is used to capture the access point name. +DLP fingerprint document source + type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`fortinet.firewall.domainctrlauthstate`*:: + -- -This is used to capture the channel names +CIFS domain auth state -type: long + +type: integer -- -*`rsa.wireless.wlan_name`*:: +*`fortinet.firewall.domainctrlauthtype`*:: + -- -This key captures either WLAN number/name +CIFS domain auth type -type: keyword --- +type: integer +-- -*`rsa.storage.disk_volume`*:: +*`fortinet.firewall.domainctrldomain`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +CIFS domain auth domain + type: keyword -- -*`rsa.storage.lun`*:: +*`fortinet.firewall.domainctrlip`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +CIFS Domain IP -type: keyword + +type: ip -- -*`rsa.storage.pwwn`*:: +*`fortinet.firewall.domainctrlname`*:: + -- -This uniquely identifies a port on a HBA. 
+CIFS Domain name + type: keyword -- - -*`rsa.physical.org_dst`*:: +*`fortinet.firewall.domainctrlprotocoltype`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +CIFS Domain connection protocol -type: keyword + +type: integer -- -*`rsa.physical.org_src`*:: +*`fortinet.firewall.domainctrlusername`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +CIFS Domain username + type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`fortinet.firewall.domainfilteridx`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +Domain filter ID -type: keyword + +type: integer -- -*`rsa.healthcare.patient_id`*:: +*`fortinet.firewall.domainfilterlist`*:: + -- -This key captures the unique ID for a patient +Domain filter name + type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`fortinet.firewall.ds`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +Direction with distribution system + type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`fortinet.firewall.dst_int`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +Destination interface + type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`fortinet.firewall.dstintfrole`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +Destination interface role + type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`fortinet.firewall.dstcountry`*:: + -- -This key captures the path to the registry key +Destination country + type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`fortinet.firewall.dstdevcategory`*:: + -- -This key captures values or decorators used within a registry entry +Destination device category + type: keyword -- -[float] -=== fortinet - -Fields from 
fortinet FortiOS - - - -*`fortinet.file.hash.crc32`*:: +*`fortinet.firewall.dstdevtype`*:: + -- -CRC32 Hash of file +Destination device type type: keyword -- -[float] -=== firewall - -Module for parsing Fortinet syslog. - - - -*`fortinet.firewall.acct_stat`*:: +*`fortinet.firewall.dstfamily`*:: + -- -Accounting state (RADIUS) +Destination OS family type: keyword -- -*`fortinet.firewall.acktime`*:: +*`fortinet.firewall.dsthwvendor`*:: + -- -Alarm Acknowledge Time +Destination HW vendor type: keyword -- -*`fortinet.firewall.act`*:: +*`fortinet.firewall.dsthwversion`*:: + -- -Action +Destination HW version type: keyword -- -*`fortinet.firewall.action`*:: +*`fortinet.firewall.dstinetsvc`*:: + -- -Status of the session +Destination interface service type: keyword -- -*`fortinet.firewall.activity`*:: +*`fortinet.firewall.dstosname`*:: + -- -HA activity message +Destination OS name type: keyword -- -*`fortinet.firewall.addr`*:: +*`fortinet.firewall.dstosversion`*:: + -- -IP Address +Destination OS version -type: ip +type: keyword -- -*`fortinet.firewall.addr_type`*:: +*`fortinet.firewall.dstserver`*:: + -- -Address Type +Destination server -type: keyword +type: integer -- -*`fortinet.firewall.addrgrp`*:: +*`fortinet.firewall.dstssid`*:: + -- -Address Group +Destination SSID type: keyword -- -*`fortinet.firewall.adgroup`*:: +*`fortinet.firewall.dstswversion`*:: + -- -AD Group Name +Destination software version type: keyword -- -*`fortinet.firewall.admin`*:: +*`fortinet.firewall.dstunauthusersource`*:: + -- -Admin User +Destination unauthenticated source type: keyword -- -*`fortinet.firewall.age`*:: +*`fortinet.firewall.dstuuid`*:: + -- -Time in seconds - time passed since last seen +UUID of the Destination IP address -type: integer +type: keyword -- -*`fortinet.firewall.agent`*:: +*`fortinet.firewall.duid`*:: + -- -User agent - eg. 
agent="Mozilla/5.0" +DHCP UID type: keyword -- -*`fortinet.firewall.alarmid`*:: +*`fortinet.firewall.eapolcnt`*:: + -- -Alarm ID +EAPOL packet count type: integer -- -*`fortinet.firewall.alert`*:: +*`fortinet.firewall.eapoltype`*:: + -- -Alert +EAPOL packet type type: keyword -- -*`fortinet.firewall.analyticscksum`*:: +*`fortinet.firewall.encrypt`*:: + -- -The checksum of the file submitted for analytics +Whether the packet is encrypted or not -type: keyword +type: integer -- -*`fortinet.firewall.analyticssubmit`*:: +*`fortinet.firewall.encryption`*:: + -- -The flag for analytics submission +Encryption method type: keyword -- -*`fortinet.firewall.ap`*:: +*`fortinet.firewall.epoch`*:: + -- -Access Point +Epoch used for locating file -type: keyword +type: integer -- -*`fortinet.firewall.app-type`*:: +*`fortinet.firewall.espauth`*:: + -- -Address Type +ESP Authentication type: keyword -- -*`fortinet.firewall.appact`*:: +*`fortinet.firewall.esptransform`*:: + -- -The security action from app control +ESP Transform type: keyword -- -*`fortinet.firewall.appid`*:: +*`fortinet.firewall.eventtype`*:: + -- -Application ID +UTM Event Type -type: integer +type: keyword -- -*`fortinet.firewall.applist`*:: +*`fortinet.firewall.exch`*:: + -- -Application Control profile +Mail Exchanges from DNS response answer section type: keyword -- -*`fortinet.firewall.apprisk`*:: +*`fortinet.firewall.exchange`*:: + -- -Application Risk Level +Mail Exchanges from DNS response answer section type: keyword -- -*`fortinet.firewall.apscan`*:: +*`fortinet.firewall.expectedsignature`*:: + -- -The name of the AP, which scanned and detected the rogue AP +Expected SSL signature type: keyword -- -*`fortinet.firewall.apsn`*:: +*`fortinet.firewall.expiry`*:: + -- -Access Point +FortiGuard override expiry timestamp type: keyword -- -*`fortinet.firewall.apstatus`*:: +*`fortinet.firewall.fams_pause`*:: + -- -Access Point status +Fortinet Analysis and Management Service Pause -type: keyword +type: integer -- 
-*`fortinet.firewall.aptype`*:: +*`fortinet.firewall.fazlograte`*:: + -- -Access Point type +FortiAnalyzer Logging Rate -type: keyword +type: long -- -*`fortinet.firewall.assigned`*:: +*`fortinet.firewall.fctemssn`*:: + -- -Assigned IP Address +FortiClient Endpoint SSN -type: ip +type: keyword -- -*`fortinet.firewall.assignip`*:: +*`fortinet.firewall.fctuid`*:: + -- -Assigned IP Address +FortiClient UID -type: ip +type: keyword -- -*`fortinet.firewall.attachment`*:: +*`fortinet.firewall.field`*:: + -- -The flag for email attachement +NTP status field type: keyword -- -*`fortinet.firewall.attack`*:: +*`fortinet.firewall.filefilter`*:: + -- -Attack Name +The filter used to identify the affected file type: keyword -- -*`fortinet.firewall.attackcontext`*:: +*`fortinet.firewall.filehashsrc`*:: + -- -The trigger patterns and the packetdata with base64 encoding +Filehash source type: keyword -- -*`fortinet.firewall.attackcontextid`*:: +*`fortinet.firewall.filtercat`*:: + -- -Attack context id / total +DLP filter category type: keyword -- -*`fortinet.firewall.attackid`*:: +*`fortinet.firewall.filteridx`*:: + -- -Attack ID +DLP filter ID type: integer -- -*`fortinet.firewall.auditid`*:: +*`fortinet.firewall.filtername`*:: + -- -Audit ID +DLP rule name -type: long +type: keyword -- -*`fortinet.firewall.auditscore`*:: +*`fortinet.firewall.filtertype`*:: + -- -The Audit Score +DLP filter type type: keyword -- -*`fortinet.firewall.audittime`*:: +*`fortinet.firewall.fortiguardresp`*:: + -- -The time of the audit +Antispam ESP value -type: long +type: keyword -- -*`fortinet.firewall.authgrp`*:: +*`fortinet.firewall.forwardedfor`*:: + -- -Authorization Group +Email address forwarded type: keyword -- -*`fortinet.firewall.authid`*:: +*`fortinet.firewall.fqdn`*:: + -- -Authentication ID +FQDN type: keyword -- -*`fortinet.firewall.authproto`*:: +*`fortinet.firewall.frametype`*:: + -- -The protocol that initiated the authentication +Wireless frametype type: keyword -- 
-*`fortinet.firewall.authserver`*:: +*`fortinet.firewall.freediskstorage`*:: + -- -Authentication server +Free disk integer -type: keyword +type: integer -- -*`fortinet.firewall.bandwidth`*:: +*`fortinet.firewall.from`*:: + -- -Bandwidth +From email address type: keyword -- -*`fortinet.firewall.banned_rule`*:: +*`fortinet.firewall.from_vcluster`*:: + -- -NAC quarantine Banned Rule Name +Source virtual cluster number + + +type: integer + +-- + +*`fortinet.firewall.fsaverdict`*:: ++ +-- +FSA verdict type: keyword -- -*`fortinet.firewall.banned_src`*:: +*`fortinet.firewall.fwserver_name`*:: + -- -NAC quarantine Banned Source IP +Web proxy server name type: keyword -- -*`fortinet.firewall.banword`*:: +*`fortinet.firewall.gateway`*:: + -- -Banned word +Gateway ip address for PPPoE status report -type: keyword +type: ip -- -*`fortinet.firewall.botnetdomain`*:: +*`fortinet.firewall.green`*:: + -- -Botnet Domain Name +Memory status type: keyword -- -*`fortinet.firewall.botnetip`*:: +*`fortinet.firewall.groupid`*:: + -- -Botnet IP Address +User Group ID -type: ip +type: integer -- -*`fortinet.firewall.bssid`*:: +*`fortinet.firewall.ha-prio`*:: + -- -Service Set ID +HA Priority -type: keyword +type: integer -- -*`fortinet.firewall.call_id`*:: +*`fortinet.firewall.ha_group`*:: + -- -Caller ID +HA Group type: keyword -- -*`fortinet.firewall.carrier_ep`*:: +*`fortinet.firewall.ha_role`*:: + -- -The FortiOS Carrier end-point identification +HA Role type: keyword -- -*`fortinet.firewall.cat`*:: +*`fortinet.firewall.handshake`*:: + -- -DNS category ID +SSL Handshake -type: integer +type: keyword -- -*`fortinet.firewall.category`*:: +*`fortinet.firewall.hash`*:: + -- -Authentication category +Hash value of downloaded file type: keyword -- -*`fortinet.firewall.cc`*:: +*`fortinet.firewall.hbdn_reason`*:: + -- -CC Email Address +Heartbeat down reason type: keyword -- -*`fortinet.firewall.cdrcontent`*:: +*`fortinet.firewall.highcount`*:: + -- -Cdrcontent +Highcount fabric summary 
-type: keyword +type: integer -- -*`fortinet.firewall.centralnatid`*:: +*`fortinet.firewall.host`*:: + -- -Central NAT ID +Hostname -type: integer +type: keyword -- -*`fortinet.firewall.cert`*:: +*`fortinet.firewall.iaid`*:: + -- -Certificate +DHCPv6 id type: keyword -- -*`fortinet.firewall.cert-type`*:: +*`fortinet.firewall.icmpcode`*:: + -- -Certificate type +Destination Port of the ICMP message type: keyword -- -*`fortinet.firewall.certhash`*:: +*`fortinet.firewall.icmpid`*:: + -- -Certificate hash +Source port of the ICMP message type: keyword -- -*`fortinet.firewall.cfgattr`*:: +*`fortinet.firewall.icmptype`*:: + -- -Configuration attribute +The type of ICMP message type: keyword -- -*`fortinet.firewall.cfgobj`*:: +*`fortinet.firewall.identifier`*:: + -- -Configuration object +Network traffic identifier -type: keyword +type: integer -- -*`fortinet.firewall.cfgpath`*:: +*`fortinet.firewall.in_spi`*:: + -- -Configuration path +IPSEC inbound SPI type: keyword -- -*`fortinet.firewall.cfgtid`*:: +*`fortinet.firewall.incidentserialno`*:: + -- -Configuration transaction ID +Incident serial number -type: keyword +type: integer -- -*`fortinet.firewall.cfgtxpower`*:: +*`fortinet.firewall.infected`*:: + -- -Configuration TX power +Infected MMS type: integer -- -*`fortinet.firewall.channel`*:: +*`fortinet.firewall.infectedfilelevel`*:: + -- -Wireless Channel +DLP infected file level type: integer -- -*`fortinet.firewall.channeltype`*:: +*`fortinet.firewall.informationsource`*:: + -- -SSH channel type +Information source type: keyword -- -*`fortinet.firewall.chassisid`*:: +*`fortinet.firewall.init`*:: + -- -Chassis ID +IPSEC init stage -type: integer +type: keyword -- -*`fortinet.firewall.checksum`*:: +*`fortinet.firewall.initiator`*:: + -- -The checksum of the scanned file +Original login user name for Fortiguard override type: keyword -- -*`fortinet.firewall.chgheaders`*:: +*`fortinet.firewall.interface`*:: + -- -HTTP Headers +Related interface type: keyword -- 
-*`fortinet.firewall.cldobjid`*:: +*`fortinet.firewall.intf`*:: + -- -Connector object ID +Related interface type: keyword -- -*`fortinet.firewall.client_addr`*:: +*`fortinet.firewall.invalidmac`*:: + -- -Wifi client address +The MAC address with invalid OUI type: keyword -- -*`fortinet.firewall.cloudaction`*:: +*`fortinet.firewall.ip`*:: + -- -Cloud Action +Related IP -type: keyword +type: ip -- -*`fortinet.firewall.clouduser`*:: +*`fortinet.firewall.iptype`*:: + -- -Cloud User +Related IP type type: keyword -- -*`fortinet.firewall.column`*:: +*`fortinet.firewall.keyword`*:: + -- -VOIP Column +Keyword used for search -type: integer +type: keyword -- -*`fortinet.firewall.command`*:: +*`fortinet.firewall.kind`*:: + -- -CLI Command +VOIP kind type: keyword -- -*`fortinet.firewall.community`*:: +*`fortinet.firewall.lanin`*:: + -- -SNMP Community +LAN incoming traffic in bytes -type: keyword +type: long -- -*`fortinet.firewall.configcountry`*:: +*`fortinet.firewall.lanout`*:: + -- -Configuration country +LAN outbound traffic in bytes -type: keyword +type: long -- -*`fortinet.firewall.connection_type`*:: +*`fortinet.firewall.lease`*:: + -- -FortiClient Connection Type +DHCP lease -type: keyword +type: integer -- -*`fortinet.firewall.conserve`*:: +*`fortinet.firewall.license_limit`*:: + -- -Flag for conserve mode +Maximum Number of FortiClients for the License type: keyword -- -*`fortinet.firewall.constraint`*:: +*`fortinet.firewall.limit`*:: + -- -WAF http protocol restrictions +Virtual Domain Resource Limit -type: keyword +type: integer -- -*`fortinet.firewall.contentdisarmed`*:: +*`fortinet.firewall.line`*:: + -- -Email scanned content +VOIP line type: keyword -- -*`fortinet.firewall.contenttype`*:: +*`fortinet.firewall.live`*:: + -- -Content Type from HTTP header +Time in seconds -type: keyword +type: integer -- -*`fortinet.firewall.cookies`*:: +*`fortinet.firewall.local`*:: + -- -VPN Cookie +Local IP for a PPPD Connection -type: keyword +type: ip -- 
-*`fortinet.firewall.count`*:: +*`fortinet.firewall.log`*:: + -- -Counts of action type +Log message -type: integer +type: keyword -- -*`fortinet.firewall.countapp`*:: +*`fortinet.firewall.login`*:: + -- -Number of App Ctrl logs associated with the session +SSH login -type: integer +type: keyword -- -*`fortinet.firewall.countav`*:: +*`fortinet.firewall.lowcount`*:: + -- -Number of AV logs associated with the session +Fabric lowcount type: integer -- -*`fortinet.firewall.countcifs`*:: +*`fortinet.firewall.mac`*:: + -- -Number of CIFS logs associated with the session +DHCP mac address -type: integer +type: keyword -- -*`fortinet.firewall.countdlp`*:: +*`fortinet.firewall.malform_data`*:: + -- -Number of DLP logs associated with the session +VOIP malformed data type: integer -- -*`fortinet.firewall.countdns`*:: +*`fortinet.firewall.malform_desc`*:: + -- -Number of DNS logs associated with the session +VOIP malformed data description -type: integer +type: keyword -- -*`fortinet.firewall.countemail`*:: +*`fortinet.firewall.manuf`*:: + -- -Number of email logs associated with the session +Manufacturer name -type: integer +type: keyword -- -*`fortinet.firewall.countff`*:: +*`fortinet.firewall.masterdstmac`*:: + -- -Number of ff logs associated with the session +Master mac address for a host with multiple network interfaces -type: integer +type: keyword -- -*`fortinet.firewall.countips`*:: +*`fortinet.firewall.mastersrcmac`*:: + -- -Number of IPS logs associated with the session +The master MAC address for a host that has multiple network interfaces -type: integer +type: keyword -- -*`fortinet.firewall.countssh`*:: +*`fortinet.firewall.mediumcount`*:: + -- -Number of SSH logs associated with the session +Fabric medium count type: integer -- -*`fortinet.firewall.countssl`*:: +*`fortinet.firewall.mem`*:: + -- -Number of SSL logs associated with the session +Memory usage system statistics type: integer -- -*`fortinet.firewall.countwaf`*:: +*`fortinet.firewall.meshmode`*:: + 
-- -Number of WAF logs associated with the session +Wireless mesh mode -type: integer +type: keyword -- -*`fortinet.firewall.countweb`*:: +*`fortinet.firewall.message_type`*:: + -- -Number of Web filter logs associated with the session +VOIP message type -type: integer +type: keyword -- -*`fortinet.firewall.cpu`*:: +*`fortinet.firewall.method`*:: + -- -CPU Usage +HTTP method -type: integer +type: keyword -- -*`fortinet.firewall.craction`*:: +*`fortinet.firewall.mgmtcnt`*:: + -- -Client Reputation Action +The number of unauthorized client flooding managemet frames type: integer -- -*`fortinet.firewall.criticalcount`*:: +*`fortinet.firewall.mode`*:: + -- -Number of critical ratings +IPSEC mode -type: integer +type: keyword -- -*`fortinet.firewall.crl`*:: +*`fortinet.firewall.module`*:: + -- -Client Reputation Level +PCI-DSS module type: keyword -- -*`fortinet.firewall.crlevel`*:: +*`fortinet.firewall.monitor-name`*:: + -- -Client Reputation Level +Health Monitor Name type: keyword -- -*`fortinet.firewall.crscore`*:: +*`fortinet.firewall.monitor-type`*:: + -- -Some description +Health Monitor Type -type: integer +type: keyword -- -*`fortinet.firewall.cveid`*:: +*`fortinet.firewall.mpsk`*:: + -- -CVE ID +Wireless MPSK type: keyword -- -*`fortinet.firewall.daemon`*:: +*`fortinet.firewall.msgproto`*:: + -- -Daemon name +Message Protocol Number type: keyword -- -*`fortinet.firewall.datarange`*:: +*`fortinet.firewall.mtu`*:: + -- -Data range for reports +Max Transmission Unit Value -type: keyword +type: integer -- -*`fortinet.firewall.date`*:: +*`fortinet.firewall.name`*:: + -- -Date +Name type: keyword -- -*`fortinet.firewall.ddnsserver`*:: +*`fortinet.firewall.nat`*:: + -- -DDNS server +NAT IP Address -type: ip +type: keyword -- -*`fortinet.firewall.desc`*:: +*`fortinet.firewall.netid`*:: + -- -Description +Connector NetID type: keyword -- -*`fortinet.firewall.detectionmethod`*:: +*`fortinet.firewall.new_status`*:: + -- -Detection method +New status on user change type: 
keyword -- -*`fortinet.firewall.devcategory`*:: +*`fortinet.firewall.new_value`*:: + -- -Device category +New Virtual Domain Name type: keyword -- -*`fortinet.firewall.devintfname`*:: +*`fortinet.firewall.newchannel`*:: + -- -HA device Interface Name +New Channel Number -type: keyword +type: integer -- -*`fortinet.firewall.devtype`*:: +*`fortinet.firewall.newchassisid`*:: + -- -Device type +New Chassis ID -type: keyword +type: integer -- -*`fortinet.firewall.dhcp_msg`*:: +*`fortinet.firewall.newslot`*:: + -- -DHCP Message +New Slot Number -type: keyword +type: integer -- -*`fortinet.firewall.dintf`*:: +*`fortinet.firewall.nextstat`*:: + -- -Destination interface +Time interval in seconds for the next statistics. -type: keyword +type: integer -- -*`fortinet.firewall.disk`*:: +*`fortinet.firewall.nf_type`*:: + -- -Assosciated disk +Notification Type type: keyword -- -*`fortinet.firewall.disklograte`*:: +*`fortinet.firewall.noise`*:: + -- -Disk logging rate +Wifi Noise -type: long +type: integer -- -*`fortinet.firewall.dlpextra`*:: +*`fortinet.firewall.old_status`*:: + -- -DLP extra information +Original Status type: keyword -- -*`fortinet.firewall.docsource`*:: +*`fortinet.firewall.old_value`*:: + -- -DLP fingerprint document source +Original Virtual Domain name type: keyword -- -*`fortinet.firewall.domainctrlauthstate`*:: +*`fortinet.firewall.oldchannel`*:: + -- -CIFS domain auth state +Original channel type: integer -- -*`fortinet.firewall.domainctrlauthtype`*:: +*`fortinet.firewall.oldchassisid`*:: + -- -CIFS domain auth type +Original Chassis Number type: integer -- -*`fortinet.firewall.domainctrldomain`*:: +*`fortinet.firewall.oldslot`*:: + -- -CIFS domain auth domain +Original Slot Number -type: keyword +type: integer -- -*`fortinet.firewall.domainctrlip`*:: +*`fortinet.firewall.oldsn`*:: + -- -CIFS Domain IP +Old Serial number -type: ip +type: keyword -- -*`fortinet.firewall.domainctrlname`*:: +*`fortinet.firewall.oldwprof`*:: + -- -CIFS Domain name +Old Web 
Filter Profile type: keyword -- -*`fortinet.firewall.domainctrlprotocoltype`*:: +*`fortinet.firewall.onwire`*:: + -- -CIFS Domain connection protocol +A flag to indicate if the AP is onwire or not -type: integer +type: keyword -- -*`fortinet.firewall.domainctrlusername`*:: +*`fortinet.firewall.opercountry`*:: + -- -CIFS Domain username +Operating Country type: keyword -- -*`fortinet.firewall.domainfilteridx`*:: +*`fortinet.firewall.opertxpower`*:: + -- -Domain filter ID +Operating TX power type: integer -- -*`fortinet.firewall.domainfilterlist`*:: +*`fortinet.firewall.osname`*:: + -- -Domain filter name +Operating System name type: keyword -- -*`fortinet.firewall.ds`*:: +*`fortinet.firewall.osversion`*:: + -- -Direction with distribution system +Operating System version type: keyword -- -*`fortinet.firewall.dst_int`*:: +*`fortinet.firewall.out_spi`*:: + -- -Destination interface +Out SPI type: keyword -- -*`fortinet.firewall.dstintfrole`*:: +*`fortinet.firewall.outintf`*:: + -- -Destination interface role +Out interface type: keyword -- -*`fortinet.firewall.dstcountry`*:: +*`fortinet.firewall.passedcount`*:: + -- -Destination country +Fabric passed count -type: keyword +type: integer -- -*`fortinet.firewall.dstdevcategory`*:: +*`fortinet.firewall.passwd`*:: + -- -Destination device category +Changed user password information type: keyword -- -*`fortinet.firewall.dstdevtype`*:: +*`fortinet.firewall.path`*:: + -- -Destination device type +Path of looped configuration for security fabric type: keyword -- -*`fortinet.firewall.dstfamily`*:: +*`fortinet.firewall.peer`*:: + -- -Destination OS family +WAN optimization peer type: keyword -- -*`fortinet.firewall.dsthwvendor`*:: +*`fortinet.firewall.peer_notif`*:: + -- -Destination HW vendor +VPN peer notification type: keyword -- -*`fortinet.firewall.dsthwversion`*:: +*`fortinet.firewall.phase2_name`*:: + -- -Destination HW version +VPN phase2 name type: keyword -- -*`fortinet.firewall.dstinetsvc`*:: 
+*`fortinet.firewall.phone`*:: + -- -Destination interface service +VOIP Phone type: keyword -- -*`fortinet.firewall.dstosname`*:: +*`fortinet.firewall.pid`*:: + -- -Destination OS name +Process ID + + +type: integer + +-- + +*`fortinet.firewall.policytype`*:: ++ +-- +Policy Type type: keyword -- -*`fortinet.firewall.dstosversion`*:: +*`fortinet.firewall.poolname`*:: + -- -Destination OS version +IP Pool name type: keyword -- -*`fortinet.firewall.dstserver`*:: +*`fortinet.firewall.port`*:: + -- -Destination server +Log upload error port type: integer -- -*`fortinet.firewall.dstssid`*:: +*`fortinet.firewall.portbegin`*:: + -- -Destination SSID +IP Pool port number to begin -type: keyword +type: integer -- -*`fortinet.firewall.dstswversion`*:: +*`fortinet.firewall.portend`*:: + -- -Destination software version +IP Pool port number to end -type: keyword +type: integer -- -*`fortinet.firewall.dstunauthusersource`*:: +*`fortinet.firewall.probeproto`*:: + -- -Destination unauthenticated source +Link Monitor Probe Protocol type: keyword -- -*`fortinet.firewall.dstuuid`*:: +*`fortinet.firewall.process`*:: + -- -UUID of the Destination IP address +URL Filter process type: keyword -- -*`fortinet.firewall.duid`*:: +*`fortinet.firewall.processtime`*:: + -- -DHCP UID +Process time for reports -type: keyword +type: integer -- -*`fortinet.firewall.eapolcnt`*:: +*`fortinet.firewall.profile`*:: + -- -EAPOL packet count +Profile Name -type: integer +type: keyword -- -*`fortinet.firewall.eapoltype`*:: +*`fortinet.firewall.profile_vd`*:: + -- -EAPOL packet type +Virtual Domain Name type: keyword -- -*`fortinet.firewall.encrypt`*:: +*`fortinet.firewall.profilegroup`*:: + -- -Whether the packet is encrypted or not +Profile Group Name -type: integer +type: keyword -- -*`fortinet.firewall.encryption`*:: +*`fortinet.firewall.profiletype`*:: + -- -Encryption method +Profile Type type: keyword -- -*`fortinet.firewall.epoch`*:: +*`fortinet.firewall.qtypeval`*:: + -- -Epoch used for locating 
file +DNS question type value type: integer -- -*`fortinet.firewall.espauth`*:: +*`fortinet.firewall.quarskip`*:: + -- -ESP Authentication +Quarantine skip explanation type: keyword -- -*`fortinet.firewall.esptransform`*:: +*`fortinet.firewall.quotaexceeded`*:: + -- -ESP Transform +If quota has been exceeded type: keyword -- -*`fortinet.firewall.eventtype`*:: +*`fortinet.firewall.quotamax`*:: + -- -UTM Event Type +Maximum quota allowed - in seconds if time-based - in bytes if traffic-based -type: keyword +type: long -- -*`fortinet.firewall.exch`*:: +*`fortinet.firewall.quotatype`*:: + -- -Mail Exchanges from DNS response answer section +Quota type type: keyword -- -*`fortinet.firewall.exchange`*:: +*`fortinet.firewall.quotaused`*:: + -- -Mail Exchanges from DNS response answer section +Quota used - in seconds if time-based - in bytes if trafficbased) -type: keyword +type: long -- -*`fortinet.firewall.expectedsignature`*:: +*`fortinet.firewall.radioband`*:: + -- -Expected SSL signature +Radio band type: keyword -- -*`fortinet.firewall.expiry`*:: +*`fortinet.firewall.radioid`*:: + -- -FortiGuard override expiry timestamp +Radio ID -type: keyword +type: integer -- -*`fortinet.firewall.fams_pause`*:: +*`fortinet.firewall.radioidclosest`*:: + -- -Fortinet Analysis and Management Service Pause +Radio ID on the AP closest the rogue AP type: integer -- -*`fortinet.firewall.fazlograte`*:: +*`fortinet.firewall.radioiddetected`*:: + -- -FortiAnalyzer Logging Rate +Radio ID on the AP which detected the rogue AP -type: long +type: integer -- -*`fortinet.firewall.fctemssn`*:: +*`fortinet.firewall.rate`*:: + -- -FortiClient Endpoint SSN +Wireless rogue rate value type: keyword -- -*`fortinet.firewall.fctuid`*:: +*`fortinet.firewall.rawdata`*:: + -- -FortiClient UID +Raw data value type: keyword -- -*`fortinet.firewall.field`*:: +*`fortinet.firewall.rawdataid`*:: + -- -NTP status field +Raw data ID type: keyword -- -*`fortinet.firewall.filefilter`*:: 
+*`fortinet.firewall.rcvddelta`*:: + -- -The filter used to identify the affected file +Received bytes delta type: keyword -- -*`fortinet.firewall.filehashsrc`*:: +*`fortinet.firewall.reason`*:: + -- -Filehash source +Alert reason type: keyword -- -*`fortinet.firewall.filtercat`*:: +*`fortinet.firewall.received`*:: + -- -DLP filter category +Server key exchange received -type: keyword +type: integer -- -*`fortinet.firewall.filteridx`*:: +*`fortinet.firewall.receivedsignature`*:: + -- -DLP filter ID +Server key exchange received signature -type: integer +type: keyword -- -*`fortinet.firewall.filtername`*:: +*`fortinet.firewall.red`*:: + -- -DLP rule name +Memory information in red type: keyword -- -*`fortinet.firewall.filtertype`*:: +*`fortinet.firewall.referralurl`*:: + -- -DLP filter type +Web filter referralurl type: keyword -- -*`fortinet.firewall.fortiguardresp`*:: +*`fortinet.firewall.remote`*:: + -- -Antispam ESP value +Remote PPP IP address -type: keyword +type: ip -- -*`fortinet.firewall.forwardedfor`*:: +*`fortinet.firewall.remotewtptime`*:: + -- -Email address forwarded +Remote Wifi Radius authentication time type: keyword -- -*`fortinet.firewall.fqdn`*:: +*`fortinet.firewall.reporttype`*:: + -- -FQDN +Report type type: keyword -- -*`fortinet.firewall.frametype`*:: +*`fortinet.firewall.reqtype`*:: + -- -Wireless frametype +Request type type: keyword -- -*`fortinet.firewall.freediskstorage`*:: +*`fortinet.firewall.request_name`*:: + -- -Free disk integer +VOIP request name -type: integer +type: keyword -- -*`fortinet.firewall.from`*:: +*`fortinet.firewall.result`*:: + -- -From email address +VPN phase result type: keyword -- -*`fortinet.firewall.from_vcluster`*:: +*`fortinet.firewall.role`*:: + -- -Source virtual cluster number +VPN Phase 2 role -type: integer +type: keyword -- -*`fortinet.firewall.fsaverdict`*:: +*`fortinet.firewall.rssi`*:: + -- -FSA verdict +Received signal strength indicator -type: keyword +type: integer -- 
-*`fortinet.firewall.fwserver_name`*:: +*`fortinet.firewall.rsso_key`*:: + -- -Web proxy server name +RADIUS SSO attribute value type: keyword -- -*`fortinet.firewall.gateway`*:: +*`fortinet.firewall.ruledata`*:: + -- -Gateway ip address for PPPoE status report +Rule data -type: ip +type: keyword -- -*`fortinet.firewall.green`*:: +*`fortinet.firewall.ruletype`*:: + -- -Memory status +Rule type type: keyword -- -*`fortinet.firewall.groupid`*:: +*`fortinet.firewall.scanned`*:: + -- -User Group ID +Number of Scanned MMSs type: integer -- -*`fortinet.firewall.ha-prio`*:: +*`fortinet.firewall.scantime`*:: + -- -HA Priority +Scanned time -type: integer +type: long -- -*`fortinet.firewall.ha_group`*:: +*`fortinet.firewall.scope`*:: + -- -HA Group +FortiGuard Override Scope type: keyword -- -*`fortinet.firewall.ha_role`*:: +*`fortinet.firewall.security`*:: + -- -HA Role +Wireless rogue security type: keyword -- -*`fortinet.firewall.handshake`*:: +*`fortinet.firewall.sensitivity`*:: + -- -SSL Handshake +Sensitivity for document fingerprint type: keyword -- -*`fortinet.firewall.hash`*:: +*`fortinet.firewall.sensor`*:: + -- -Hash value of downloaded file +NAC Sensor Name type: keyword -- -*`fortinet.firewall.hbdn_reason`*:: +*`fortinet.firewall.sentdelta`*:: + -- -Heartbeat down reason +Sent bytes delta type: keyword -- -*`fortinet.firewall.highcount`*:: +*`fortinet.firewall.seq`*:: + -- -Highcount fabric summary +Sequence number -type: integer +type: keyword -- -*`fortinet.firewall.host`*:: +*`fortinet.firewall.serial`*:: + -- -Hostname +WAN optimisation serial type: keyword -- -*`fortinet.firewall.iaid`*:: +*`fortinet.firewall.serialno`*:: + -- -DHCPv6 id +Serial number type: keyword -- -*`fortinet.firewall.icmpcode`*:: +*`fortinet.firewall.server`*:: + -- -Destination Port of the ICMP message +AD server FQDN or IP type: keyword -- -*`fortinet.firewall.icmpid`*:: +*`fortinet.firewall.session_id`*:: + -- -Source port of the ICMP message +Session ID type: keyword -- 
-*`fortinet.firewall.icmptype`*:: +*`fortinet.firewall.sessionid`*:: + -- -The type of ICMP message +WAD Session ID -type: keyword +type: integer -- -*`fortinet.firewall.identifier`*:: +*`fortinet.firewall.setuprate`*:: + -- -Network traffic identifier +Session Setup Rate -type: integer +type: long -- -*`fortinet.firewall.in_spi`*:: +*`fortinet.firewall.severity`*:: + -- -IPSEC inbound SPI +Severity type: keyword -- -*`fortinet.firewall.incidentserialno`*:: +*`fortinet.firewall.shaperdroprcvdbyte`*:: + -- -Incident serial number +Received bytes dropped by shaper type: integer -- -*`fortinet.firewall.infected`*:: +*`fortinet.firewall.shaperdropsentbyte`*:: + -- -Infected MMS +Sent bytes dropped by shaper type: integer -- -*`fortinet.firewall.infectedfilelevel`*:: +*`fortinet.firewall.shaperperipdropbyte`*:: + -- -DLP infected file level +Dropped bytes per IP by shaper type: integer -- -*`fortinet.firewall.informationsource`*:: +*`fortinet.firewall.shaperperipname`*:: + -- -Information source +Traffic shaper name (per IP) type: keyword -- -*`fortinet.firewall.init`*:: +*`fortinet.firewall.shaperrcvdname`*:: + -- -IPSEC init stage +Traffic shaper name for received traffic type: keyword -- -*`fortinet.firewall.initiator`*:: +*`fortinet.firewall.shapersentname`*:: + -- -Original login user name for Fortiguard override +Traffic shaper name for sent traffic type: keyword -- -*`fortinet.firewall.interface`*:: +*`fortinet.firewall.shapingpolicyid`*:: + -- -Related interface +Traffic shaper policy ID -type: keyword +type: integer -- -*`fortinet.firewall.intf`*:: +*`fortinet.firewall.signal`*:: + -- -Related interface +Wireless rogue API signal -type: keyword +type: integer -- -*`fortinet.firewall.invalidmac`*:: +*`fortinet.firewall.size`*:: + -- -The MAC address with invalid OUI +Email size in bytes -type: keyword +type: long -- -*`fortinet.firewall.ip`*:: +*`fortinet.firewall.slot`*:: + -- -Related IP +Slot number -type: ip +type: integer -- -*`fortinet.firewall.iptype`*:: 
+*`fortinet.firewall.sn`*:: + -- -Related IP type +Security fabric serial number type: keyword -- -*`fortinet.firewall.keyword`*:: +*`fortinet.firewall.snclosest`*:: + -- -Keyword used for search +SN of the AP closest to the rogue AP type: keyword -- -*`fortinet.firewall.kind`*:: +*`fortinet.firewall.sndetected`*:: + -- -VOIP kind +SN of the AP which detected the rogue AP type: keyword -- -*`fortinet.firewall.lanin`*:: +*`fortinet.firewall.snmeshparent`*:: + -- -LAN incoming traffic in bytes +SN of the mesh parent -type: long +type: keyword -- -*`fortinet.firewall.lanout`*:: +*`fortinet.firewall.spi`*:: + -- -LAN outbound traffic in bytes +IPSEC SPI -type: long +type: keyword -- -*`fortinet.firewall.lease`*:: +*`fortinet.firewall.src_int`*:: + -- -DHCP lease +Source interface -type: integer +type: keyword -- -*`fortinet.firewall.license_limit`*:: +*`fortinet.firewall.srcintfrole`*:: + -- -Maximum Number of FortiClients for the License +Source interface role type: keyword -- -*`fortinet.firewall.limit`*:: +*`fortinet.firewall.srccountry`*:: + -- -Virtual Domain Resource Limit +Source country -type: integer +type: keyword -- -*`fortinet.firewall.line`*:: +*`fortinet.firewall.srcfamily`*:: + -- -VOIP line +Source family type: keyword -- -*`fortinet.firewall.live`*:: +*`fortinet.firewall.srchwvendor`*:: + -- -Time in seconds +Source hardware vendor -type: integer +type: keyword -- -*`fortinet.firewall.local`*:: +*`fortinet.firewall.srchwversion`*:: + -- -Local IP for a PPPD Connection +Source hardware version -type: ip +type: keyword -- -*`fortinet.firewall.log`*:: +*`fortinet.firewall.srcinetsvc`*:: + -- -Log message +Source interface service type: keyword -- -*`fortinet.firewall.login`*:: +*`fortinet.firewall.srcname`*:: + -- -SSH login +Source name type: keyword -- -*`fortinet.firewall.lowcount`*:: +*`fortinet.firewall.srcserver`*:: + -- -Fabric lowcount +Source server type: integer -- -*`fortinet.firewall.mac`*:: +*`fortinet.firewall.srcssid`*:: + -- -DHCP mac 
address +Source SSID type: keyword -- -*`fortinet.firewall.malform_data`*:: +*`fortinet.firewall.srcswversion`*:: + -- -VOIP malformed data +Source software version -type: integer +type: keyword -- -*`fortinet.firewall.malform_desc`*:: +*`fortinet.firewall.srcuuid`*:: + -- -VOIP malformed data description +Source UUID type: keyword -- -*`fortinet.firewall.manuf`*:: +*`fortinet.firewall.sscname`*:: + -- -Manufacturer name +SSC name type: keyword -- -*`fortinet.firewall.masterdstmac`*:: +*`fortinet.firewall.ssid`*:: + -- -Master mac address for a host with multiple network interfaces +Base Service Set ID type: keyword -- -*`fortinet.firewall.mastersrcmac`*:: +*`fortinet.firewall.sslaction`*:: + -- -The master MAC address for a host that has multiple network interfaces +SSL Action type: keyword -- -*`fortinet.firewall.mediumcount`*:: +*`fortinet.firewall.ssllocal`*:: + -- -Fabric medium count +WAD SSL local -type: integer +type: keyword -- -*`fortinet.firewall.mem`*:: +*`fortinet.firewall.sslremote`*:: + -- -Memory usage system statistics +WAD SSL remote -type: integer +type: keyword -- -*`fortinet.firewall.meshmode`*:: +*`fortinet.firewall.stacount`*:: + -- -Wireless mesh mode +Number of stations/clients -type: keyword +type: integer -- -*`fortinet.firewall.message_type`*:: +*`fortinet.firewall.stage`*:: + -- -VOIP message type +IPSEC stage type: keyword -- -*`fortinet.firewall.method`*:: +*`fortinet.firewall.stamac`*:: + -- -HTTP method +802.1x station mac type: keyword -- -*`fortinet.firewall.mgmtcnt`*:: +*`fortinet.firewall.state`*:: + -- -The number of unauthorized client flooding managemet frames +Admin login state -type: integer +type: keyword -- -*`fortinet.firewall.mode`*:: +*`fortinet.firewall.status`*:: + -- -IPSEC mode +Status type: keyword -- -*`fortinet.firewall.module`*:: +*`fortinet.firewall.stitch`*:: + -- -PCI-DSS module +Automation stitch triggered type: keyword -- -*`fortinet.firewall.monitor-name`*:: +*`fortinet.firewall.subject`*:: + -- -Health 
Monitor Name +Email subject type: keyword -- -*`fortinet.firewall.monitor-type`*:: +*`fortinet.firewall.submodule`*:: + -- -Health Monitor Type +Configuration Sub-Module Name type: keyword -- -*`fortinet.firewall.mpsk`*:: +*`fortinet.firewall.subservice`*:: + -- -Wireless MPSK +AV subservice type: keyword -- -*`fortinet.firewall.msgproto`*:: +*`fortinet.firewall.subtype`*:: + -- -Message Protocol Number +Log subtype type: keyword -- -*`fortinet.firewall.mtu`*:: +*`fortinet.firewall.suspicious`*:: + -- -Max Transmission Unit Value +Number of Suspicious MMSs type: integer -- -*`fortinet.firewall.name`*:: +*`fortinet.firewall.switchproto`*:: + -- -Name +Protocol change information type: keyword -- -*`fortinet.firewall.nat`*:: +*`fortinet.firewall.sync_status`*:: + -- -NAT IP Address +The sync status with the master type: keyword -- -*`fortinet.firewall.netid`*:: +*`fortinet.firewall.sync_type`*:: + -- -Connector NetID +The sync type with the master type: keyword -- -*`fortinet.firewall.new_status`*:: +*`fortinet.firewall.sysuptime`*:: + -- -New status on user change +System uptime type: keyword -- -*`fortinet.firewall.new_value`*:: +*`fortinet.firewall.tamac`*:: + -- -New Virtual Domain Name +the MAC address of Transmitter, if none, then Receiver type: keyword -- -*`fortinet.firewall.newchannel`*:: +*`fortinet.firewall.threattype`*:: + -- -New Channel Number +WIDS threat type -type: integer +type: keyword -- -*`fortinet.firewall.newchassisid`*:: +*`fortinet.firewall.time`*:: + -- -New Chassis ID +Time of the event -type: integer +type: keyword -- -*`fortinet.firewall.newslot`*:: +*`fortinet.firewall.to`*:: + -- -New Slot Number +Email to field -type: integer +type: keyword -- -*`fortinet.firewall.nextstat`*:: +*`fortinet.firewall.to_vcluster`*:: + -- -Time interval in seconds for the next statistics. 
+destination virtual cluster number type: integer -- -*`fortinet.firewall.nf_type`*:: +*`fortinet.firewall.total`*:: + -- -Notification Type +Total memory -type: keyword +type: integer -- -*`fortinet.firewall.noise`*:: +*`fortinet.firewall.totalsession`*:: + -- -Wifi Noise +Total Number of Sessions type: integer -- -*`fortinet.firewall.old_status`*:: +*`fortinet.firewall.trace_id`*:: + -- -Original Status +Session clash trace ID type: keyword -- -*`fortinet.firewall.old_value`*:: +*`fortinet.firewall.trandisp`*:: + -- -Original Virtual Domain name +NAT translation type type: keyword -- -*`fortinet.firewall.oldchannel`*:: -+ --- -Original channel - - -type: integer - --- - -*`fortinet.firewall.oldchassisid`*:: -+ --- -Original Chassis Number - - -type: integer - --- - -*`fortinet.firewall.oldslot`*:: +*`fortinet.firewall.transid`*:: + -- -Original Slot Number +HTTP transaction ID type: integer -- -*`fortinet.firewall.oldsn`*:: +*`fortinet.firewall.translationid`*:: + -- -Old Serial number +DNS filter transaltion ID type: keyword -- -*`fortinet.firewall.oldwprof`*:: +*`fortinet.firewall.trigger`*:: + -- -Old Web Filter Profile +Automation stitch trigger type: keyword -- -*`fortinet.firewall.onwire`*:: +*`fortinet.firewall.trueclntip`*:: + -- -A flag to indicate if the AP is onwire or not +File filter true client IP -type: keyword +type: ip -- -*`fortinet.firewall.opercountry`*:: +*`fortinet.firewall.tunnelid`*:: + -- -Operating Country +IPSEC tunnel ID -type: keyword +type: integer -- -*`fortinet.firewall.opertxpower`*:: +*`fortinet.firewall.tunnelip`*:: + -- -Operating TX power +IPSEC tunnel IP -type: integer +type: ip -- -*`fortinet.firewall.osname`*:: +*`fortinet.firewall.tunneltype`*:: + -- -Operating System name +IPSEC tunnel type type: keyword -- -*`fortinet.firewall.osversion`*:: +*`fortinet.firewall.type`*:: + -- -Operating System version +Module type type: keyword -- -*`fortinet.firewall.out_spi`*:: +*`fortinet.firewall.ui`*:: + -- -Out SPI +Admin 
authentication UI type type: keyword -- -*`fortinet.firewall.outintf`*:: +*`fortinet.firewall.unauthusersource`*:: + -- -Out interface +Unauthenticated user source type: keyword -- -*`fortinet.firewall.passedcount`*:: +*`fortinet.firewall.unit`*:: + -- -Fabric passed count +Power supply unit type: integer -- -*`fortinet.firewall.passwd`*:: +*`fortinet.firewall.urlfilteridx`*:: + -- -Changed user password information +URL filter ID -type: keyword +type: integer -- -*`fortinet.firewall.path`*:: +*`fortinet.firewall.urlfilterlist`*:: + -- -Path of looped configuration for security fabric +URL filter list type: keyword -- -*`fortinet.firewall.peer`*:: +*`fortinet.firewall.urlsource`*:: + -- -WAN optimization peer +URL filter source type: keyword -- -*`fortinet.firewall.peer_notif`*:: +*`fortinet.firewall.urltype`*:: + -- -VPN peer notification +URL filter type type: keyword -- -*`fortinet.firewall.phase2_name`*:: +*`fortinet.firewall.used`*:: + -- -VPN phase2 name +Number of Used IPs -type: keyword +type: integer -- -*`fortinet.firewall.phone`*:: +*`fortinet.firewall.used_for_type`*:: + -- -VOIP Phone +Connection for the type -type: keyword +type: integer -- -*`fortinet.firewall.pid`*:: +*`fortinet.firewall.utmaction`*:: + -- -Process ID +Security action performed by UTM -type: integer +type: keyword -- -*`fortinet.firewall.policytype`*:: +*`fortinet.firewall.utmref`*:: + -- -Policy Type +Reference to UTM type: keyword -- -*`fortinet.firewall.poolname`*:: +*`fortinet.firewall.vap`*:: + -- -IP Pool name +Virtual AP type: keyword -- -*`fortinet.firewall.port`*:: +*`fortinet.firewall.vapmode`*:: + -- -Log upload error port +Virtual AP mode -type: integer +type: keyword -- -*`fortinet.firewall.portbegin`*:: +*`fortinet.firewall.vcluster`*:: + -- -IP Pool port number to begin +virtual cluster id type: integer -- -*`fortinet.firewall.portend`*:: +*`fortinet.firewall.vcluster_member`*:: + -- -IP Pool port number to end +Virtual cluster member type: integer -- 
-*`fortinet.firewall.probeproto`*:: +*`fortinet.firewall.vcluster_state`*:: + -- -Link Monitor Probe Protocol +Virtual cluster state type: keyword -- -*`fortinet.firewall.process`*:: +*`fortinet.firewall.vd`*:: + -- -URL Filter process +Virtual Domain Name type: keyword -- -*`fortinet.firewall.processtime`*:: +*`fortinet.firewall.vdname`*:: + -- -Process time for reports +Virtual Domain Name -type: integer +type: keyword -- -*`fortinet.firewall.profile`*:: +*`fortinet.firewall.vendorurl`*:: + -- -Profile Name +Vulnerability scan vendor name type: keyword -- -*`fortinet.firewall.profile_vd`*:: +*`fortinet.firewall.version`*:: + -- -Virtual Domain Name +Version type: keyword -- -*`fortinet.firewall.profilegroup`*:: +*`fortinet.firewall.vip`*:: + -- -Profile Group Name +Virtual IP type: keyword -- -*`fortinet.firewall.profiletype`*:: +*`fortinet.firewall.virus`*:: + -- -Profile Type +Virus name type: keyword -- -*`fortinet.firewall.qtypeval`*:: +*`fortinet.firewall.virusid`*:: + -- -DNS question type value +Virus ID (unique virus identifier) type: integer -- -*`fortinet.firewall.quarskip`*:: +*`fortinet.firewall.voip_proto`*:: + -- -Quarantine skip explanation +VOIP protocol type: keyword -- -*`fortinet.firewall.quotaexceeded`*:: +*`fortinet.firewall.vpn`*:: + -- -If quota has been exceeded +VPN description type: keyword -- -*`fortinet.firewall.quotamax`*:: +*`fortinet.firewall.vpntunnel`*:: + -- -Maximum quota allowed - in seconds if time-based - in bytes if traffic-based +IPsec Vpn Tunnel Name -type: long +type: keyword -- -*`fortinet.firewall.quotatype`*:: +*`fortinet.firewall.vpntype`*:: + -- -Quota type +The type of the VPN tunnel type: keyword -- -*`fortinet.firewall.quotaused`*:: +*`fortinet.firewall.vrf`*:: + -- -Quota used - in seconds if time-based - in bytes if trafficbased) +VRF number -type: long +type: integer -- -*`fortinet.firewall.radioband`*:: +*`fortinet.firewall.vulncat`*:: + -- -Radio band +Vulnerability Category type: keyword -- 
-*`fortinet.firewall.radioid`*:: +*`fortinet.firewall.vulnid`*:: + -- -Radio ID +Vulnerability ID type: integer -- -*`fortinet.firewall.radioidclosest`*:: +*`fortinet.firewall.vulnname`*:: + -- -Radio ID on the AP closest the rogue AP +Vulnerability name -type: integer +type: keyword -- -*`fortinet.firewall.radioiddetected`*:: +*`fortinet.firewall.vwlid`*:: + -- -Radio ID on the AP which detected the rogue AP +VWL ID type: integer -- -*`fortinet.firewall.rate`*:: +*`fortinet.firewall.vwlquality`*:: + -- -Wireless rogue rate value +VWL quality type: keyword -- -*`fortinet.firewall.rawdata`*:: +*`fortinet.firewall.vwlservice`*:: + -- -Raw data value +VWL service type: keyword -- -*`fortinet.firewall.rawdataid`*:: +*`fortinet.firewall.vwpvlanid`*:: + -- -Raw data ID +VWP VLAN ID -type: keyword +type: integer -- -*`fortinet.firewall.rcvddelta`*:: +*`fortinet.firewall.wanin`*:: + -- -Received bytes delta +WAN incoming traffic in bytes -type: keyword +type: long -- -*`fortinet.firewall.reason`*:: +*`fortinet.firewall.wanoptapptype`*:: + -- -Alert reason +WAN Optimization Application type type: keyword -- -*`fortinet.firewall.received`*:: +*`fortinet.firewall.wanout`*:: + -- -Server key exchange received +WAN outgoing traffic in bytes -type: integer +type: long -- -*`fortinet.firewall.receivedsignature`*:: +*`fortinet.firewall.weakwepiv`*:: + -- -Server key exchange received signature +Weak Wep Initiation Vector type: keyword -- -*`fortinet.firewall.red`*:: +*`fortinet.firewall.xauthgroup`*:: + -- -Memory information in red +XAuth Group Name type: keyword -- -*`fortinet.firewall.referralurl`*:: +*`fortinet.firewall.xauthuser`*:: + -- -Web filter referralurl +XAuth User Name type: keyword -- -*`fortinet.firewall.remote`*:: +*`fortinet.firewall.xid`*:: + -- -Remote PPP IP address +Wireless X ID -type: ip +type: integer -- -*`fortinet.firewall.remotewtptime`*:: -+ --- -Remote Wifi Radius authentication time +[[exported-fields-gcp]] +== Google Cloud Platform (GCP) fields 
+Module for handling logs from Google Cloud. -type: keyword --- -*`fortinet.firewall.reporttype`*:: -+ --- -Report type +[float] +=== gcp +Fields from Google Cloud logs. -type: keyword --- -*`fortinet.firewall.reqtype`*:: -+ --- -Request type +[float] +=== destination.instance +If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. -type: keyword --- -*`fortinet.firewall.request_name`*:: +*`gcp.destination.instance.project_id`*:: + -- -VOIP request name +ID of the project containing the VM. type: keyword -- -*`fortinet.firewall.result`*:: +*`gcp.destination.instance.region`*:: + -- -VPN phase result +Region of the VM. type: keyword -- -*`fortinet.firewall.role`*:: +*`gcp.destination.instance.zone`*:: + -- -VPN Phase 2 role +Zone of the VM. type: keyword -- -*`fortinet.firewall.rssi`*:: -+ --- -Received signal strength indicator +[float] +=== destination.vpc +If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. -type: integer --- -*`fortinet.firewall.rsso_key`*:: +*`gcp.destination.vpc.project_id`*:: + -- -RADIUS SSO attribute value +ID of the project containing the VM. type: keyword -- -*`fortinet.firewall.ruledata`*:: +*`gcp.destination.vpc.vpc_name`*:: + -- -Rule data +VPC on which the VM is operating. type: keyword -- -*`fortinet.firewall.ruletype`*:: +*`gcp.destination.vpc.subnetwork_name`*:: + -- -Rule type +Subnetwork on which the VM is operating. type: keyword -- -*`fortinet.firewall.scanned`*:: -+ --- -Number of Scanned MMSs +[float] +=== source.instance +If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. 
In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. -type: integer --- -*`fortinet.firewall.scantime`*:: +*`gcp.source.instance.project_id`*:: + -- -Scanned time +ID of the project containing the VM. -type: long +type: keyword -- -*`fortinet.firewall.scope`*:: +*`gcp.source.instance.region`*:: + -- -FortiGuard Override Scope +Region of the VM. type: keyword -- -*`fortinet.firewall.security`*:: +*`gcp.source.instance.zone`*:: + -- -Wireless rogue security +Zone of the VM. type: keyword -- -*`fortinet.firewall.sensitivity`*:: -+ --- -Sensitivity for document fingerprint +[float] +=== source.vpc +If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. -type: keyword --- -*`fortinet.firewall.sensor`*:: +*`gcp.source.vpc.project_id`*:: + -- -NAC Sensor Name +ID of the project containing the VM. type: keyword -- -*`fortinet.firewall.sentdelta`*:: +*`gcp.source.vpc.vpc_name`*:: + -- -Sent bytes delta +VPC on which the VM is operating. type: keyword -- -*`fortinet.firewall.seq`*:: +*`gcp.source.vpc.subnetwork_name`*:: + -- -Sequence number +Subnetwork on which the VM is operating. type: keyword -- -*`fortinet.firewall.serial`*:: -+ --- -WAN optimisation serial +[float] +=== audit +Fields for Google Cloud audit logs. -type: keyword --- -*`fortinet.firewall.serialno`*:: +*`gcp.audit.type`*:: + -- -Serial number +Type property. type: keyword -- -*`fortinet.firewall.server`*:: -+ --- -AD server FQDN or IP +[float] +=== authentication_info +Authentication information. -type: keyword --- -*`fortinet.firewall.session_id`*:: +*`gcp.audit.authentication_info.principal_email`*:: + -- -Session ID +The email address of the authenticated user making the request. 
type: keyword -- -*`fortinet.firewall.sessionid`*:: +*`gcp.audit.authentication_info.authority_selector`*:: + -- -WAD Session ID +The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. -type: integer +type: keyword -- -*`fortinet.firewall.setuprate`*:: +*`gcp.audit.authorization_info`*:: + -- -Session Setup Rate +Authorization information for the operation. -type: long +type: array -- -*`fortinet.firewall.severity`*:: +*`gcp.audit.method_name`*:: + -- -Severity +The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. type: keyword -- -*`fortinet.firewall.shaperdroprcvdbyte`*:: +*`gcp.audit.num_response_items`*:: + -- -Received bytes dropped by shaper +The number of items returned from a List or Query API method, if applicable. -type: integer +type: long -- -*`fortinet.firewall.shaperdropsentbyte`*:: -+ --- -Sent bytes dropped by shaper +[float] +=== request +The operation request. -type: integer --- -*`fortinet.firewall.shaperperipdropbyte`*:: +*`gcp.audit.request.proto_name`*:: + -- -Dropped bytes per IP by shaper +Type property of the request. -type: integer +type: keyword -- -*`fortinet.firewall.shaperperipname`*:: +*`gcp.audit.request.filter`*:: + -- -Traffic shaper name (per IP) +Filter of the request. type: keyword -- -*`fortinet.firewall.shaperrcvdname`*:: +*`gcp.audit.request.name`*:: + -- -Traffic shaper name for received traffic +Name of the request. type: keyword -- -*`fortinet.firewall.shapersentname`*:: +*`gcp.audit.request.resource_name`*:: + -- -Traffic shaper name for sent traffic +Name of the request resource. type: keyword -- -*`fortinet.firewall.shapingpolicyid`*:: -+ --- -Traffic shaper policy ID +[float] +=== request_metadata +Metadata about the request. 
-type: integer --- -*`fortinet.firewall.signal`*:: +*`gcp.audit.request_metadata.caller_ip`*:: + -- -Wireless rogue API signal +The IP address of the caller. -type: integer +type: ip -- -*`fortinet.firewall.size`*:: +*`gcp.audit.request_metadata.caller_supplied_user_agent`*:: + -- -Email size in bytes +The user agent of the caller. This information is not authenticated and should be treated accordingly. -type: long +type: keyword -- -*`fortinet.firewall.slot`*:: -+ --- -Slot number +[float] +=== response +The operation response. -type: integer --- -*`fortinet.firewall.sn`*:: +*`gcp.audit.response.proto_name`*:: + -- -Security fabric serial number +Type property of the response. type: keyword -- -*`fortinet.firewall.snclosest`*:: +[float] +=== details + +The details of the response. + + + +*`gcp.audit.response.details.group`*:: + -- -SN of the AP closest to the rogue AP +The name of the group. type: keyword -- -*`fortinet.firewall.sndetected`*:: +*`gcp.audit.response.details.kind`*:: + -- -SN of the AP which detected the rogue AP +The kind of the response details. type: keyword -- -*`fortinet.firewall.snmeshparent`*:: +*`gcp.audit.response.details.name`*:: + -- -SN of the mesh parent +The name of the response details. type: keyword -- -*`fortinet.firewall.spi`*:: +*`gcp.audit.response.details.uid`*:: + -- -IPSEC SPI +The uid of the response details. type: keyword -- -*`fortinet.firewall.src_int`*:: +*`gcp.audit.response.status`*:: + -- -Source interface +Status of the response. type: keyword -- -*`fortinet.firewall.srcintfrole`*:: +*`gcp.audit.resource_name`*:: + -- -Source interface role +The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. type: keyword -- -*`fortinet.firewall.srccountry`*:: +[float] +=== resource_location + +The location of the resource. 
+ + + +*`gcp.audit.resource_location.current_locations`*:: + -- -Source country +Current locations of the resource. type: keyword -- -*`fortinet.firewall.srcfamily`*:: +*`gcp.audit.service_name`*:: + -- -Source family +The name of the API service performing the operation. For example, datastore.googleapis.com. type: keyword -- -*`fortinet.firewall.srchwvendor`*:: +[float] +=== status + +The status of the overall operation. + + + +*`gcp.audit.status.code`*:: + -- -Source hardware vendor +The status code, which should be an enum value of google.rpc.Code. -type: keyword +type: integer -- -*`fortinet.firewall.srchwversion`*:: +*`gcp.audit.status.message`*:: + -- -Source hardware version +A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type: keyword -- -*`fortinet.firewall.srcinetsvc`*:: +[float] +=== firewall + +Fields for Google Cloud Firewall logs. + + + +[float] +=== rule_details + +Description of the firewall rule that matched this connection. + + + +*`gcp.firewall.rule_details.priority`*:: + -- -Source interface service - +The priority for the firewall rule. -type: keyword +type: long -- -*`fortinet.firewall.srcname`*:: +*`gcp.firewall.rule_details.action`*:: + -- -Source name - +Action that the rule performs on match. type: keyword -- -*`fortinet.firewall.srcserver`*:: +*`gcp.firewall.rule_details.direction`*:: + -- -Source server - +Direction of traffic that matches this rule. -type: integer +type: keyword -- -*`fortinet.firewall.srcssid`*:: +*`gcp.firewall.rule_details.reference`*:: + -- -Source SSID - +Reference to the firewall rule. type: keyword -- -*`fortinet.firewall.srcswversion`*:: +*`gcp.firewall.rule_details.source_range`*:: + -- -Source software version - +List of source ranges that the firewall rule applies to. 
type: keyword -- -*`fortinet.firewall.srcuuid`*:: +*`gcp.firewall.rule_details.destination_range`*:: + -- -Source UUID - +List of destination ranges that the firewall applies to. type: keyword -- -*`fortinet.firewall.sscname`*:: +*`gcp.firewall.rule_details.source_tag`*:: + -- -SSC name +List of all the source tags that the firewall rule applies to. type: keyword -- -*`fortinet.firewall.ssid`*:: +*`gcp.firewall.rule_details.target_tag`*:: + -- -Base Service Set ID +List of all the target tags that the firewall rule applies to. type: keyword -- -*`fortinet.firewall.sslaction`*:: +*`gcp.firewall.rule_details.ip_port_info`*:: + -- -SSL Action +List of ip protocols and applicable port ranges for rules. -type: keyword +type: array -- -*`fortinet.firewall.ssllocal`*:: +*`gcp.firewall.rule_details.source_service_account`*:: + -- -WAD SSL local +List of all the source service accounts that the firewall rule applies to. type: keyword -- -*`fortinet.firewall.sslremote`*:: +*`gcp.firewall.rule_details.target_service_account`*:: + -- -WAD SSL remote +List of all the target service accounts that the firewall rule applies to. type: keyword -- -*`fortinet.firewall.stacount`*:: -+ --- -Number of stations/clients +[float] +=== vpcflow +Fields for Google Cloud VPC flow logs. -type: integer --- -*`fortinet.firewall.stage`*:: +*`gcp.vpcflow.reporter`*:: + -- -IPSEC stage +The side which reported the flow. Can be either 'SRC' or 'DEST'. type: keyword -- -*`fortinet.firewall.stamac`*:: +*`gcp.vpcflow.rtt.ms`*:: + -- -802.1x station mac +Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. 
-type: keyword +type: long -- -*`fortinet.firewall.state`*:: -+ --- -Admin login state +[[exported-fields-google_workspace]] +== google_workspace fields +Google Workspace Module -type: keyword --- -*`fortinet.firewall.status`*:: +[float] +=== google_workspace + +Google Workspace specific fields. +More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + + +*`google_workspace.actor.type`*:: + -- -Status +The type of actor. +Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. type: keyword -- -*`fortinet.firewall.stitch`*:: +*`google_workspace.actor.key`*:: + -- -Automation stitch triggered +Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. type: keyword -- -*`fortinet.firewall.subject`*:: +*`google_workspace.event.type`*:: + -- -Email subject +The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list type: keyword +example: audit#activity + -- -*`fortinet.firewall.submodule`*:: +*`google_workspace.kind`*:: + -- -Configuration Sub-Module Name +The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list type: keyword +example: audit#activity + -- -*`fortinet.firewall.subservice`*:: +*`google_workspace.organization.domain`*:: + -- -AV subservice +The domain that is affected by the report's event. type: keyword -- -*`fortinet.firewall.subtype`*:: + +*`google_workspace.admin.application.edition`*:: + -- -Log subtype - +The Google Workspace edition. 
type: keyword -- -*`fortinet.firewall.suspicious`*:: +*`google_workspace.admin.application.name`*:: + -- -Number of Suspicious MMSs - +The application's name. -type: integer +type: keyword -- -*`fortinet.firewall.switchproto`*:: +*`google_workspace.admin.application.enabled`*:: + -- -Protocol change information - +The enabled application. type: keyword -- -*`fortinet.firewall.sync_status`*:: +*`google_workspace.admin.application.licences_order_number`*:: + -- -The sync status with the master - +Order number used to redeem licenses. type: keyword -- -*`fortinet.firewall.sync_type`*:: +*`google_workspace.admin.application.licences_purchased`*:: + -- -The sync type with the master - +Number of licences purchased. type: keyword -- -*`fortinet.firewall.sysuptime`*:: +*`google_workspace.admin.application.id`*:: + -- -System uptime - +The application ID. type: keyword -- -*`fortinet.firewall.tamac`*:: +*`google_workspace.admin.application.asp_id`*:: + -- -the MAC address of Transmitter, if none, then Receiver - +The application specific password ID. type: keyword -- -*`fortinet.firewall.threattype`*:: +*`google_workspace.admin.application.package_id`*:: + -- -WIDS threat type - +The mobile application package ID. type: keyword -- -*`fortinet.firewall.time`*:: +*`google_workspace.admin.group.email`*:: + -- -Time of the event - +The group's primary email address. type: keyword -- -*`fortinet.firewall.to`*:: +*`google_workspace.admin.new_value`*:: + -- -Email to field - +The new value for the setting. type: keyword -- -*`fortinet.firewall.to_vcluster`*:: +*`google_workspace.admin.old_value`*:: + -- -destination virtual cluster number - +The old value for the setting. -type: integer +type: keyword -- -*`fortinet.firewall.total`*:: +*`google_workspace.admin.org_unit.name`*:: + -- -Total memory - +The organizational unit name. 
-type: integer +type: keyword -- -*`fortinet.firewall.totalsession`*:: +*`google_workspace.admin.org_unit.full`*:: + -- -Total Number of Sessions - +The org unit full path including the root org unit name. -type: integer +type: keyword -- -*`fortinet.firewall.trace_id`*:: +*`google_workspace.admin.setting.name`*:: + -- -Session clash trace ID - +The setting name. type: keyword -- -*`fortinet.firewall.trandisp`*:: +*`google_workspace.admin.user_defined_setting.name`*:: + -- -NAT translation type - +The name of the user-defined setting. type: keyword -- -*`fortinet.firewall.transid`*:: +*`google_workspace.admin.setting.description`*:: + -- -HTTP transaction ID - +The setting name. -type: integer +type: keyword -- -*`fortinet.firewall.translationid`*:: +*`google_workspace.admin.group.priorities`*:: + -- -DNS filter transaltion ID - +Group priorities. type: keyword -- -*`fortinet.firewall.trigger`*:: +*`google_workspace.admin.domain.alias`*:: + -- -Automation stitch trigger - +The domain alias. type: keyword -- -*`fortinet.firewall.trueclntip`*:: +*`google_workspace.admin.domain.name`*:: + -- -File filter true client IP - +The primary domain name. -type: ip +type: keyword -- -*`fortinet.firewall.tunnelid`*:: +*`google_workspace.admin.domain.secondary_name`*:: + -- -IPSEC tunnel ID - +The secondary domain name. -type: integer +type: keyword -- -*`fortinet.firewall.tunnelip`*:: +*`google_workspace.admin.managed_configuration`*:: + -- -IPSEC tunnel IP - +The name of the managed configuration. -type: ip +type: keyword -- -*`fortinet.firewall.tunneltype`*:: +*`google_workspace.admin.non_featured_services_selection`*:: + -- -IPSEC tunnel type +Non-featured services selection. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED type: keyword -- -*`fortinet.firewall.type`*:: +*`google_workspace.admin.field`*:: + -- -Module type - +The name of the field. type: keyword -- -*`fortinet.firewall.ui`*:: +*`google_workspace.admin.resource.id`*:: + -- -Admin authentication UI type - +The name of the resource identifier. type: keyword -- -*`fortinet.firewall.unauthusersource`*:: +*`google_workspace.admin.user.email`*:: + -- -Unauthenticated user source - +The user's primary email address. type: keyword -- -*`fortinet.firewall.unit`*:: +*`google_workspace.admin.user.nickname`*:: + -- -Power supply unit - +The user's nickname. -type: integer +type: keyword -- -*`fortinet.firewall.urlfilteridx`*:: +*`google_workspace.admin.user.birthdate`*:: + -- -URL filter ID - +The user's birth date. -type: integer +type: date -- -*`fortinet.firewall.urlfilterlist`*:: +*`google_workspace.admin.gateway.name`*:: + -- -URL filter list - +Gateway name. Present on some chat settings. type: keyword -- -*`fortinet.firewall.urlsource`*:: +*`google_workspace.admin.chrome_os.session_type`*:: + -- -URL filter source - +Chrome OS session type. type: keyword -- -*`fortinet.firewall.urltype`*:: +*`google_workspace.admin.device.serial_number`*:: + -- -URL filter type - +Device serial number. type: keyword -- -*`fortinet.firewall.used`*:: +*`google_workspace.admin.device.id`*:: + -- -Number of Used IPs - - -type: integer +type: keyword -- -*`fortinet.firewall.used_for_type`*:: +*`google_workspace.admin.device.type`*:: + -- -Connection for the type - +Device type. -type: integer +type: keyword -- -*`fortinet.firewall.utmaction`*:: +*`google_workspace.admin.print_server.name`*:: + -- -Security action performed by UTM - +The name of the print server. 
type: keyword -- -*`fortinet.firewall.utmref`*:: +*`google_workspace.admin.printer.name`*:: + -- -Reference to UTM - +The name of the printer. type: keyword -- -*`fortinet.firewall.vap`*:: +*`google_workspace.admin.device.command_details`*:: + -- -Virtual AP - +Command details. type: keyword -- -*`fortinet.firewall.vapmode`*:: +*`google_workspace.admin.role.id`*:: + -- -Virtual AP mode - +Unique identifier for this role privilege. type: keyword -- -*`fortinet.firewall.vcluster`*:: +*`google_workspace.admin.role.name`*:: + -- -virtual cluster id +The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings -type: integer +type: keyword -- -*`fortinet.firewall.vcluster_member`*:: +*`google_workspace.admin.privilege.name`*:: + -- -Virtual cluster member - +Privilege name. -type: integer +type: keyword -- -*`fortinet.firewall.vcluster_state`*:: +*`google_workspace.admin.service.name`*:: + -- -Virtual cluster state - +The service name. type: keyword -- -*`fortinet.firewall.vd`*:: +*`google_workspace.admin.url.name`*:: + -- -Virtual Domain Name - +The website name. type: keyword -- -*`fortinet.firewall.vdname`*:: +*`google_workspace.admin.product.name`*:: + -- -Virtual Domain Name - +The product name. type: keyword -- -*`fortinet.firewall.vendorurl`*:: +*`google_workspace.admin.product.sku`*:: + -- -Vulnerability scan vendor name - +The product SKU. type: keyword -- -*`fortinet.firewall.version`*:: +*`google_workspace.admin.bulk_upload.failed`*:: + -- -Version - +Number of failed records in bulk upload operation. -type: keyword +type: long -- -*`fortinet.firewall.vip`*:: +*`google_workspace.admin.bulk_upload.total`*:: + -- -Virtual IP - +Number of total records in bulk upload operation. -type: keyword +type: long -- -*`fortinet.firewall.virus`*:: +*`google_workspace.admin.group.allowed_list`*:: + -- -Virus name - +Names of allow-listed groups. 
type: keyword -- -*`fortinet.firewall.virusid`*:: +*`google_workspace.admin.email.quarantine_name`*:: + -- -Virus ID (unique virus identifier) - +The name of the quarantine. -type: integer +type: keyword -- -*`fortinet.firewall.voip_proto`*:: +*`google_workspace.admin.email.log_search_filter.message_id`*:: + -- -VOIP protocol - +The log search filter's email message ID. type: keyword -- -*`fortinet.firewall.vpn`*:: +*`google_workspace.admin.email.log_search_filter.start_date`*:: + -- -VPN description - +The log search filter's start date. -type: keyword +type: date -- -*`fortinet.firewall.vpntunnel`*:: +*`google_workspace.admin.email.log_search_filter.end_date`*:: + -- -IPsec Vpn Tunnel Name - +The log search filter's ending date. -type: keyword +type: date -- -*`fortinet.firewall.vpntype`*:: +*`google_workspace.admin.email.log_search_filter.recipient.value`*:: + -- -The type of the VPN tunnel - +The log search filter's email recipient. type: keyword -- -*`fortinet.firewall.vrf`*:: +*`google_workspace.admin.email.log_search_filter.sender.value`*:: + -- -VRF number - +The log search filter's email sender. -type: integer +type: keyword -- -*`fortinet.firewall.vulncat`*:: +*`google_workspace.admin.email.log_search_filter.recipient.ip`*:: + -- -Vulnerability Category - +The log search filter's email recipient's IP address. -type: keyword +type: ip -- -*`fortinet.firewall.vulnid`*:: +*`google_workspace.admin.email.log_search_filter.sender.ip`*:: + -- -Vulnerability ID - +The log search filter's email sender's IP address. -type: integer +type: ip -- -*`fortinet.firewall.vulnname`*:: +*`google_workspace.admin.chrome_licenses.enabled`*:: + -- -Vulnerability name +Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings type: keyword -- -*`fortinet.firewall.vwlid`*:: +*`google_workspace.admin.chrome_licenses.allowed`*:: + -- -VWL ID +Licences enabled. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings -type: integer +type: keyword -- -*`fortinet.firewall.vwlquality`*:: +*`google_workspace.admin.oauth2.service.name`*:: + -- -VWL quality +OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings type: keyword -- -*`fortinet.firewall.vwlservice`*:: +*`google_workspace.admin.oauth2.application.id`*:: + -- -VWL service - +OAuth2 application ID. type: keyword -- -*`fortinet.firewall.vwpvlanid`*:: +*`google_workspace.admin.oauth2.application.name`*:: + -- -VWP VLAN ID - +OAuth2 application name. -type: integer +type: keyword -- -*`fortinet.firewall.wanin`*:: +*`google_workspace.admin.oauth2.application.type`*:: + -- -WAN incoming traffic in bytes +OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings -type: long +type: keyword -- -*`fortinet.firewall.wanoptapptype`*:: +*`google_workspace.admin.verification_method`*:: + -- -WAN Optimization Application type +Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings type: keyword -- -*`fortinet.firewall.wanout`*:: +*`google_workspace.admin.alert.name`*:: + -- -WAN outgoing traffic in bytes - +The alert name. -type: long +type: keyword -- -*`fortinet.firewall.weakwepiv`*:: +*`google_workspace.admin.rule.name`*:: + -- -Weak Wep Initiation Vector - +The rule name. type: keyword -- -*`fortinet.firewall.xauthgroup`*:: +*`google_workspace.admin.api.client.name`*:: + -- -XAuth Group Name - +The API client name. 
type: keyword -- -*`fortinet.firewall.xauthuser`*:: +*`google_workspace.admin.api.scopes`*:: + -- -XAuth User Name - +The API scopes. type: keyword -- -*`fortinet.firewall.xid`*:: +*`google_workspace.admin.mdm.token`*:: + -- -Wireless X ID - +The MDM vendor enrollment token. -type: integer +type: keyword -- -[[exported-fields-gcp]] -== Google Cloud Platform (GCP) fields - -Module for handling logs from Google Cloud. - - - -[float] -=== gcp - -Fields from Google Cloud logs. - - - -[float] -=== destination.instance - -If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. - - - -*`gcp.destination.instance.project_id`*:: +*`google_workspace.admin.mdm.vendor`*:: + -- -ID of the project containing the VM. - +The MDM vendor's name. type: keyword -- -*`gcp.destination.instance.region`*:: +*`google_workspace.admin.info_type`*:: + -- -Region of the VM. +This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings type: keyword -- -*`gcp.destination.instance.zone`*:: +*`google_workspace.admin.email_monitor.dest_email`*:: + -- -Zone of the VM. - +The destination address of the email monitor. type: keyword -- -[float] -=== destination.vpc - -If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. +*`google_workspace.admin.email_monitor.level.chat`*:: ++ +-- +The chat email monitor level. +type: keyword +-- -*`gcp.destination.vpc.project_id`*:: +*`google_workspace.admin.email_monitor.level.draft`*:: + -- -ID of the project containing the VM. - +The draft email monitor level. 
type: keyword -- -*`gcp.destination.vpc.vpc_name`*:: +*`google_workspace.admin.email_monitor.level.incoming`*:: + -- -VPC on which the VM is operating. - +The incoming email monitor level. type: keyword -- -*`gcp.destination.vpc.subnetwork_name`*:: +*`google_workspace.admin.email_monitor.level.outgoing`*:: + -- -Subnetwork on which the VM is operating. - +The outgoing email monitor level. type: keyword -- -[float] -=== source.instance - -If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. +*`google_workspace.admin.email_dump.include_deleted`*:: ++ +-- +Indicates if deleted emails are included in the export. +type: boolean +-- -*`gcp.source.instance.project_id`*:: +*`google_workspace.admin.email_dump.package_content`*:: + -- -ID of the project containing the VM. - +The contents of the mailbox package. type: keyword -- -*`gcp.source.instance.region`*:: +*`google_workspace.admin.email_dump.query`*:: + -- -Region of the VM. - +The search query used for the dump. type: keyword -- -*`gcp.source.instance.zone`*:: +*`google_workspace.admin.request.id`*:: + -- -Zone of the VM. - +The request ID. type: keyword -- -[float] -=== source.vpc - -If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. +*`google_workspace.admin.mobile.action.id`*:: ++ +-- +The mobile device action's ID. +type: keyword +-- -*`gcp.source.vpc.project_id`*:: +*`google_workspace.admin.mobile.action.type`*:: + -- -ID of the project containing the VM. +The mobile device action's type. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings type: keyword -- -*`gcp.source.vpc.vpc_name`*:: +*`google_workspace.admin.mobile.certificate.name`*:: + -- -VPC on which the VM is operating. - +The mobile certificate common name. type: keyword -- -*`gcp.source.vpc.subnetwork_name`*:: +*`google_workspace.admin.mobile.company_owned_devices`*:: + -- -Subnetwork on which the VM is operating. - +The number of devices a company owns. -type: keyword +type: long -- -[float] -=== audit +*`google_workspace.admin.distribution.entity.name`*:: ++ +-- +The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings -Fields for Google Cloud audit logs. +type: keyword +-- -*`gcp.audit.type`*:: +*`google_workspace.admin.distribution.entity.type`*:: + -- -Type property. +The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings type: keyword -- -[float] -=== authentication_info -Authentication information. +*`google_workspace.drive.billable`*:: ++ +-- +Whether this activity is billable. +type: boolean +-- -*`gcp.audit.authentication_info.principal_email`*:: +*`google_workspace.drive.source_folder_id`*:: + -- -The email address of the authenticated user making the request. - - type: keyword -- -*`gcp.audit.authentication_info.authority_selector`*:: +*`google_workspace.drive.source_folder_title`*:: + -- -The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. - - type: keyword -- -*`gcp.audit.authorization_info`*:: +*`google_workspace.drive.destination_folder_id`*:: + -- -Authorization information for the operation. 
- - -type: array +type: keyword -- -*`gcp.audit.method_name`*:: +*`google_workspace.drive.destination_folder_title`*:: + -- -The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. +type: keyword +-- +*`google_workspace.drive.file.id`*:: ++ +-- type: keyword -- -*`gcp.audit.num_response_items`*:: +*`google_workspace.drive.file.type`*:: + -- -The number of items returned from a List or Query API method, if applicable. +Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive -type: long +type: keyword -- -[float] -=== request +*`google_workspace.drive.originating_app_id`*:: ++ +-- +The Google Cloud Project ID of the application that performed the action. -The operation request. +type: keyword +-- -*`gcp.audit.request.proto_name`*:: +*`google_workspace.drive.file.owner.email`*:: + -- -Type property of the request. - - type: keyword -- -*`gcp.audit.request.filter`*:: +*`google_workspace.drive.file.owner.is_shared_drive`*:: + -- -Filter of the request. +Boolean flag denoting whether owner is a shared drive. -type: keyword +type: boolean -- -*`gcp.audit.request.name`*:: +*`google_workspace.drive.primary_event`*:: + -- -Name of the request. +Whether this is a primary event. A single user action in Drive may generate several events. -type: keyword +type: boolean -- -*`gcp.audit.request.resource_name`*:: +*`google_workspace.drive.shared_drive_id`*:: + -- -Name of the request resource. +The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. type: keyword -- -[float] -=== request_metadata +*`google_workspace.drive.visibility`*:: ++ +-- +Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive -Metadata about the request. 
+type: keyword +-- -*`gcp.audit.request_metadata.caller_ip`*:: +*`google_workspace.drive.new_value`*:: + -- -The IP address of the caller. +When a setting or property of the file changes, the new value for it will appear here. -type: ip +type: keyword -- -*`gcp.audit.request_metadata.caller_supplied_user_agent`*:: +*`google_workspace.drive.old_value`*:: + -- -The user agent of the caller. This information is not authenticated and should be treated accordingly. +When a setting or property of the file changes, the old value for it will appear here. type: keyword -- -[float] -=== response - -The operation response. +*`google_workspace.drive.sheets_import_range_recipient_doc`*:: ++ +-- +Doc ID of the recipient of a sheets import range. +type: keyword +-- -*`gcp.audit.response.proto_name`*:: +*`google_workspace.drive.old_visibility`*:: + -- -Type property of the response. +When visibility changes, this holds the old value. type: keyword -- -[float] -=== details +*`google_workspace.drive.visibility_change`*:: ++ +-- +When visibility changes, this holds the new overall visibility of the file. -The details of the response. +type: keyword +-- -*`gcp.audit.response.details.group`*:: +*`google_workspace.drive.target_domain`*:: + -- -The name of the group. +The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. type: keyword -- -*`gcp.audit.response.details.kind`*:: +*`google_workspace.drive.added_role`*:: + -- -The kind of the response details. +Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive type: keyword -- -*`gcp.audit.response.details.name`*:: +*`google_workspace.drive.membership_change_type`*:: + -- -The name of the response details. +Type of change in Team Drive membership of a user/group. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive type: keyword -- -*`gcp.audit.response.details.uid`*:: +*`google_workspace.drive.shared_drive_settings_change_type`*:: + -- -The uid of the response details. +Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive type: keyword -- -*`gcp.audit.response.status`*:: +*`google_workspace.drive.removed_role`*:: + -- -Status of the response. +Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive type: keyword -- -*`gcp.audit.resource_name`*:: +*`google_workspace.drive.target`*:: + -- -The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - +Target user or group. type: keyword -- -[float] -=== resource_location -The location of the resource. +*`google_workspace.groups.acl_permission`*:: ++ +-- +Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +type: keyword -*`gcp.audit.resource_location.current_locations`*:: +-- + +*`google_workspace.groups.email`*:: + -- -Current locations of the resource. +Group email. type: keyword -- -*`gcp.audit.service_name`*:: +*`google_workspace.groups.member.email`*:: + -- -The name of the API service performing the operation. For example, datastore.googleapis.com. +Member email. type: keyword -- -[float] -=== status +*`google_workspace.groups.member.role`*:: ++ +-- +Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups -The status of the overall operation. 
+type: keyword +-- -*`gcp.audit.status.code`*:: +*`google_workspace.groups.setting`*:: + -- -The status code, which should be an enum value of google.rpc.Code. +Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups -type: integer +type: keyword -- -*`gcp.audit.status.message`*:: +*`google_workspace.groups.new_value`*:: + -- -A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. +New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups type: keyword -- -[float] -=== firewall - -Fields for Google Cloud Firewall logs. +*`google_workspace.groups.old_value`*:: ++ +-- +Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +type: keyword +-- -[float] -=== rule_details +*`google_workspace.groups.value`*:: ++ +-- +Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups -Description of the firewall rule that matched this connection. +type: keyword +-- -*`gcp.firewall.rule_details.priority`*:: +*`google_workspace.groups.message.id`*:: + -- -The priority for the firewall rule. +SMTP message Id of an email message. Present for moderation events. -type: long + +type: keyword -- -*`gcp.firewall.rule_details.action`*:: +*`google_workspace.groups.message.moderation_action`*:: + -- -Action that the rule performs on match. +Message moderation action. Possible values are `approved` and `rejected`. + type: keyword -- -*`gcp.firewall.rule_details.direction`*:: +*`google_workspace.groups.status`*:: + -- -Direction of traffic that matches this rule. +A status describing the output of an operation. 
Possible values are `failed` and `succeeded`. + type: keyword -- -*`gcp.firewall.rule_details.reference`*:: + +*`google_workspace.login.affected_email_address`*:: + -- -Reference to the firewall rule. - type: keyword -- -*`gcp.firewall.rule_details.source_range`*:: +*`google_workspace.login.challenge_method`*:: + -- -List of source ranges that the firewall rule applies to. +Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + type: keyword -- -*`gcp.firewall.rule_details.destination_range`*:: +*`google_workspace.login.failure_type`*:: + -- -List of destination ranges that the firewall applies to. +Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + type: keyword -- -*`gcp.firewall.rule_details.source_tag`*:: +*`google_workspace.login.type`*:: + -- -List of all the source tags that the firewall rule applies to. +Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. type: keyword -- -*`gcp.firewall.rule_details.target_tag`*:: +*`google_workspace.login.is_second_factor`*:: + -- -List of all the target tags that the firewall rule applies to. +type: boolean +-- -type: keyword +*`google_workspace.login.is_suspicious`*:: ++ +-- +type: boolean -- -*`gcp.firewall.rule_details.ip_port_info`*:: + +*`google_workspace.saml.application_name`*:: + -- -List of ip protocols and applicable port ranges for rules. +Saml SP application name. -type: array +type: keyword -- -*`gcp.firewall.rule_details.source_service_account`*:: +*`google_workspace.saml.failure_type`*:: + -- -List of all the source service accounts that the firewall rule applies to. +Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. 
type: keyword -- -*`gcp.firewall.rule_details.target_service_account`*:: +*`google_workspace.saml.initiated_by`*:: + -- -List of all the target service accounts that the firewall rule applies to. +Requester of SAML authentication. type: keyword -- -[float] -=== vpcflow +*`google_workspace.saml.orgunit_path`*:: ++ +-- +User orgunit. -Fields for Google Cloud VPC flow logs. +type: keyword +-- -*`gcp.vpcflow.reporter`*:: +*`google_workspace.saml.status_code`*:: + -- -The side which reported the flow. Can be either 'SRC' or 'DEST'. +SAML status code. type: keyword -- -*`gcp.vpcflow.rtt.ms`*:: +*`google_workspace.saml.second_level_status_code`*:: + -- -Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. +SAML second level status code. -type: long +type: keyword -- -[[exported-fields-google_workspace]] -== google_workspace fields +[[exported-fields-gsuite]] +== gsuite fields -Google Workspace Module +gsuite Module [float] -=== google_workspace +=== gsuite -Google Workspace specific fields. +Gsuite specific fields. More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list -*`google_workspace.actor.type`*:: +*`gsuite.actor.type`*:: + -- The type of actor. @@ -65149,7 +72073,7 @@ type: keyword -- -*`google_workspace.actor.key`*:: +*`gsuite.actor.key`*:: + -- Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. 
@@ -65159,10 +72083,10 @@ type: keyword -- -*`google_workspace.event.type`*:: +*`gsuite.event.type`*:: + -- -The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list type: keyword @@ -65171,7 +72095,7 @@ example: audit#activity -- -*`google_workspace.kind`*:: +*`gsuite.kind`*:: + -- The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list @@ -65183,7 +72107,7 @@ example: audit#activity -- -*`google_workspace.organization.domain`*:: +*`gsuite.organization.domain`*:: + -- The domain that is affected by the report's event. @@ -65194,16 +72118,16 @@ type: keyword -- -*`google_workspace.admin.application.edition`*:: +*`gsuite.admin.application.edition`*:: + -- -The Google Workspace edition. +The GSuite edition. type: keyword -- -*`google_workspace.admin.application.name`*:: +*`gsuite.admin.application.name`*:: + -- The application's name. @@ -65212,7 +72136,7 @@ type: keyword -- -*`google_workspace.admin.application.enabled`*:: +*`gsuite.admin.application.enabled`*:: + -- The enabled application. @@ -65221,7 +72145,7 @@ type: keyword -- -*`google_workspace.admin.application.licences_order_number`*:: +*`gsuite.admin.application.licences_order_number`*:: + -- Order number used to redeem licenses. @@ -65230,7 +72154,7 @@ type: keyword -- -*`google_workspace.admin.application.licences_purchased`*:: +*`gsuite.admin.application.licences_purchased`*:: + -- Number of licences purchased. 
@@ -65239,7 +72163,7 @@ type: keyword -- -*`google_workspace.admin.application.id`*:: +*`gsuite.admin.application.id`*:: + -- The application ID. @@ -65248,7 +72172,7 @@ type: keyword -- -*`google_workspace.admin.application.asp_id`*:: +*`gsuite.admin.application.asp_id`*:: + -- The application specific password ID. @@ -65257,7 +72181,7 @@ type: keyword -- -*`google_workspace.admin.application.package_id`*:: +*`gsuite.admin.application.package_id`*:: + -- The mobile application package ID. @@ -65266,7 +72190,7 @@ type: keyword -- -*`google_workspace.admin.group.email`*:: +*`gsuite.admin.group.email`*:: + -- The group's primary email address. @@ -65275,7 +72199,7 @@ type: keyword -- -*`google_workspace.admin.new_value`*:: +*`gsuite.admin.new_value`*:: + -- The new value for the setting. @@ -65284,7 +72208,7 @@ type: keyword -- -*`google_workspace.admin.old_value`*:: +*`gsuite.admin.old_value`*:: + -- The old value for the setting. @@ -65293,7 +72217,7 @@ type: keyword -- -*`google_workspace.admin.org_unit.name`*:: +*`gsuite.admin.org_unit.name`*:: + -- The organizational unit name. @@ -65302,7 +72226,7 @@ type: keyword -- -*`google_workspace.admin.org_unit.full`*:: +*`gsuite.admin.org_unit.full`*:: + -- The org unit full path including the root org unit name. @@ -65311,7 +72235,7 @@ type: keyword -- -*`google_workspace.admin.setting.name`*:: +*`gsuite.admin.setting.name`*:: + -- The setting name. @@ -65320,7 +72244,7 @@ type: keyword -- -*`google_workspace.admin.user_defined_setting.name`*:: +*`gsuite.admin.user_defined_setting.name`*:: + -- The name of the user-defined setting. @@ -65329,7 +72253,7 @@ type: keyword -- -*`google_workspace.admin.setting.description`*:: +*`gsuite.admin.setting.description`*:: + -- The setting name. @@ -65338,7 +72262,7 @@ type: keyword -- -*`google_workspace.admin.group.priorities`*:: +*`gsuite.admin.group.priorities`*:: + -- Group priorities. 
@@ -65347,7 +72271,7 @@ type: keyword -- -*`google_workspace.admin.domain.alias`*:: +*`gsuite.admin.domain.alias`*:: + -- The domain alias. @@ -65356,7 +72280,7 @@ type: keyword -- -*`google_workspace.admin.domain.name`*:: +*`gsuite.admin.domain.name`*:: + -- The primary domain name. @@ -65365,7 +72289,7 @@ type: keyword -- -*`google_workspace.admin.domain.secondary_name`*:: +*`gsuite.admin.domain.secondary_name`*:: + -- The secondary domain name. @@ -65374,7 +72298,7 @@ type: keyword -- -*`google_workspace.admin.managed_configuration`*:: +*`gsuite.admin.managed_configuration`*:: + -- The name of the managed configuration. @@ -65383,7 +72307,7 @@ type: keyword -- -*`google_workspace.admin.non_featured_services_selection`*:: +*`gsuite.admin.non_featured_services_selection`*:: + -- Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED @@ -65393,7 +72317,7 @@ type: keyword -- -*`google_workspace.admin.field`*:: +*`gsuite.admin.field`*:: + -- The name of the field. @@ -65402,7 +72326,7 @@ type: keyword -- -*`google_workspace.admin.resource.id`*:: +*`gsuite.admin.resource.id`*:: + -- The name of the resource identifier. @@ -65411,7 +72335,7 @@ type: keyword -- -*`google_workspace.admin.user.email`*:: +*`gsuite.admin.user.email`*:: + -- The user's primary email address. @@ -65420,7 +72344,7 @@ type: keyword -- -*`google_workspace.admin.user.nickname`*:: +*`gsuite.admin.user.nickname`*:: + -- The user's nickname. @@ -65429,7 +72353,7 @@ type: keyword -- -*`google_workspace.admin.user.birthdate`*:: +*`gsuite.admin.user.birthdate`*:: + -- The user's birth date. @@ -65438,7 +72362,7 @@ type: date -- -*`google_workspace.admin.gateway.name`*:: +*`gsuite.admin.gateway.name`*:: + -- Gateway name. Present on some chat settings. 
@@ -65447,7 +72371,7 @@ type: keyword -- -*`google_workspace.admin.chrome_os.session_type`*:: +*`gsuite.admin.chrome_os.session_type`*:: + -- Chrome OS session type. @@ -65456,7 +72380,7 @@ type: keyword -- -*`google_workspace.admin.device.serial_number`*:: +*`gsuite.admin.device.serial_number`*:: + -- Device serial number. @@ -65465,14 +72389,14 @@ type: keyword -- -*`google_workspace.admin.device.id`*:: +*`gsuite.admin.device.id`*:: + -- type: keyword -- -*`google_workspace.admin.device.type`*:: +*`gsuite.admin.device.type`*:: + -- Device type. @@ -65481,7 +72405,7 @@ type: keyword -- -*`google_workspace.admin.print_server.name`*:: +*`gsuite.admin.print_server.name`*:: + -- The name of the print server. @@ -65490,7 +72414,7 @@ type: keyword -- -*`google_workspace.admin.printer.name`*:: +*`gsuite.admin.printer.name`*:: + -- The name of the printer. @@ -65499,7 +72423,7 @@ type: keyword -- -*`google_workspace.admin.device.command_details`*:: +*`gsuite.admin.device.command_details`*:: + -- Command details. @@ -65508,7 +72432,7 @@ type: keyword -- -*`google_workspace.admin.role.id`*:: +*`gsuite.admin.role.id`*:: + -- Unique identifier for this role privilege. @@ -65517,7 +72441,7 @@ type: keyword -- -*`google_workspace.admin.role.name`*:: +*`gsuite.admin.role.name`*:: + -- The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings @@ -65527,7 +72451,7 @@ type: keyword -- -*`google_workspace.admin.privilege.name`*:: +*`gsuite.admin.privilege.name`*:: + -- Privilege name. @@ -65536,7 +72460,7 @@ type: keyword -- -*`google_workspace.admin.service.name`*:: +*`gsuite.admin.service.name`*:: + -- The service name. @@ -65545,7 +72469,7 @@ type: keyword -- -*`google_workspace.admin.url.name`*:: +*`gsuite.admin.url.name`*:: + -- The website name. @@ -65554,7 +72478,7 @@ type: keyword -- -*`google_workspace.admin.product.name`*:: +*`gsuite.admin.product.name`*:: + -- The product name. 
@@ -65563,7 +72487,7 @@ type: keyword -- -*`google_workspace.admin.product.sku`*:: +*`gsuite.admin.product.sku`*:: + -- The product SKU. @@ -65572,7 +72496,7 @@ type: keyword -- -*`google_workspace.admin.bulk_upload.failed`*:: +*`gsuite.admin.bulk_upload.failed`*:: + -- Number of failed records in bulk upload operation. @@ -65581,7 +72505,7 @@ type: long -- -*`google_workspace.admin.bulk_upload.total`*:: +*`gsuite.admin.bulk_upload.total`*:: + -- Number of total records in bulk upload operation. @@ -65590,7 +72514,7 @@ type: long -- -*`google_workspace.admin.group.allowed_list`*:: +*`gsuite.admin.group.allowed_list`*:: + -- Names of allow-listed groups. @@ -65599,7 +72523,7 @@ type: keyword -- -*`google_workspace.admin.email.quarantine_name`*:: +*`gsuite.admin.email.quarantine_name`*:: + -- The name of the quarantine. @@ -65608,7 +72532,7 @@ type: keyword -- -*`google_workspace.admin.email.log_search_filter.message_id`*:: +*`gsuite.admin.email.log_search_filter.message_id`*:: + -- The log search filter's email message ID. @@ -65617,7 +72541,7 @@ type: keyword -- -*`google_workspace.admin.email.log_search_filter.start_date`*:: +*`gsuite.admin.email.log_search_filter.start_date`*:: + -- The log search filter's start date. @@ -65626,7 +72550,7 @@ type: date -- -*`google_workspace.admin.email.log_search_filter.end_date`*:: +*`gsuite.admin.email.log_search_filter.end_date`*:: + -- The log search filter's ending date. @@ -65635,7 +72559,7 @@ type: date -- -*`google_workspace.admin.email.log_search_filter.recipient.value`*:: +*`gsuite.admin.email.log_search_filter.recipient.value`*:: + -- The log search filter's email recipient. @@ -65644,7 +72568,7 @@ type: keyword -- -*`google_workspace.admin.email.log_search_filter.sender.value`*:: +*`gsuite.admin.email.log_search_filter.sender.value`*:: + -- The log search filter's email sender. 
@@ -65653,7 +72577,7 @@ type: keyword -- -*`google_workspace.admin.email.log_search_filter.recipient.ip`*:: +*`gsuite.admin.email.log_search_filter.recipient.ip`*:: + -- The log search filter's email recipient's IP address. @@ -65662,7 +72586,7 @@ type: ip -- -*`google_workspace.admin.email.log_search_filter.sender.ip`*:: +*`gsuite.admin.email.log_search_filter.sender.ip`*:: + -- The log search filter's email sender's IP address. @@ -65671,7 +72595,7 @@ type: ip -- -*`google_workspace.admin.chrome_licenses.enabled`*:: +*`gsuite.admin.chrome_licenses.enabled`*:: + -- Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings @@ -65681,7 +72605,7 @@ type: keyword -- -*`google_workspace.admin.chrome_licenses.allowed`*:: +*`gsuite.admin.chrome_licenses.allowed`*:: + -- Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings @@ -65691,7 +72615,7 @@ type: keyword -- -*`google_workspace.admin.oauth2.service.name`*:: +*`gsuite.admin.oauth2.service.name`*:: + -- OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings @@ -65701,7 +72625,7 @@ type: keyword -- -*`google_workspace.admin.oauth2.application.id`*:: +*`gsuite.admin.oauth2.application.id`*:: + -- OAuth2 application ID. @@ -65710,7 +72634,7 @@ type: keyword -- -*`google_workspace.admin.oauth2.application.name`*:: +*`gsuite.admin.oauth2.application.name`*:: + -- OAuth2 application name. @@ -65719,7 +72643,7 @@ type: keyword -- -*`google_workspace.admin.oauth2.application.type`*:: +*`gsuite.admin.oauth2.application.type`*:: + -- OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings 
@@ -65729,7 +72653,7 @@ type: keyword -- -*`google_workspace.admin.verification_method`*:: +*`gsuite.admin.verification_method`*:: + -- Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings @@ -65739,7 +72663,7 @@ type: keyword -- -*`google_workspace.admin.alert.name`*:: +*`gsuite.admin.alert.name`*:: + -- The alert name. @@ -65748,7 +72672,7 @@ type: keyword -- -*`google_workspace.admin.rule.name`*:: +*`gsuite.admin.rule.name`*:: + -- The rule name. @@ -65757,7 +72681,7 @@ type: keyword -- -*`google_workspace.admin.api.client.name`*:: +*`gsuite.admin.api.client.name`*:: + -- The API client name. @@ -65766,7 +72690,7 @@ type: keyword -- -*`google_workspace.admin.api.scopes`*:: +*`gsuite.admin.api.scopes`*:: + -- The API scopes. @@ -65775,7 +72699,7 @@ type: keyword -- -*`google_workspace.admin.mdm.token`*:: +*`gsuite.admin.mdm.token`*:: + -- The MDM vendor enrollment token. @@ -65784,7 +72708,7 @@ type: keyword -- -*`google_workspace.admin.mdm.vendor`*:: +*`gsuite.admin.mdm.vendor`*:: + -- The MDM vendor's name. @@ -65793,7 +72717,7 @@ type: keyword -- -*`google_workspace.admin.info_type`*:: +*`gsuite.admin.info_type`*:: + -- This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings @@ -65803,7 +72727,7 @@ type: keyword -- -*`google_workspace.admin.email_monitor.dest_email`*:: +*`gsuite.admin.email_monitor.dest_email`*:: + -- The destination address of the email monitor. @@ -65812,7 +72736,7 @@ type: keyword -- -*`google_workspace.admin.email_monitor.level.chat`*:: +*`gsuite.admin.email_monitor.level.chat`*:: + -- The chat email monitor level. 
@@ -65821,7 +72745,7 @@ type: keyword -- -*`google_workspace.admin.email_monitor.level.draft`*:: +*`gsuite.admin.email_monitor.level.draft`*:: + -- The draft email monitor level. @@ -65830,7 +72754,7 @@ type: keyword -- -*`google_workspace.admin.email_monitor.level.incoming`*:: +*`gsuite.admin.email_monitor.level.incoming`*:: + -- The incoming email monitor level. @@ -65839,7 +72763,7 @@ type: keyword -- -*`google_workspace.admin.email_monitor.level.outgoing`*:: +*`gsuite.admin.email_monitor.level.outgoing`*:: + -- The outgoing email monitor level. @@ -65848,7 +72772,7 @@ type: keyword -- -*`google_workspace.admin.email_dump.include_deleted`*:: +*`gsuite.admin.email_dump.include_deleted`*:: + -- Indicates if deleted emails are included in the export. @@ -65857,7 +72781,7 @@ type: boolean -- -*`google_workspace.admin.email_dump.package_content`*:: +*`gsuite.admin.email_dump.package_content`*:: + -- The contents of the mailbox package. @@ -65866,7 +72790,7 @@ type: keyword -- -*`google_workspace.admin.email_dump.query`*:: +*`gsuite.admin.email_dump.query`*:: + -- The search query used for the dump. @@ -65875,7 +72799,7 @@ type: keyword -- -*`google_workspace.admin.request.id`*:: +*`gsuite.admin.request.id`*:: + -- The request ID. @@ -65884,7 +72808,7 @@ type: keyword -- -*`google_workspace.admin.mobile.action.id`*:: +*`gsuite.admin.mobile.action.id`*:: + -- The mobile device action's ID. @@ -65893,7 +72817,7 @@ type: keyword -- -*`google_workspace.admin.mobile.action.type`*:: +*`gsuite.admin.mobile.action.type`*:: + -- The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings @@ -65903,7 +72827,7 @@ type: keyword -- -*`google_workspace.admin.mobile.certificate.name`*:: +*`gsuite.admin.mobile.certificate.name`*:: + -- The mobile certificate common name. 
@@ -65912,7 +72836,7 @@ type: keyword -- -*`google_workspace.admin.mobile.company_owned_devices`*:: +*`gsuite.admin.mobile.company_owned_devices`*:: + -- The number of devices a company owns. @@ -65921,7 +72845,7 @@ type: long -- -*`google_workspace.admin.distribution.entity.name`*:: +*`gsuite.admin.distribution.entity.name`*:: + -- The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings @@ -65931,7 +72855,7 @@ type: keyword -- -*`google_workspace.admin.distribution.entity.type`*:: +*`gsuite.admin.distribution.entity.type`*:: + -- The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings @@ -65942,7 +72866,7 @@ type: keyword -- -*`google_workspace.drive.billable`*:: +*`gsuite.drive.billable`*:: + -- Whether this activity is billable. @@ -65951,42 +72875,42 @@ type: boolean -- -*`google_workspace.drive.source_folder_id`*:: +*`gsuite.drive.source_folder_id`*:: + -- type: keyword -- -*`google_workspace.drive.source_folder_title`*:: +*`gsuite.drive.source_folder_title`*:: + -- type: keyword -- -*`google_workspace.drive.destination_folder_id`*:: +*`gsuite.drive.destination_folder_id`*:: + -- type: keyword -- -*`google_workspace.drive.destination_folder_title`*:: +*`gsuite.drive.destination_folder_title`*:: + -- type: keyword -- -*`google_workspace.drive.file.id`*:: +*`gsuite.drive.file.id`*:: + -- type: keyword -- -*`google_workspace.drive.file.type`*:: +*`gsuite.drive.file.type`*:: + -- Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive 
@@ -65996,7 +72920,7 @@ type: keyword -- -*`google_workspace.drive.originating_app_id`*:: +*`gsuite.drive.originating_app_id`*:: + -- The Google Cloud Project ID of the application that performed the action. @@ -66006,14 +72930,14 @@ type: keyword -- -*`google_workspace.drive.file.owner.email`*:: +*`gsuite.drive.file.owner.email`*:: + -- type: keyword -- -*`google_workspace.drive.file.owner.is_shared_drive`*:: +*`gsuite.drive.file.owner.is_shared_drive`*:: + -- Boolean flag denoting whether owner is a shared drive. @@ -66023,7 +72947,7 @@ type: boolean -- -*`google_workspace.drive.primary_event`*:: +*`gsuite.drive.primary_event`*:: + -- Whether this is a primary event. A single user action in Drive may generate several events. @@ -66033,7 +72957,7 @@ type: boolean -- -*`google_workspace.drive.shared_drive_id`*:: +*`gsuite.drive.shared_drive_id`*:: + -- The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. @@ -66043,7 +72967,7 @@ type: keyword -- -*`google_workspace.drive.visibility`*:: +*`gsuite.drive.visibility`*:: + -- Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive @@ -66053,7 +72977,7 @@ type: keyword -- -*`google_workspace.drive.new_value`*:: +*`gsuite.drive.new_value`*:: + -- When a setting or property of the file changes, the new value for it will appear here. @@ -66063,7 +72987,7 @@ type: keyword -- -*`google_workspace.drive.old_value`*:: +*`gsuite.drive.old_value`*:: + -- When a setting or property of the file changes, the old value for it will appear here. @@ -66073,7 +72997,7 @@ type: keyword -- -*`google_workspace.drive.sheets_import_range_recipient_doc`*:: +*`gsuite.drive.sheets_import_range_recipient_doc`*:: + -- Doc ID of the recipient of a sheets import range. 
@@ -66082,7 +73006,7 @@ type: keyword -- -*`google_workspace.drive.old_visibility`*:: +*`gsuite.drive.old_visibility`*:: + -- When visibility changes, this holds the old value. @@ -66092,7 +73016,7 @@ type: keyword -- -*`google_workspace.drive.visibility_change`*:: +*`gsuite.drive.visibility_change`*:: + -- When visibility changes, this holds the new overall visibility of the file. @@ -66102,7 +73026,7 @@ type: keyword -- -*`google_workspace.drive.target_domain`*:: +*`gsuite.drive.target_domain`*:: + -- The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. @@ -66112,7 +73036,7 @@ type: keyword -- -*`google_workspace.drive.added_role`*:: +*`gsuite.drive.added_role`*:: + -- Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive @@ -66122,7 +73046,7 @@ type: keyword -- -*`google_workspace.drive.membership_change_type`*:: +*`gsuite.drive.membership_change_type`*:: + -- Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive @@ -66132,7 +73056,7 @@ type: keyword -- -*`google_workspace.drive.shared_drive_settings_change_type`*:: +*`gsuite.drive.shared_drive_settings_change_type`*:: + -- Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive @@ -66142,7 +73066,7 @@ type: keyword -- -*`google_workspace.drive.removed_role`*:: +*`gsuite.drive.removed_role`*:: + -- Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive 
@@ -66152,7 +73076,7 @@ type: keyword -- -*`google_workspace.drive.target`*:: +*`gsuite.drive.target`*:: + -- Target user or group. @@ -66162,7 +73086,7 @@ type: keyword -- -*`google_workspace.groups.acl_permission`*:: +*`gsuite.groups.acl_permission`*:: + -- Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -66172,7 +73096,7 @@ type: keyword -- -*`google_workspace.groups.email`*:: +*`gsuite.groups.email`*:: + -- Group email. @@ -66182,7 +73106,7 @@ type: keyword -- -*`google_workspace.groups.member.email`*:: +*`gsuite.groups.member.email`*:: + -- Member email. @@ -66192,7 +73116,7 @@ type: keyword -- -*`google_workspace.groups.member.role`*:: +*`gsuite.groups.member.role`*:: + -- Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -66202,7 +73126,7 @@ type: keyword -- -*`google_workspace.groups.setting`*:: +*`gsuite.groups.setting`*:: + -- Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -66212,7 +73136,7 @@ type: keyword -- -*`google_workspace.groups.new_value`*:: +*`gsuite.groups.new_value`*:: + -- New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -66222,7 +73146,7 @@ type: keyword -- -*`google_workspace.groups.old_value`*:: +*`gsuite.groups.old_value`*:: + -- Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -66231,7 +73155,7 @@ type: keyword -- -*`google_workspace.groups.value`*:: +*`gsuite.groups.value`*:: + -- Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups 
@@ -66241,7 +73165,7 @@ type: keyword -- -*`google_workspace.groups.message.id`*:: +*`gsuite.groups.message.id`*:: + -- SMTP message Id of an email message. Present for moderation events. @@ -66251,7 +73175,7 @@ type: keyword -- -*`google_workspace.groups.message.moderation_action`*:: +*`gsuite.groups.message.moderation_action`*:: + -- Message moderation action. Possible values are `approved` and `rejected`. @@ -66261,7 +73185,7 @@ type: keyword -- -*`google_workspace.groups.status`*:: +*`gsuite.groups.status`*:: + -- A status describing the output of an operation. Possible values are `failed` and `succeeded`. @@ -66272,14 +73196,14 @@ type: keyword -- -*`google_workspace.login.affected_email_address`*:: +*`gsuite.login.affected_email_address`*:: + -- type: keyword -- -*`google_workspace.login.challenge_method`*:: +*`gsuite.login.challenge_method`*:: + -- Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. @@ -66289,7 +73213,7 @@ type: keyword -- -*`google_workspace.login.failure_type`*:: +*`gsuite.login.failure_type`*:: + -- Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. @@ -66299,7 +73223,7 @@ type: keyword -- -*`google_workspace.login.type`*:: +*`gsuite.login.type`*:: + -- Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. @@ -66309,14 +73233,14 @@ type: keyword -- -*`google_workspace.login.is_second_factor`*:: +*`gsuite.login.is_second_factor`*:: + -- type: boolean -- -*`google_workspace.login.is_suspicious`*:: +*`gsuite.login.is_suspicious`*:: + -- type: boolean @@ -66324,7 +73248,7 @@ type: boolean -- -*`google_workspace.saml.application_name`*:: +*`gsuite.saml.application_name`*:: + -- Saml SP application name. 
@@ -66334,7 +73258,7 @@ type: keyword -- -*`google_workspace.saml.failure_type`*:: +*`gsuite.saml.failure_type`*:: + -- Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. @@ -66344,7 +73268,7 @@ type: keyword -- -*`google_workspace.saml.initiated_by`*:: +*`gsuite.saml.initiated_by`*:: + -- Requester of SAML authentication. @@ -66354,7 +73278,7 @@ type: keyword -- -*`google_workspace.saml.orgunit_path`*:: +*`gsuite.saml.orgunit_path`*:: + -- User orgunit. @@ -66364,7 +73288,7 @@ type: keyword -- -*`google_workspace.saml.status_code`*:: +*`gsuite.saml.status_code`*:: + -- SAML status code. @@ -66374,7 +73298,7 @@ type: keyword -- -*`google_workspace.saml.second_level_status_code`*:: +*`gsuite.saml.second_level_status_code`*:: + -- SAML second level status code. diff --git a/filebeat/docs/filebeat-modules-options.asciidoc b/filebeat/docs/filebeat-modules-options.asciidoc index 80b87e14f12..643f964080d 100644 --- a/filebeat/docs/filebeat-modules-options.asciidoc +++ b/filebeat/docs/filebeat-modules-options.asciidoc @@ -75,12 +75,8 @@ The following example shows a configuration that runs the `nginx`,`mysql`, and ---- {beatname_lc}.modules: - module: nginx - access: - error: - module: mysql - slowlog: - module: system - auth: ---- [[advanced-settings]] diff --git a/filebeat/docs/filebeat-options.asciidoc b/filebeat/docs/filebeat-options.asciidoc index ec8d8ef2faf..2e609307e67 100644 --- a/filebeat/docs/filebeat-options.asciidoc +++ b/filebeat/docs/filebeat-options.asciidoc @@ -72,7 +72,6 @@ You can configure {beatname_uc} to use the following inputs: * <<{beatname_lc}-input-gcp-pubsub>> * <<{beatname_lc}-input-http_endpoint>> * <<{beatname_lc}-input-httpjson>> -* <<{beatname_lc}-input-journald>> * <<{beatname_lc}-input-kafka>> * <<{beatname_lc}-input-log>> * <<{beatname_lc}-input-mqtt>> 
@@ -107,8 +106,6 @@ include::../../x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc[] include::../../x-pack/filebeat/docs/inputs/input-httpjson.asciidoc[] -include::inputs/input-journald.asciidoc[] - include::inputs/input-kafka.asciidoc[] include::inputs/input-log.asciidoc[] diff --git a/filebeat/docs/getting-started.asciidoc b/filebeat/docs/getting-started.asciidoc index d51a267b91f..8f340bde6a5 100644 --- a/filebeat/docs/getting-started.asciidoc +++ b/filebeat/docs/getting-started.asciidoc @@ -86,8 +86,8 @@ configs: include::{libbeat-dir}/tab-widgets/enable-modules-widget.asciidoc[] -- -. In the module configs under `modules.d`, enable the desired datasets and -change the module settings to match your environment. +. In the module configs under `modules.d`, change the module settings to match +your environment. + For example, log locations are set based on the OS. If your logs aren't in default locations, set the `paths` variable: @@ -97,7 +97,6 @@ default locations, set the `paths` variable: ---- - module: nginx access: - enabled: true var.paths: ["/var/log/nginx/access.log*"] <1> ---- -- diff --git a/filebeat/docs/inputs/input-journald.asciidoc b/filebeat/docs/inputs/input-journald.asciidoc deleted file mode 100644 index 0279f768d65..00000000000 --- a/filebeat/docs/inputs/input-journald.asciidoc +++ /dev/null 
@@ -1,223 +0,0 @@ -:type: journald - -[id="{beatname_lc}-input-{type}"] -=== Journald input - -++++ -journald -++++ - -https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html[`journald`] -is a system service that collects and stores logging data. The `journald` input -reads this log data and the metadata associated with it. - -The simplest configuration example is one that reads all logs from the default -journal. - -["source","yaml",subs="attributes"] ----- -{beatname_lc}.inputs: -- type: journald - id: everything ----- - -You may wish to have separate inputs for each service. You can use -`include_matches` to specify a list of filter expressions that are applied as a -logical OR. A good way to list the journald fields that are available for -filtering messages is to run `journalctl -o json` to output logs and metadata as -JSON. This example collects logs from the `vault.service` systemd unit. - -["source","yaml",subs="attributes"] ----- -{beatname_lc}.inputs: -- type: journald - id: service-vault - include_matches: - - _SYSTEMD_UNIT=vault.service ----- - -This example collects kernel logs where the message begins with `iptables`. -Note that `include_matches` is more efficient than Beat processors because that -are applied before the data is passed to the {beatname_uc} so prefer them where -possible. - -["source","yaml",subs="attributes"] ----- -{beatname_lc}.inputs: -- type: journald - id: iptables - include_matches: - - _TRANSPORT=kernel - processors: - - drop_event: - when.not.regex.message: '^iptables' ----- - -Each example adds the `id` for the input to ensure the cursor is persisted to -the registry with a unique ID. The ID should be unique among journald inputs. -If you don't specify and `id` then one is created for you by hashing -the configuration. So when you modify the config this will result in a new ID -and a fresh cursor. 
- -[id="{beatname_lc}-input-{type}-options"] -==== Configuration options - -The `journald` input supports the following configuration options plus the -<<{beatname_lc}-input-{type}-common-options>> described later. - -[float] -[id="{beatname_lc}-input-{type}-id"] -==== `id` - -An optional unique identifier for the input. By providing a unique `id` you can -operate multiple inputs on the same journal. This allows each input's cursor to -be persisted independently in the registry file. - -["source","yaml",subs="attributes"] ----- -{beatname_lc}.inputs: -- type: journald - id: consul.service - include_matches: - - _SYSTEMD_UNIT=consul.service - -- type: journald - id: vault.service - include_matches: - - _SYSTEMD_UNIT=vault.service ----- - -[float] -[id="{beatname_lc}-input-{type}-paths"] -==== `paths` - -A list of paths that will be crawled and fetched. Each path can be a directory -path (to collect events from all journals in a directory), or a file path. If -you specify a directory, {beatname_uc} merges all journals under the directory -into a single journal and reads them. - -If no paths are specified, {beatname_uc} reads from the default journal. - -[float] -[id="{beatname_lc}-input-{type}-backoff"] -==== `backoff` - -The number of seconds to wait before trying to read again from journals. The -default is 1s. - -[float] -[id="{beatname_lc}-input-{type}-max-backoff"] -==== `max_backoff` - -The maximum number of seconds to wait before attempting to read again from -journals. The default is 60s. - -[float] -[id="{beatname_lc}-input-{type}-seek"] -==== `seek` - -The position to start reading the journal from. Valid settings are: - -* `head`: Starts reading at the beginning of the journal. After a restart, -{beatname_uc} resends all log messages in the journal. -* `tail`: Starts reading at the end of the journal. After a restart, -{beatname_uc} resends the last message, which might result in duplicates. 
If -multiple log messages are written to a journal while {beatname_uc} is down, -only the last log message is sent on restart. -* `cursor`: On first read, starts reading at the beginning of the journal. After -a reload or restart, continues reading at the last known position. - -If you have old log files and want to skip lines, start {beatname_uc} with -`seek: tail` specified. Then stop {beatname_uc}, set `seek: cursor`, and restart -{beatname_uc}. - -[float] -[id="{beatname_lc}-input-{type}-include-matches"] -==== `include_matches` - -A list of filter expressions used to match fields. The format of the expression -is `field=value`. {beatname_uc} fetches all events that exactly match the -expressions. Pattern matching is not supported. - -To reference fields, use one of the following: - -* The field name used by the systemd journal. For example, -`CONTAINER_TAG=redis`. -* The <<{beatname_lc}-input-{type}-translated-fields,translated field name>> -used by {beatname_uc}. For example, `container.image.tag=redis`. {beatname_uc} -does not translate all fields from the journal. For custom fields, use the name -specified in the systemd journal. 
- -[float] -[id="{beatname_lc}-input-{type}-translated-fields"] -=== Translated field names - -You can use the following translated names in filter expressions to reference -journald fields: - -[horizontal] -*Journald field name*:: *Translated name* -`COREDUMP_UNIT`:: `journald.coredump.unit` -`COREDUMP_USER_UNIT`:: `journald.coredump.user_unit` -`OBJECT_AUDIT_LOGINUID`:: `journald.object.audit.login_uid` -`OBJECT_AUDIT_SESSION`:: `journald.object.audit.session` -`OBJECT_CMDLINE`:: `journald.object.cmd` -`OBJECT_COMM`:: `journald.object.name` -`OBJECT_EXE`:: `journald.object.executable` -`OBJECT_GID`:: `journald.object.gid` -`OBJECT_PID`:: `journald.object.pid` -`OBJECT_SYSTEMD_OWNER_UID`:: `journald.object.systemd.owner_uid` -`OBJECT_SYSTEMD_SESSION`:: `journald.object.systemd.session` -`OBJECT_SYSTEMD_UNIT`:: `journald.object.systemd.unit` -`OBJECT_SYSTEMD_USER_UNIT`:: `journald.object.systemd.user_unit` -`OBJECT_UID`:: `journald.object.uid` -`_AUDIT_LOGINUID`:: `process.audit.login_uid` -`_AUDIT_SESSION`:: `process.audit.session` -`_BOOT_ID`:: `host.boot_id` -`_CAP_EFFECTIVE`:: `process.capabilites` -`_CMDLINE`:: `process.cmd` -`_CODE_FILE`:: `journald.code.file` -`_CODE_FUNC`:: `journald.code.func` -`_CODE_LINE`:: `journald.code.line` -`_COMM`:: `process.name` -`_EXE`:: `process.executable` -`_GID`:: `process.uid` -`_HOSTNAME`:: `host.name` -`_KERNEL_DEVICE`:: `journald.kernel.device` -`_KERNEL_SUBSYSTEM`:: `journald.kernel.subsystem` -`_MACHINE_ID`:: `host.id` -`_MESSAGE`:: `message` -`_PID`:: `process.pid` -`_PRIORITY`:: `syslog.priority` -`_SYSLOG_FACILITY`:: `syslog.facility` -`_SYSLOG_IDENTIFIER`:: `syslog.identifier` -`_SYSLOG_PID`:: `syslog.pid` -`_SYSTEMD_CGROUP`:: `systemd.cgroup` -`_SYSTEMD_INVOCATION_ID`:: `systemd.invocation_id` -`_SYSTEMD_OWNER_UID`:: `systemd.owner_uid` -`_SYSTEMD_SESSION`:: `systemd.session` -`_SYSTEMD_SLICE`:: `systemd.slice` -`_SYSTEMD_UNIT`:: `systemd.unit` -`_SYSTEMD_USER_SLICE`:: `systemd.user_slice` -`_SYSTEMD_USER_UNIT`:: 
`systemd.user_unit` -`_TRANSPORT`:: `systemd.transport` -`_UDEV_DEVLINK`:: `journald.kernel.device_symlinks` -`_UDEV_DEVNODE`:: `journald.kernel.device_node_path` -`_UDEV_SYSNAME`:: `journald.kernel.device_name` -`_UID`:: `process.uid` - -The following translated fields for -https://docs.docker.com/config/containers/logging/journald/[Docker] are also -available: - -[horizontal] -`CONTAINER_ID`:: `container.id_truncated` -`CONTAINER_ID_FULL`:: `container.id` -`CONTAINER_NAME`:: `container.name` -`CONTAINER_PARTIAL_MESSAGE`:: `container.partial` -`CONTAINER_TAG`:: `container.image.tag` - -[id="{beatname_lc}-input-{type}-common-options"] -include::../inputs/input-common-options.asciidoc[] - -:type!: diff --git a/filebeat/docs/modules/aws.asciidoc b/filebeat/docs/modules/aws.asciidoc index a1652498c96..32d3eab6c9b 100644 --- a/filebeat/docs/modules/aws.asciidoc +++ b/filebeat/docs/modules/aws.asciidoc 
@@ -197,29 +197,6 @@ Required when using temporary security credentials. *`var.role_arn`*:: AWS IAM Role to assume. -[float] -=== config behaviour -Beware that in case both `var.queue_url` and `var.bucket_arn` are not set -instead of failing to start Filebeat with a config validation error, only the -specific fileset input will be stopped and a warning printed: -``` -2021-08-26T14:33:03.661-0600 WARN [aws-s3] awss3/config.go:54 neither queue_url nor bucket_arn were provided, input aws-s3 will stop -2021-08-26T14:33:10.668-0600 INFO [input.aws-s3] compat/compat.go:111 Input aws-s3 starting {"id": "29F3565F5B2A7070"} -2021-08-26T14:33:10.668-0600 INFO [input.aws-s3] compat/compat.go:124 Input 'aws-s3' stopped {"id": "29F3565F5B2A7070"} -``` - -This behaviour is required in order to reduce destruction of existing Filebeat setup -where not all AWS module's filesets are defined and will change in next major release. - -Setting `enabled: false` in the unused fileset will silence the warning and it is -the suggested setup. For example (assuming `cloudtrail` as unused fileset): -``` -- module: aws - cloudtrail: - enabled: false - -``` - [float] === cloudtrail fileset diff --git a/filebeat/docs/modules/cyberark.asciidoc b/filebeat/docs/modules/cyberark.asciidoc new file mode 100644 index 00000000000..bff645d0809 --- /dev/null +++ b/filebeat/docs/modules/cyberark.asciidoc 
@@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-cyberark]] +[role="xpack"] + +:modulename: cyberark +:has-dashboards: false + +== Cyberark module + +deprecated::[7.13.0,"This module is deprecated. Use the <>"] + +This is a module for receiving Cyber-Ark logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: corepas + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `corepas` fileset settings + +deprecated::[7.13.0] + +NOTE: This was converted from RSA NetWitness log parser XML "cyberark" device revision 124. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9527` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + 
diff --git a/filebeat/docs/modules/gsuite.asciidoc b/filebeat/docs/modules/gsuite.asciidoc new file mode 100644 index 00000000000..2df022216c5 --- /dev/null +++ b/filebeat/docs/modules/gsuite.asciidoc 
@@ -0,0 +1,146 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-gsuite]] +[role="xpack"] + +:modulename: gsuite +:has-dashboards: false + +== GSuite module + +beta[] + +deprecated::[7.12] + +This is a module for ingesting data from the different GSuite audit reports API's. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +It is compatible with a subset of applications under the https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started[Google Reports API v1]. As of today it supports: + +[options="header"] +|=========================================================================================================================================================================================================================== +| GSuite Service | Description | +| SAML https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[api docs] https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054[help] | View users’ successful and failed sign-ins to SAML applications. | +| User Accounts https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[api docs] https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054[help] | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | +| Login https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[api docs] https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054[help] | Track user sign-in activity to your domain. | +| Admin https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[api docs] https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054[help] | View administrator activity performed within the Google Admin console. 
| +| Drive https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[api docs] https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054[help] | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | +| Groups https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[api docs] https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054[help] | Track changes to groups, group memberships and group messages. | +|=========================================================================================================================================================================================================================== + +[float] +=== Configure the module + +In order for Filebeat to ingest data from the Google Reports API you must: + +- Have an *administrator account*. +- https://support.google.com/gsuitemigrate/answer/9222993?hl=en[Set up a ServiceAccount] using the administrator account. +- https://support.google.com/gsuitemigrate/answer/9222865?hl=en[Set up access to the Admin SDK API] for the ServiceAccount. +- https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Enable Domain-Wide Delegation] for your ServiceAccount. 
+ +This module will make use of the following *oauth2 scope*: + +- `https://www.googleapis.com/auth/admin.reports.audit.readonly` + +Once you have downloaded your service account credentials as a JSON file, +you can set up your module: + +[float] +===== Configuration options + +[source,yaml] +---- +- module: gsuite + saml: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + user_accounts: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + login: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + admin: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + drive: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + groups: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" +---- + +Every fileset has the following configuration options: + +*`var.jwt_file`*:: + +Specifies the path to the JWT credentials file. + +*`var.delegated_account`*:: + +Email of the admin user used to access the API. + +*`var.http_client_timeout`*:: + +Duration of the time limit on HTTP requests made by the module. Defaults to +`60s`. + +*`var.interval`*:: + +Duration between requests to the API. Defaults to `2h`. + +NOTE: GSuite defaults to a 2 hour polling interval because Google reports can go from +some minutes up to 3 days of delay. For more details on this, you can read more https://support.google.com/a/answer/7061566[here]. + +*`var.user_key`*:: + +Specifies the user key to fetch reports from. Defaults to `all`. + +*`var.initial_interval`*:: + +It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to `24h`. 
+ +[float] +==== GSuite Reports ECS fields + +This is a list of GSuite Reports fields that are mapped to ECS. + +[options="header"] +|=============================================================================================== +| GSuite Reports | ECS Fields | +| `items[].id.time` | `@timestamp` | +| `items[].id.uniqueQualifier` | `event.id` | +| `items[].id.applicationName` | `event.provider` | +| `items[].events[].name` | `event.action` | +| `items[].customerId` | `organization.id` | +| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` | +| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | +| `items[].actor.profileId` | `source.user.id` | +|=============================================================================================== + +These are the common ones to all filesets. + +:has-dashboards!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/sophos.asciidoc b/filebeat/docs/modules/sophos.asciidoc index 35438478d5d..510afde1f65 100644 --- a/filebeat/docs/modules/sophos.asciidoc +++ b/filebeat/docs/modules/sophos.asciidoc 
@@ -16,17 +16,17 @@ logs in syslog format or from a file for the following devices: - `xg` fileset: supports Sophos XG SFOS logs. - `utm` fileset: supports Sophos UTM logs. -To configure a remote syslog destination, please reference the https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/SyslogServerAdd.html[SophosXG/SFOS Documentation]. +To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. -The syslog format choosen in Sophos configuration should be `Central Reporting Format`. +The syslog format choosen should be `Default`. include::../include/gs-link.asciidoc[] [float] === Compatibility -This module has been tested against SFOS version 17.5.x, 18.0.x, and 18.5.x. -Versions above this and between 18.0 - 18.5 are expected to work but have not been tested. +This module has been tested against SFOS version 17.5.x and 18.0.x. +Versions above this are expected to work but have not been tested. include::../include/configuring-intro.asciidoc[] diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index c55da6935ad..bb588001ee1 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -16,6 +16,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -24,6 +25,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -89,6 +91,7 @@ include::modules/checkpoint.asciidoc[] include::modules/cisco.asciidoc[] include::modules/coredns.asciidoc[] include::modules/crowdstrike.asciidoc[] +include::modules/cyberark.asciidoc[] include::modules/cyberarkpas.asciidoc[] include::modules/cylance.asciidoc[] include::modules/elasticsearch.asciidoc[] 
@@ -97,6 +100,7 @@ include::modules/f5.asciidoc[] include::modules/fortinet.asciidoc[] include::modules/gcp.asciidoc[] include::modules/google_workspace.asciidoc[] +include::modules/gsuite.asciidoc[] include::modules/haproxy.asciidoc[] include::modules/ibmmq.asciidoc[] include::modules/icinga.asciidoc[] diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 33a24a5fb9c..dbdb731c0dc 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -80,32 +80,32 @@ filebeat.modules: - module: elasticsearch # Server log server: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: @@ -114,7 +114,7 @@ filebeat.modules: - module: haproxy # All logs log: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: @@ -191,7 +191,7 @@ filebeat.modules: - module: kafka # All logs log: - enabled: false + enabled: true # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. @@ -205,7 +205,7 @@ filebeat.modules: - module: kibana # Server logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -213,7 +213,7 @@ filebeat.modules: # Audit logs audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -281,7 +281,7 @@ filebeat.modules: - module: nats # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -322,9 +322,9 @@ filebeat.modules: # #var.paths: #------------------------------- Osquery Module ------------------------------- -#- module: osquery - #result: - #enabled: true +- module: osquery + result: + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -339,7 +339,7 @@ filebeat.modules: - module: pensando # Firewall logs dfw: - enabled: false + enabled: true var.syslog_host: 0.0.0.0 var.syslog_port: 9001 @@ -384,7 +384,7 @@ filebeat.modules: #----------------------------- Google Santa Module ----------------------------- - module: santa log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/filebeat/fileset/compatibility.go b/filebeat/fileset/compatibility.go index 8a38e6158cc..8fe4e64a4db 100644 --- a/filebeat/fileset/compatibility.go +++ b/filebeat/fileset/compatibility.go @@ -106,13 +106,6 @@ var processorCompatibilityChecks = []processorCompatibility{ }, adaptConfig: deleteProcessor, }, - { - procType: "*", - checkVersion: func(esVersion *common.Version) bool { - return esVersion.LessThan(common.MustNewVersion("7.9.0")) - }, - adaptConfig: removeDescription, - }, } // Processor represents and Ingest Node processor definition. @@ -280,7 +273,7 @@ nextProcessor: // Run compatibility checks on the processor. for _, proc := range processorCompatibilityChecks { - if processor.Name() != proc.procType && proc.procType != "*" { + if processor.Name() != proc.procType { continue } 
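Review bot: The new side of the `@@ -339` pensando hunk enables the `dfw` fileset while the surviving context keeps `var.syslog_host: 0.0.0.0` and `var.syslog_port: 9001`, so this reference configuration now starts a syslog listener bound to every interface without an explicit operator opt-in. The other hunks in this file (`@@ -80`, `@@ -114`, `@@ -191`, `@@ -205`, `@@ -213`, `@@ -281`, `@@ -322`, `@@ -384`) flip `enabled: false` to `enabled: true` the same way, so each listed module becomes active by default. This file is presumably generated from the modules' `_meta/config.yml` (the apache one is changed later in this patch), so the defaults belong there; for a fileset whose input listens on the network I would keep `enabled: false`, or at least default `var.syslog_host` to `localhost` as the cyberark module docs above describe.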
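Review bot: Removing the `procType: "*"` entry drops the only version-gated adaptation that stripped `description` from every processor, and the `@@ -415` hunk on the next line deletes `removeDescription` itself, whose own comment says it exists "so ES less than 7.9 will work"; on the new side a pipeline carrying `description` is sent verbatim to any cluster, so setup against Elasticsearch below 7.9.0 will fail unless that version range is no longer supported by this branch. If the support floor has moved, that should be stated in the changelog and no replacement gate is needed; if it has not, keep the wildcard entry and the helper. The `@@ -280` hunk here and the `@@ -288` hunk on the next line (switching the log context and error message to `proc.procType`) are consistent with the removal and fine on their own; the loop they sit in starts outside the hunk.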
@@ -288,9 +281,9 @@ nextProcessor:
 continue
 }
- processor, err = proc.adaptConfig(processor, log.With("processor_type", processor.Name(), "processor_index", i))
+ processor, err = proc.adaptConfig(processor, log.With("processor_type", proc.procType, "processor_index", i))
 if err != nil {
- return fmt.Errorf("failed to adapt %q processor at index %d: %w", processor.Name(), i, err)
+ return fmt.Errorf("failed to adapt %q processor at index %d: %w", proc.procType, i, err)
 }
 if processor.IsNil() {
 continue nextProcessor
@@ -415,16 +408,3 @@ func replaceConvertIP(processor Processor, log *logp.Logger) (Processor, error)
 log.Debug("processor output=", processor.String())
 return processor, nil
 }
-
-// removeDescription removes the description config option so ES less than 7.9 will work.
-func removeDescription(processor Processor, log *logp.Logger) (Processor, error) {
- _, ok := processor.GetString("description")
- if !ok {
- return processor, nil
- }
-
- log.Debug("Removing unsupported 'description' from processor.")
- processor.Delete("description")
-
- return processor, nil
-}
diff --git a/filebeat/fileset/compatibility_test.go b/filebeat/fileset/compatibility_test.go
index 560af3940ab..0d3b000d8b7 100644
--- a/filebeat/fileset/compatibility_test.go
+++ b/filebeat/fileset/compatibility_test.go
@@ -922,6 +922,7 @@ func TestReplaceConvertIPWithGrok(t *testing.T) {
 "^%{IP:bar}$",
 },
 "ignore_missing": true,
+ "description": "foo bar",
 "if": "condition",
 "ignore_failure": false,
 "tag": "myTag",
@@ -1340,118 +1341,3 @@ func TestReplaceAlternativeFlowProcessors(t *testing.T) { }) } } - -func TestRemoveDescription(t *testing.T) { - cases := []struct { - name string - esVersion *common.Version - content map[string]interface{} - expected map[string]interface{} - isErrExpected bool - }{ - { - name: "ES < 7.9.0", - esVersion: common.MustNewVersion("7.8.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "description": "This is a description", - }, - }, - map[string]interface{}{ - "script": map[string]interface{}{ - "source": "abcd", - "lang": "painless", - "description": "This is a description", - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - }, - }, - map[string]interface{}{ - "script": map[string]interface{}{ - "source": "abcd", - "lang": "painless", - }, - }, - }, - }, - isErrExpected: false, - }, - { - name: "ES == 7.9.0", - esVersion: common.MustNewVersion("7.9.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "description": "This is a description", - }, - }, - }}, - expected: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "description": "This is a description", - }, - }, - }, - }, - isErrExpected: false, - }, - { - name: "ES > 7.9.0", - esVersion: common.MustNewVersion("8.0.0"), - content: map[string]interface{}{ - "processors": []interface{}{ - map[string]interface{}{ - "set": map[string]interface{}{ - "field": "rule.name", - "value": "{{panw.panos.ruleset}}", - "description": "This is a 
description",
- },
- },
- }},
- expected: map[string]interface{}{
- "processors": []interface{}{
- map[string]interface{}{
- "set": map[string]interface{}{
- "field": "rule.name",
- "value": "{{panw.panos.ruleset}}",
- "description": "This is a description",
- },
- },
- },
- },
- isErrExpected: false,
- },
- }
-
- for _, test := range cases {
- test := test
- t.Run(test.name, func(t *testing.T) {
- t.Parallel()
- err := adaptPipelineForCompatibility(*test.esVersion, "foo-pipeline", test.content, logp.NewLogger(logName))
- if test.isErrExpected {
- assert.Error(t, err)
- } else {
- require.NoError(t, err)
- assert.Equal(t, test.expected, test.content, test.name)
- }
- })
- }
-}
diff --git a/filebeat/fileset/modules.go b/filebeat/fileset/modules.go
index 72c8d17cb25..3df41999f8f 100644
--- a/filebeat/fileset/modules.go
+++ b/filebeat/fileset/modules.go
@@ -69,7 +69,11 @@ func newModuleRegistry(modulesPath string,
 return nil, fmt.Errorf("error getting filesets for module %s: %v", mcfg.Module, err)
 }
- for filesetName, fcfg := range mcfg.Filesets {
+ for _, filesetName := range moduleFilesets {
+ fcfg, exists := mcfg.Filesets[filesetName]
+ if !exists {
+ fcfg = &FilesetConfig{}
+ }
 fcfg, err = applyOverrides(fcfg, mcfg.Module, filesetName, overrides)
 if err != nil {
@@ -79,15 +83,6 @@ func newModuleRegistry(modulesPath string,
 if fcfg.Enabled != nil && !(*fcfg.Enabled) {
 continue
 }
- found := false
- for _, name := range moduleFilesets {
- if filesetName == name {
- found = true
- }
- }
- if !found {
- return nil, fmt.Errorf("fileset %s/%s is configured but doesn't exist", mcfg.Module, filesetName)
- }
 fileset, err := New(modulesPath, filesetName, mcfg, fcfg)
 if err != nil {
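Review bot: Iterating `moduleFilesets` and defaulting a missing entry to `&FilesetConfig{}` makes every fileset of a listed module active unless it is explicitly disabled (the modules_test change below expects `ingress_controller` for a bare `{Module: "nginx"}`), which also activates filesets whose input is a network listener rather than a file; that default deserves a doc comment on `newModuleRegistry` and a changelog note. Override validation regresses as well: the old loop errored on a configured fileset that does not exist, and `enableFilesetsFromOverrides` (deleted in the `@@ -141` hunk on the next line) first inserted override targets into `mcfg.Filesets` so they were subject to that check, whereas the new existence check in the `@@ -98` hunk walks only `mcfg.Filesets`, so an override naming a non-existent fileset is now dropped silently unless `applyOverrides` rejects it (not visible here). I would apply the same `moduleFilesets` membership check to the override keys in the `@@ -98` loop. `newModuleRegistry` begins outside the hunk.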
@@ -98,6 +93,22 @@ func newModuleRegistry(modulesPath string,
 }
 reg.registry[mcfg.Module][filesetName] = fileset
 }
+
+ // check that no extra filesets are configured
+ for filesetName, fcfg := range mcfg.Filesets {
+ if fcfg.Enabled != nil && !(*fcfg.Enabled) {
+ continue
+ }
+ found := false
+ for _, name := range moduleFilesets {
+ if filesetName == name {
+ found = true
+ }
+ }
+ if !found {
+ return nil, fmt.Errorf("fileset %s/%s is configured but doesn't exist", mcfg.Module, filesetName)
+ }
+ }
 }
 return ®, nil
@@ -141,30 +152,9 @@ func NewModuleRegistry(moduleConfigs []*common.Config, beatInfo beat.Info, init
 return nil, err
 }
- enableFilesetsFromOverrides(mcfgs, modulesOverrides)
 return newModuleRegistry(modulesPath, mcfgs, modulesOverrides, beatInfo)
 }
-// enableFilesetsFromOverrides enables in mcfgs the filesets mentioned in overrides,
-// so that the overridden configuration can be applied.
-func enableFilesetsFromOverrides(mcfgs []*ModuleConfig, overrides *ModuleOverrides) {
- if overrides == nil {
- return
- }
- for _, mcfg := range mcfgs {
- if modOvr, ok := (*overrides)[mcfg.Module]; ok {
- for fset := range modOvr {
- if _, ok = mcfg.Filesets[fset]; !ok {
- if mcfg.Filesets == nil {
- mcfg.Filesets = make(map[string]*FilesetConfig)
- }
- mcfg.Filesets[fset] = &FilesetConfig{}
- }
- }
- }
- }
-}
-
 func mcfgFromConfig(cfg *common.Config) (*ModuleConfig, error) {
 var mcfg ModuleConfig
@@ -181,18 +171,11 @@ func mcfgFromConfig(cfg *common.Config) (*ModuleConfig, error) {
 }
 mcfg.Filesets = map[string]*FilesetConfig{}
-
- // This calls cfg.GetFields() instead of iterating over `dict` keys
- // because cfg.Unpack above doesn't return keys that map to a nil value,
- // but GetFields() returns all keys. We need to observe filesets that
- // don't contain any configuration (all default values).
- for _, name := range cfg.GetFields() {
+ for name, filesetConfig := range dict {
 if name == "module" || name == "enabled" || name == "path" {
 continue
 }
- filesetConfig, _ := dict[name] // Nil config if name is not present.
-
 tmpCfg, err := common.NewConfigFrom(filesetConfig)
 if err != nil {
 return nil, fmt.Errorf("error creating config from fileset %s/%s: %v", mcfg.Module, name, err)
@@ -417,19 +400,9 @@ func (reg *ModuleRegistry) ModuleNames() []string {
 return modules
 }
-// ModuleAvailableFilesets return the list of available filesets for the given module
+// ModuleFilesets return the list of available filesets for the given module
 // it returns an empty list if the module doesn't exist
-func (reg *ModuleRegistry) ModuleAvailableFilesets(module string) ([]string, error) {
+func (reg *ModuleRegistry) ModuleFilesets(module string) ([]string, error) {
 modulesPath := paths.Resolve(paths.Home, "module")
 return getModuleFilesets(modulesPath, module)
 }
-
-// ModuleConfiguredFilesets return the list of configured filesets for the given module
-// it returns an empty list if the module doesn't exist
-func (reg *ModuleRegistry) ModuleConfiguredFilesets(module string) (list []string, err error) {
- filesets, _ := reg.registry[module]
- for name := range filesets {
- list = append(list, name)
- }
- return
-}
diff --git a/filebeat/fileset/modules_integration_test.go b/filebeat/fileset/modules_integration_test.go
index 4d5a79a9426..7afd9bbb547 100644
--- a/filebeat/fileset/modules_integration_test.go
+++ b/filebeat/fileset/modules_integration_test.go
@@ -105,13 +105,7 @@ func TestSetupNginx(t *testing.T) { require.NoError(t, err) configs := []*ModuleConfig{ - { - Module: "nginx", - Filesets: map[string]*FilesetConfig{ - "error": {}, - "access": {}, - }, - }, + {Module: "nginx"}, } reg, err := newModuleRegistry(modulesPath, configs, nil, makeTestInfo("5.2.0")) diff --git a/filebeat/fileset/modules_test.go b/filebeat/fileset/modules_test.go index 7fe2e32aaab..f69db27648c 100644 --- a/filebeat/fileset/modules_test.go +++ b/filebeat/fileset/modules_test.go @@ -45,39 +45,11 @@ func TestNewModuleRegistry(t *testing.T) { modulesPath, err := filepath.Abs("../module") require.NoError(t, err) - falseVar := false - configs := []*ModuleConfig{ - { - Module: "nginx", - Filesets: map[string]*FilesetConfig{ - "access": {}, - "error": {}, - "ingress_controller": { - Enabled: &falseVar, - }, - }, - }, - { - Module: "mysql", - Filesets: map[string]*FilesetConfig{ - "slowlog": {}, - "error": {}, - }, - }, - { - Module: "system", - Filesets: map[string]*FilesetConfig{ - "syslog": {}, - "auth": {}, - }, - }, - { - Module: "auditd", - Filesets: map[string]*FilesetConfig{ - "log": {}, - }, - }, + {Module: "nginx"}, + {Module: "mysql"}, + {Module: "system"}, + {Module: "auditd"}, } reg, err := newModuleRegistry(modulesPath, configs, nil, beat.Info{Version: "5.2.0"}) @@ -86,7 +58,7 @@ func TestNewModuleRegistry(t *testing.T) { expectedModules := map[string][]string{ "auditd": {"log"}, - "nginx": {"access", "error"}, + "nginx": {"access", "error", "ingress_controller"}, "mysql": {"slowlog", "error"}, "system": {"syslog", "auth"}, } @@ -402,19 +374,6 @@ func TestMcfgFromConfig(t *testing.T) { }, }, }, - { - name: "empty fileset (nil)", - config: load(t, map[string]interface{}{ - "module": "nginx", - "error": nil, - }), - expected: ModuleConfig{ - Module: "nginx", - Filesets: map[string]*FilesetConfig{ - "error": {}, - }, - }, - }, } for _, test := range tests { 
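Review bot: TestNewModuleRegistry no longer exercises the explicitly-disabled-fileset path: the old table set `Enabled: &falseVar` on nginx's `ingress_controller` and expected it absent, while the new table lists bare modules and expects all three nginx filesets, so the `fcfg.Enabled != nil && !(*fcfg.Enabled)` branch in `newModuleRegistry` is now untested here. Keeping `falseVar := false` and one entry such as `{Module: "nginx", Filesets: map[string]*FilesetConfig{"ingress_controller": {Enabled: &falseVar}}}` with the matching expectation would preserve that coverage. The removed "empty fileset (nil)" case in the `@@ -402` hunk matches the `mcfgFromConfig` change on the previous line and needs no replacement.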
@@ -492,132 +451,3 @@ func TestInterpretError(t *testing.T) { }) } } - -func TestEnableFilesetsFromOverrides(t *testing.T) { - tests := []struct { - Name string - Cfg []*ModuleConfig - Overrides *ModuleOverrides - Expected []*ModuleConfig - }{ - { - Name: "add fileset", - Cfg: []*ModuleConfig{ - { - Module: "foo", - Filesets: map[string]*FilesetConfig{ - "bar": {}, - }, - }, - }, - Overrides: &ModuleOverrides{ - "foo": { - "baz": nil, - }, - }, - Expected: []*ModuleConfig{ - { - Module: "foo", - Filesets: map[string]*FilesetConfig{ - "bar": {}, - "baz": {}, - }, - }, - }, - }, - { - Name: "defined fileset", - Cfg: []*ModuleConfig{ - { - Module: "foo", - Filesets: map[string]*FilesetConfig{ - "bar": { - Var: map[string]interface{}{ - "a": "b", - }, - }, - }, - }, - }, - Overrides: &ModuleOverrides{ - "foo": { - "bar": nil, - }, - }, - Expected: []*ModuleConfig{ - { - Module: "foo", - Filesets: map[string]*FilesetConfig{ - "bar": { - Var: map[string]interface{}{ - "a": "b", - }, - }, - }, - }, - }, - }, - { - Name: "disabled module", - Cfg: []*ModuleConfig{ - { - Module: "foo", - Filesets: map[string]*FilesetConfig{ - "bar": {}, - }, - }, - }, - Overrides: &ModuleOverrides{ - "other": { - "bar": nil, - }, - }, - Expected: []*ModuleConfig{ - { - Module: "foo", - Filesets: map[string]*FilesetConfig{ - "bar": {}, - }, - }, - }, - }, - { - Name: "nil overrides", - Cfg: []*ModuleConfig{ - { - Module: "foo", - Filesets: map[string]*FilesetConfig{ - "bar": {}, - }, - }, - }, - Overrides: nil, - Expected: []*ModuleConfig{ - { - Module: "foo", - Filesets: map[string]*FilesetConfig{ - "bar": {}, - }, - }, - }, - }, - { - Name: "no modules", - Cfg: nil, - Overrides: &ModuleOverrides{ - "other": { - "bar": nil, - }, - }, - Expected: nil, - }, - } - - for _, test := range tests { - t.Run(test.Name, func(t *testing.T) { - enableFilesetsFromOverrides(test.Cfg, test.Overrides) - assert.Equal(t, test.Expected, test.Cfg) - }) - } - -} 
diff --git a/filebeat/input/default-inputs/inputs_linux.go b/filebeat/input/default-inputs/inputs_linux.go
index deaa915b918..c2ec4960e92 100644
--- a/filebeat/input/default-inputs/inputs_linux.go
+++ b/filebeat/input/default-inputs/inputs_linux.go
@@ -18,7 +18,6 @@ package inputs
 import (
- "github.com/elastic/beats/v7/filebeat/input/journald"
 v2 "github.com/elastic/beats/v7/filebeat/input/v2"
 cursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor"
 "github.com/elastic/beats/v7/libbeat/beat"
@@ -32,12 +31,8 @@ type osComponents interface {
 }
 func osInputs(info beat.Info, log *logp.Logger, components osComponents) []v2.Plugin {
- var plugins []v2.Plugin
-
- zeroPlugin := v2.Plugin{}
- if journald := journald.Plugin(log, components); journald != zeroPlugin {
- plugins = append(plugins, journald)
+ return []v2.Plugin{
+ // XXX: journald is currently disable.
+ // journald.Plugin(log, components),
 }
-
- return plugins
 }
diff --git a/filebeat/input/filestream/input.go b/filebeat/input/filestream/input.go
index c1ba829d65f..ec051273171 100644
--- a/filebeat/input/filestream/input.go
+++ b/filebeat/input/filestream/input.go
@@ -27,6 +27,7 @@ import (
 loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile"
 input "github.com/elastic/beats/v7/filebeat/input/v2"
+ "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/libbeat/common/cleanup"
 "github.com/elastic/beats/v7/libbeat/common/match"
@@ -329,7 +330,8 @@ func (inp *filestream) readFromSource(
 continue
 }
- if err := p.Publish(message.ToEvent(), s); err != nil {
+ event := inp.eventFromMessage(message, path)
+ if err := p.Publish(event, s); err != nil {
 return err
 }
 }
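Review bot: The new `osInputs` body returns an empty slice literal holding a commented-out `journald.Plugin(log, components)` call, but the `@@ -18` hunk above also removes the `journald` import, so uncommenting that line will not compile as-is; the comment should say so, and "disable" should read "disabled": `// XXX: journald is currently disabled; re-enabling journald.Plugin(log, components) also needs the journald import restored.`. `info`, `log` and `components` are now unused and kept only to preserve the signature, which is reasonable for a per-platform hook but worth a word in the same comment.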
@@ -363,3 +365,21 @@ func matchAny(matchers []match.Matcher, text string) bool {
 }
 return false
 }
+
+func (inp *filestream) eventFromMessage(m reader.Message, path string) beat.Event {
+ if m.Fields == nil {
+ m.Fields = common.MapStr{}
+ }
+
+ if len(m.Content) > 0 {
+ if _, ok := m.Fields["message"]; !ok {
+ m.Fields["message"] = string(m.Content)
+ }
+ }
+
+ return beat.Event{
+ Timestamp: m.Ts,
+ Meta: m.Meta,
+ Fields: m.Fields,
+ }
+}
diff --git a/filebeat/input/filestream/parsers_integration_test.go b/filebeat/input/filestream/parsers_integration_test.go
index 87f592c0849..aab501ca146 100644
--- a/filebeat/input/filestream/parsers_integration_test.go
+++ b/filebeat/input/filestream/parsers_integration_test.go
@@ -247,8 +247,6 @@ The total should be 4 lines covered
 // test_rabbitmq_multiline_log from test_multiline.py
 func TestParsersRabbitMQMultilineLog(t *testing.T) {
- t.Skip("Flaky test: https://github.com/elastic/beats/issues/27893")
-
 env := newInputTestingEnvironment(t)
 testlogName := "test.log"
@@ -293,8 +291,6 @@ connection <0.23893.109>, channel 3 - soft error:
 // test_max_lines from test_multiline.py
 func TestParsersMultilineMaxLines(t *testing.T) {
- t.Skip("Flaky test: https://github.com/elastic/beats/issues/27894")
-
 env := newInputTestingEnvironment(t)
 testlogName := "test.log"
@@ -505,8 +501,6 @@ func TestParsersCloseTimeoutWithMultiline(t *testing.T) {
 // test_consecutive_newline from test_multiline.py
 func TestParsersConsecutiveNewline(t *testing.T) {
- t.Skip("Flaky test: https://github.com/elastic/beats/issues/27085")
-
 env := newInputTestingEnvironment(t)
 testlogName := "test.log"
diff --git a/filebeat/input/journald/input_stub.go b/filebeat/input/journald/input_stub.go
deleted file mode 100644
index 4eada4569c5..00000000000
--- a/filebeat/input/journald/input_stub.go
+++ /dev/null
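Review bot: `eventFromMessage` accepts `path` but never reads it, and the `inp` receiver is unused as well, so either the parameter is dead (drop it and the argument at the call site in the `@@ -329` hunk on the previous line) or the intended step of attaching the source path to the event never made it in; the `message.ToEvent()` call it replaces is not visible here, so I cannot tell which, and no default linter will flag an unused parameter. The helper also has no doc comment; I would add `// eventFromMessage converts a reader.Message into a beat.Event, setting fields["message"] from the raw content only when a parser has not already set it.`, which documents the one non-obvious branch. Note the method mutates `m.Fields` in place (a map shared with the caller's message), which is fine here but worth stating in the comment.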
@@ -1,30 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// +build !linux !cgo !withjournald - -package journald - -import ( - v2 "github.com/elastic/beats/v7/filebeat/input/v2" - cursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor" - "github.com/elastic/beats/v7/libbeat/logp" -) - -func Plugin(log *logp.Logger, store cursor.StateStore) v2.Plugin { - return v2.Plugin{} -} diff --git a/filebeat/input/v2/simplemanager.go b/filebeat/input/v2/simplemanager.go index 5024fcfa3d1..76ade85c9f5 100644 --- a/filebeat/input/v2/simplemanager.go +++ b/filebeat/input/v2/simplemanager.go 
@@ -33,12 +33,12 @@ func ConfigureWith(fn func(*common.Config) (Input, error)) InputManager { return &simpleInputManager{configure: fn} } -// Init is required to fulfil the input.InputManager interface. +// Init is required to fullfil the input.InputManager interface. // For the kafka input no special initialization is required. func (*simpleInputManager) Init(grp unison.Group, m Mode) error { return nil } -// Create builds a new Input instance from the given configuration, or returns -// an error if the configuration is invalid. +// Creates builds a new Input instance from the given configuation, or returns +// an error if the configuation is invalid. func (manager *simpleInputManager) Create(cfg *common.Config) (Input, error) { return manager.configure(cfg) } diff --git a/filebeat/magefile.go b/filebeat/magefile.go index 8e55f6e0d4d..0d68e5a86c4 100644 --- a/filebeat/magefile.go +++ b/filebeat/magefile.go @@ -39,6 +39,21 @@ import ( "github.com/elastic/beats/v7/dev-tools/mage/target/test" ) +// declare journald dependencies for cross build target +var ( + journaldPlatforms = []devtools.PlatformDescription{ + devtools.Linux386, devtools.LinuxAMD64, + devtools.LinuxARM64, devtools.LinuxARM5, devtools.LinuxARM6, devtools.LinuxARM7, + devtools.LinuxMIPS, devtools.LinuxMIPSLE, devtools.LinuxMIPS64LE, + devtools.LinuxPPC64LE, + devtools.LinuxS390x, + } + + journaldDeps = devtools.NewPackageInstaller(). + AddEach(journaldPlatforms, "libsystemd-dev"). + Add(devtools.Linux386, "libsystemd0", "libgcrypt20") +) + func init() { common.RegisterCheckDeps(Update) test.RegisterDeps(IntegTest) 
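Review bot: The replacement doc comments on the new side introduce spelling errors — `fullfil`, `Creates builds`, and `configuation` twice — where the removed text was correct, and the `Create` comment no longer starts with the function's name as `godoc` expects. Keep `// Init is required to fulfil the input.InputManager interface.` and `// Create builds a new Input instance from the given configuration, or returns` / `// an error if the configuration is invalid.` so the package stays lint-clean.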
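Review bot: The `Add(devtools.Linux386, "libsystemd0", "libgcrypt20")` line installs runtime libraries for one platform only, with nothing explaining why linux/386 needs them on top of `libsystemd-dev`; add a comment such as `// the linux/386 builder image lacks the runtime libs libsystemd-dev links against, so pull them in explicitly` (assuming that is the reason — confirm). As far as this diff shows, `journaldDeps` has no live caller — its only reference is a commented-out `mg.Deps` call in `GolangCrossBuild` — so the package-level var is dead weight until that is wired in; a `// TODO(<issue>)` on the block would keep it from being forgotten.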
@@ -51,10 +66,13 @@ func Build() error { return devtools.Build(devtools.DefaultBuildArgs()) } -// GolangCrossBuild builds the Beat binary inside the golang-builder. +// GolangCrossBuild build the Beat binary inside of the golang-builder. // Do not use directly, use crossBuild instead. func GolangCrossBuild() error { - return filebeat.GolangCrossBuild() + // XXX: enable once we have systemd available in the cross build image + // mg.Deps(journaldDeps.Installer(devtools.Platform.Name)) + + return devtools.GolangCrossBuild(devtools.DefaultGolangCrossBuildArgs()) } // BuildGoDaemon builds the go-daemon binary (use crossBuildGoDaemon). @@ -64,7 +82,7 @@ func BuildGoDaemon() error { // CrossBuild cross-builds the beat for all target platforms. func CrossBuild() error { - return filebeat.CrossBuild() + return devtools.CrossBuild() } // CrossBuildGoDaemon cross-builds the go-daemon binary using Docker. @@ -105,7 +123,6 @@ func Update() { // modules.d directory. func Config() { mg.Deps(devtools.GenerateDirModulesD, configYML) - mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled) } func configYML() error { diff --git a/filebeat/module/apache/_meta/config.yml b/filebeat/module/apache/_meta/config.yml index ddf2b0c40d4..24e64df694a 100644 --- a/filebeat/module/apache/_meta/config.yml +++ b/filebeat/module/apache/_meta/config.yml @@ -1,7 +1,7 @@ - module: apache # Access logs access: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Error logs error: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/apache/_meta/fields.yml b/filebeat/module/apache/_meta/fields.yml index ead9903ad9d..cbd235a7268 100644 --- a/filebeat/module/apache/_meta/fields.yml +++ b/filebeat/module/apache/_meta/fields.yml 
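Review bot: The new `GolangCrossBuild` body no longer passes `-tags=withjournald` and leaves `journaldDeps` unreferenced except by the commented-out `mg.Deps(...)` line, so whether the journald input is compiled into cross-built binaries now rests entirely on that package's own build constraints — which this diff also changes by deleting `input_stub.go`; confirm a non-tagged build of `filebeat/input/journald` still exports `Plugin`. The `XXX` marker should say concretely which builder image is missing systemd and link the tracking issue, otherwise it will never be actioned. The doc comment also lost its verb agreement: keep `// GolangCrossBuild builds the Beat binary inside the golang-builder.`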
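Review bot: Removing `mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled)` from `Config` drops the build-time check that generated `modules.d/*.yml.disabled` files ship with every fileset at `enabled: false`, and the rest of this diff flips exactly those files to `enabled: true`; the net effect is that `filebeat modules enable <name>` now activates every fileset of a module at once, including ones that bind sockets or poll services. If enabled-by-default is the intent, it needs a changelog/doc entry and a deliberate review of each fileset's side effects; otherwise restore the validation line so CI catches the regression.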
@@ -4,6 +4,134 @@ Apache Module short_config: true fields: + - name: apache2 + type: group + description: > + Aliases for backward compatibility with old apache2 fields + fields: + - name: access + type: group + fields: + - name: remote_ip + type: alias + path: source.address + migration: true + - name: ssl.protocol + type: alias + path: apache.access.ssl.protocol + migration: true + - name: ssl.cipher + type: alias + path: apache.access.ssl.cipher + migration: true + - name: body_sent.bytes + type: alias + path: http.response.body.bytes + migration: true + - name: user_name + type: alias + path: user.name + migration: true + - name: method + type: alias + path: http.request.method + migration: true + - name: url + type: alias + path: url.original + migration: true + - name: http_version + type: alias + path: http.version + migration: true + - name: response_code + type: alias + path: http.response.status_code + migration: true + - name: referrer + type: alias + path: http.request.referrer + migration: true + - name: agent + type: alias + path: user_agent.original + migration: true + + - name: user_agent + type: group + fields: + - name: device + type: alias + path: user_agent.device.name + migration: true + - name: name + type: alias + path: user_agent.name + migration: true + - name: os + type: alias + path: user_agent.os.full_name + migration: true + - name: os_name + type: alias + path: user_agent.os.name + migration: true + - name: original + type: alias + path: user_agent.original + migration: true + - name: geoip + type: group + fields: + - name: continent_name + type: alias + path: source.geo.continent_name + migration: true + - name: country_iso_code + type: alias + path: source.geo.country_iso_code + migration: true + - name: location + type: alias + path: source.geo.location + migration: true + - name: region_name + type: alias + path: source.geo.region_name + migration: true + - name: city_name + type: alias + path: source.geo.city_name + migration: 
true + - name: region_iso_code + type: alias + path: source.geo.region_iso_code + migration: true + - name: error + type: group + fields: + - name: level + type: alias + path: log.level + migration: true + - name: message + type: alias + path: message + migration: true + - name: pid + type: alias + path: process.pid + migration: true + - name: tid + type: alias + path: process.thread.id + migration: true + - name: module + type: alias + path: apache.error.module + migration: true + + - name: apache type: group description: > diff --git a/filebeat/module/apache/fields.go b/filebeat/module/apache/fields.go index b24297a9888..1e0b1608ebb 100644 --- a/filebeat/module/apache/fields.go +++ b/filebeat/module/apache/fields.go @@ -32,5 +32,5 @@ func init() { // AssetApache returns asset data. // This is the base64 encoded zlib format compressed contents of module/apache. func AssetApache() string { - return "eJysksFq6zAQRff+ikv28Qdo8eBRKF20UEj2xUgTWUTWiJGckr8vcuTUadNAaWY5su455mqNPR0Vutjpnhogu+xJYfV/WqwawFDS4mJ2HBT+NQBwOsQLm9GXS6lnyW+aw85ZhSxjWe4ceZPUdGGN0A20wJTJx0gKVniMdXMFtcCdAtu6XsZfILSmlM7ra5gbqDIPHHLnQqoI7FiQe5o1nrbbV2xIDiQVBs/27HXNbemXkm+jcGbN/uKD2XRPx3cW8+Xshm+ZzeYZcyoOJMlx+DT6UUS72JPcV+OUOUHab+2QCMtfynmsnQgPy1Km3F/1MMyP906/vu2pZpYizKhdsJOhZ2vJYKCUOktt8xEAAP//tzvrEQ==" + return "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" } diff --git a/filebeat/module/apache2/module.yml b/filebeat/module/apache2/module.yml new file mode 100644 index 00000000000..139027d128b --- /dev/null +++ b/filebeat/module/apache2/module.yml @@ -0,0 +1 @@ +movedTo: apache diff --git a/filebeat/module/auditd/_meta/config.yml b/filebeat/module/auditd/_meta/config.yml index eaf816cec78..bd952f49cc9 100644 --- a/filebeat/module/auditd/_meta/config.yml +++ b/filebeat/module/auditd/_meta/config.yml @@ -1,6 +1,6 @@ - module: auditd log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
diff --git a/filebeat/module/elasticsearch/_meta/config.yml b/filebeat/module/elasticsearch/_meta/config.yml index 4a2f751b67c..0c2562f2796 100644 --- a/filebeat/module/elasticsearch/_meta/config.yml +++ b/filebeat/module/elasticsearch/_meta/config.yml @@ -1,32 +1,32 @@ - module: elasticsearch # Server log server: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/module/haproxy/_meta/config.yml b/filebeat/module/haproxy/_meta/config.yml index b559d6d837f..0e1431e503c 100644 --- a/filebeat/module/haproxy/_meta/config.yml +++ b/filebeat/module/haproxy/_meta/config.yml @@ -1,7 +1,7 @@ - module: haproxy # All logs log: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: diff --git a/filebeat/module/icinga/_meta/config.yml b/filebeat/module/icinga/_meta/config.yml index 5fe0ddc2054..afcd57986a2 100644 --- a/filebeat/module/icinga/_meta/config.yml +++ b/filebeat/module/icinga/_meta/config.yml @@ -1,7 +1,7 @@ - module: icinga # Main logs main: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -9,7 +9,7 @@ # Debug logs debug: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -17,7 +17,7 @@ # Startup logs startup: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/iis/_meta/config.yml b/filebeat/module/iis/_meta/config.yml index f4f1d8cec36..0ed84f14e52 100644 --- a/filebeat/module/iis/_meta/config.yml +++ b/filebeat/module/iis/_meta/config.yml @@ -1,7 +1,7 @@ - module: iis # Access logs access: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,9 +9,9 @@ # Error logs error: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: - + \ No newline at end of file diff --git a/filebeat/module/kafka/_meta/config.yml b/filebeat/module/kafka/_meta/config.yml index 72e6d49ab44..cbda5709c39 100644 --- a/filebeat/module/kafka/_meta/config.yml +++ b/filebeat/module/kafka/_meta/config.yml @@ -1,7 +1,7 @@ - module: kafka # All logs log: - enabled: false + enabled: true # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. diff --git a/filebeat/module/kibana/_meta/config.yml b/filebeat/module/kibana/_meta/config.yml index 2d6904e30c6..ffb82496fca 100644 --- a/filebeat/module/kibana/_meta/config.yml +++ b/filebeat/module/kibana/_meta/config.yml @@ -1,7 +1,7 @@ - module: kibana # Server logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Audit logs audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
diff --git a/filebeat/module/logstash/_meta/config.yml b/filebeat/module/logstash/_meta/config.yml index d38c8058aca..bdb8e488dac 100644 --- a/filebeat/module/logstash/_meta/config.yml +++ b/filebeat/module/logstash/_meta/config.yml @@ -1,7 +1,7 @@ - module: logstash # logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Slow logs slowlog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/module/mongodb/_meta/config.yml b/filebeat/module/mongodb/_meta/config.yml index 28143b64eb4..be6ea989c1c 100644 --- a/filebeat/module/mongodb/_meta/config.yml +++ b/filebeat/module/mongodb/_meta/config.yml @@ -1,7 +1,7 @@ - module: mongodb # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/mysql/_meta/config.yml b/filebeat/module/mysql/_meta/config.yml index 2b7c393eecc..10afcb9e0ab 100644 --- a/filebeat/module/mysql/_meta/config.yml +++ b/filebeat/module/mysql/_meta/config.yml @@ -1,7 +1,7 @@ - module: mysql # Error logs error: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Slow logs slowlog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/nats/_meta/config.yml b/filebeat/module/nats/_meta/config.yml index b09a36dd006..59a63637680 100644 --- a/filebeat/module/nats/_meta/config.yml +++ b/filebeat/module/nats/_meta/config.yml 
@@ -1,7 +1,7 @@ - module: nats # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/nginx/_meta/config.yml b/filebeat/module/nginx/_meta/config.yml index d520f4225b9..3967af2693f 100644 --- a/filebeat/module/nginx/_meta/config.yml +++ b/filebeat/module/nginx/_meta/config.yml @@ -1,7 +1,7 @@ - module: nginx # Access logs access: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Error logs error: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/osquery/_meta/config.reference.yml b/filebeat/module/osquery/_meta/config.reference.yml index 890e602f688..b2a86b43c67 100644 --- a/filebeat/module/osquery/_meta/config.reference.yml +++ b/filebeat/module/osquery/_meta/config.reference.yml @@ -1,6 +1,6 @@ -#- module: osquery - #result: - #enabled: true +- module: osquery + result: + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/osquery/_meta/config.yml b/filebeat/module/osquery/_meta/config.yml index 2f4fd911807..b2a86b43c67 100644 --- a/filebeat/module/osquery/_meta/config.yml +++ b/filebeat/module/osquery/_meta/config.yml @@ -1,6 +1,6 @@ - module: osquery result: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/pensando/_meta/config.yml b/filebeat/module/pensando/_meta/config.yml index f352f542124..e632160bdd7 100644 --- a/filebeat/module/pensando/_meta/config.yml +++ b/filebeat/module/pensando/_meta/config.yml 
@@ -1,7 +1,7 @@ - module: pensando # Firewall logs dfw: - enabled: false + enabled: true var.syslog_host: 0.0.0.0 var.syslog_port: 9001 diff --git a/filebeat/module/postgresql/_meta/config.yml b/filebeat/module/postgresql/_meta/config.yml index 373954e6e4f..c82734a9570 100644 --- a/filebeat/module/postgresql/_meta/config.yml +++ b/filebeat/module/postgresql/_meta/config.yml @@ -1,7 +1,7 @@ - module: postgresql # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/redis/_meta/config.yml b/filebeat/module/redis/_meta/config.yml index 1a99edf7d29..4aa2f1eacf0 100644 --- a/filebeat/module/redis/_meta/config.yml +++ b/filebeat/module/redis/_meta/config.yml @@ -1,7 +1,7 @@ - module: redis # Main logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Slow logs, retrieved via the Redis API (SLOWLOG) slowlog: - enabled: false + enabled: true # The Redis hosts to connect to. #var.hosts: ["localhost:6379"] diff --git a/filebeat/module/santa/_meta/config.yml b/filebeat/module/santa/_meta/config.yml index b6b03be3fe4..ab2588f900e 100644 --- a/filebeat/module/santa/_meta/config.yml +++ b/filebeat/module/santa/_meta/config.yml @@ -1,6 +1,6 @@ - module: santa log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/filebeat/module/system/_meta/config.yml b/filebeat/module/system/_meta/config.yml index c1fe882374d..f76dd905b4d 100644 --- a/filebeat/module/system/_meta/config.yml +++ b/filebeat/module/system/_meta/config.yml @@ -1,7 +1,7 @@ - module: system # Syslog syslog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
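Review bot: Flipping `slowlog` to `enabled: true` changes the Redis module's default from reading log files to also making network calls — the comment on the surrounding lines says this fileset is "retrieved via the Redis API (SLOWLOG)", so enabling the module now connects to `localhost:6379` (the commented `var.hosts` default) with no credentials configured. If that is intended, add a note above `slowlog:` such as `# NOTE: this fileset connects to the Redis hosts below; disable it if Filebeat should not reach out over the network`, and consider leaving `slowlog` at `enabled: false` as the safe default. This template feeds the generated `modules.d/redis.yml.disabled`, so the same concern applies to the shipped file.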
@@ -9,7 +9,7 @@ # Authorization logs auth: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/traefik/_meta/config.yml b/filebeat/module/traefik/_meta/config.yml index 3e9f73ce10b..16ec37f975e 100644 --- a/filebeat/module/traefik/_meta/config.yml +++ b/filebeat/module/traefik/_meta/config.yml @@ -1,7 +1,7 @@ - module: traefik # Access logs access: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/apache.yml.disabled b/filebeat/modules.d/apache.yml.disabled index d4fbc61659d..c6a2c941469 100644 --- a/filebeat/modules.d/apache.yml.disabled +++ b/filebeat/modules.d/apache.yml.disabled @@ -4,7 +4,7 @@ - module: apache # Access logs access: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Error logs error: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/auditd.yml.disabled b/filebeat/modules.d/auditd.yml.disabled index 8bcedafdee9..4b0bd49c6f6 100644 --- a/filebeat/modules.d/auditd.yml.disabled +++ b/filebeat/modules.d/auditd.yml.disabled @@ -3,7 +3,7 @@ - module: auditd log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/elasticsearch.yml.disabled b/filebeat/modules.d/elasticsearch.yml.disabled index 75236f1a664..4db2df4eaea 100644 --- a/filebeat/modules.d/elasticsearch.yml.disabled +++ b/filebeat/modules.d/elasticsearch.yml.disabled 
@@ -4,32 +4,32 @@ - module: elasticsearch # Server log server: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/modules.d/haproxy.yml.disabled b/filebeat/modules.d/haproxy.yml.disabled index 5863c5bbdf8..7493d93d763 100644 --- a/filebeat/modules.d/haproxy.yml.disabled +++ b/filebeat/modules.d/haproxy.yml.disabled @@ -4,7 +4,7 @@ - module: haproxy # All logs log: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: diff --git a/filebeat/modules.d/icinga.yml.disabled b/filebeat/modules.d/icinga.yml.disabled index 10ab79616eb..2b136d52072 100644 --- a/filebeat/modules.d/icinga.yml.disabled +++ b/filebeat/modules.d/icinga.yml.disabled @@ -4,7 +4,7 @@ - module: icinga # Main logs main: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Debug logs debug: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -20,7 +20,7 @@ # Startup logs startup: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/iis.yml.disabled b/filebeat/modules.d/iis.yml.disabled index 868fadedbb0..3fb8768b391 100644 --- a/filebeat/modules.d/iis.yml.disabled +++ b/filebeat/modules.d/iis.yml.disabled @@ -4,7 +4,7 @@ - module: iis # Access logs access: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,9 +12,9 @@ # Error logs error: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: - + \ No newline at end of file diff --git a/filebeat/modules.d/kafka.yml.disabled b/filebeat/modules.d/kafka.yml.disabled index fd7b0013739..9d1b367b5c3 100644 --- a/filebeat/modules.d/kafka.yml.disabled +++ b/filebeat/modules.d/kafka.yml.disabled @@ -4,7 +4,7 @@ - module: kafka # All logs log: - enabled: false + enabled: true # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. diff --git a/filebeat/modules.d/kibana.yml.disabled b/filebeat/modules.d/kibana.yml.disabled index bc34de819a5..0dbffa7e766 100644 --- a/filebeat/modules.d/kibana.yml.disabled +++ b/filebeat/modules.d/kibana.yml.disabled @@ -4,7 +4,7 @@ - module: kibana # Server logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Audit logs audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/logstash.yml.disabled b/filebeat/modules.d/logstash.yml.disabled index fe99eeabae4..3eee07b97bf 100644 --- a/filebeat/modules.d/logstash.yml.disabled 
+++ b/filebeat/modules.d/logstash.yml.disabled @@ -4,7 +4,7 @@ - module: logstash # logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Slow logs slowlog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/modules.d/mongodb.yml.disabled b/filebeat/modules.d/mongodb.yml.disabled index ac31f64bed1..36745bca419 100644 --- a/filebeat/modules.d/mongodb.yml.disabled +++ b/filebeat/modules.d/mongodb.yml.disabled @@ -4,7 +4,7 @@ - module: mongodb # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/mysql.yml.disabled b/filebeat/modules.d/mysql.yml.disabled index dd5079648bc..a7904e69f1b 100644 --- a/filebeat/modules.d/mysql.yml.disabled +++ b/filebeat/modules.d/mysql.yml.disabled @@ -4,7 +4,7 @@ - module: mysql # Error logs error: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Slow logs slowlog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/nats.yml.disabled b/filebeat/modules.d/nats.yml.disabled index 6074f499cad..d203a1735e4 100644 --- a/filebeat/modules.d/nats.yml.disabled +++ b/filebeat/modules.d/nats.yml.disabled @@ -4,7 +4,7 @@ - module: nats # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/nginx.yml.disabled b/filebeat/modules.d/nginx.yml.disabled index 450b30c0e01..e15f4fe492d 100644 
--- a/filebeat/modules.d/nginx.yml.disabled +++ b/filebeat/modules.d/nginx.yml.disabled @@ -4,7 +4,7 @@ - module: nginx # Access logs access: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Error logs error: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/osquery.yml.disabled b/filebeat/modules.d/osquery.yml.disabled index 0740b774a52..1c66965bfe9 100644 --- a/filebeat/modules.d/osquery.yml.disabled +++ b/filebeat/modules.d/osquery.yml.disabled @@ -3,7 +3,7 @@ - module: osquery result: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/pensando.yml.disabled b/filebeat/modules.d/pensando.yml.disabled index 1002b61bf3e..72350a5dcb6 100644 --- a/filebeat/modules.d/pensando.yml.disabled +++ b/filebeat/modules.d/pensando.yml.disabled @@ -4,7 +4,7 @@ - module: pensando # Firewall logs dfw: - enabled: false + enabled: true var.syslog_host: 0.0.0.0 var.syslog_port: 9001 diff --git a/filebeat/modules.d/postgresql.yml.disabled b/filebeat/modules.d/postgresql.yml.disabled index 5df32fefc49..1e01709d02c 100644 --- a/filebeat/modules.d/postgresql.yml.disabled +++ b/filebeat/modules.d/postgresql.yml.disabled @@ -4,7 +4,7 @@ - module: postgresql # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/redis.yml.disabled b/filebeat/modules.d/redis.yml.disabled index dfec32f8849..6a43828abfe 100644 --- a/filebeat/modules.d/redis.yml.disabled +++ b/filebeat/modules.d/redis.yml.disabled 
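Review bot: With `dfw` now `enabled: true`, the shipped `pensando.yml.disabled` will, as soon as a user runs `filebeat modules enable pensando`, start a syslog listener bound to `var.syslog_host: 0.0.0.0` on port 9001 — an unauthenticated listener on all interfaces is not something to switch on implicitly. Keep `enabled: false` here, or at minimum default to `var.syslog_host: localhost` and add `# 0.0.0.0 accepts syslog from any host; bind to a specific address in production` above it. These values are generated from `module/pensando/_meta/config.yml`, so the fix belongs in that template as well.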
@@ -4,7 +4,7 @@ - module: redis # Main logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Slow logs, retrieved via the Redis API (SLOWLOG) slowlog: - enabled: false + enabled: true # The Redis hosts to connect to. #var.hosts: ["localhost:6379"] diff --git a/filebeat/modules.d/santa.yml.disabled b/filebeat/modules.d/santa.yml.disabled index 9655b1afb59..8e187d56b62 100644 --- a/filebeat/modules.d/santa.yml.disabled +++ b/filebeat/modules.d/santa.yml.disabled @@ -3,7 +3,7 @@ - module: santa log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/filebeat/modules.d/system.yml.disabled b/filebeat/modules.d/system.yml.disabled index 4171c65f7ad..49e5c9c4d98 100644 --- a/filebeat/modules.d/system.yml.disabled +++ b/filebeat/modules.d/system.yml.disabled @@ -4,7 +4,7 @@ - module: system # Syslog syslog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Authorization logs auth: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/traefik.yml.disabled b/filebeat/modules.d/traefik.yml.disabled index 440028cc182..22e6cdf0dc8 100644 --- a/filebeat/modules.d/traefik.yml.disabled +++ b/filebeat/modules.d/traefik.yml.disabled @@ -4,7 +4,7 @@ - module: traefik # Access logs access: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/scripts/mage/build.go b/filebeat/scripts/mage/build.go deleted file mode 100644 index b7786d947c5..00000000000 --- a/filebeat/scripts/mage/build.go +++ /dev/null 
@@ -1,85 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package mage - -import ( - "strings" - - "github.com/magefile/mage/mg" - "go.uber.org/multierr" - - devtools "github.com/elastic/beats/v7/dev-tools/mage" -) - -// declare journald dependencies for cross build target -var ( - journaldPlatforms = []devtools.PlatformDescription{ - devtools.Linux386, devtools.LinuxAMD64, - devtools.LinuxARM64, devtools.LinuxARM5, devtools.LinuxARM6, devtools.LinuxARM7, - devtools.LinuxMIPS, devtools.LinuxMIPSLE, devtools.LinuxMIPS64LE, - devtools.LinuxPPC64LE, - devtools.LinuxS390x, - } - - journaldDeps = devtools.NewPackageInstaller(). - AddEach(journaldPlatforms, "libsystemd-dev"). - Add(devtools.Linux386, "libsystemd0", "libgcrypt20") -) - -// GolangCrossBuild builds the Beat binary inside the golang-builder and then -// checks the binaries GLIBC requirements for RHEL compatability. -// Do not use directly, use crossBuild instead. -func GolangCrossBuild() error { - return multierr.Combine( - golangCrossBuild(), - // Test the linked glibc version requirement of the binary. - devtools.TestLinuxForCentosGLIBC(), - ) -} - -// golangCrossBuild builds the Beat binary inside the golang-builder. 
-// Do not use directly, use crossBuild instead. -func golangCrossBuild() error { - conf := devtools.DefaultGolangCrossBuildArgs() - if devtools.Platform.GOOS == "linux" { - mg.Deps(journaldDeps.Installer(devtools.Platform.Name)) - conf.ExtraFlags = append(conf.ExtraFlags, "-tags=withjournald") - } - return devtools.GolangCrossBuild(conf) -} - -// CrossBuild cross-builds the beat for all target platforms. -func CrossBuild() error { - return devtools.CrossBuild(devtools.ImageSelector(func(platform string) (string, error) { - image, err := devtools.CrossBuildImage(platform) - if err != nil { - return "", err - } - // Normally linux/amd64 and linux/386 binaries are build using debian7 - // because it has an older glibc version that makes the binaries work on - // RHEL 6, but debian7 does not have the systemd libraries needed for - // the journald input. - // - // So use the debian8 image, but test the binary to ensure that the - // linked glibc version requirement is still compatible with RHEL6. - if platform == "linux/amd64" || platform == "linux/386" { - image = strings.ReplaceAll(image, "main-debian7", "main-debian8") - } - return image, nil - })) -} diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index 3702de33c94..a9ce3637939 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -128,8 +128,7 @@ def run_on_file(self, module, fileset, test_file, cfgfile): # Based on the convention that if a name contains -json the json format is needed. Currently used for LS. if "-json" in test_file: cmd.append("-M") - cmd.append("{module}.{fileset}.var.format=json".format( - module=module, fileset=fileset)) + cmd.append("{module}.{fileset}.var.format=json".format(module=module, fileset=fileset)) output_path = os.path.join(self.working_dir) # Runs inside a with block to ensure file is closed afterwards 
@@ -153,10 +152,8 @@ def run_on_file(self, module, fileset, test_file, cfgfile): # List of errors to check in filebeat output logs errors = ["error loading pipeline for fileset"] # Checks if the output of filebeat includes errors - contains_error, error_line = file_contains( - os.path.join(output_path, "output.log"), errors) - assert contains_error is False, "Error found in log:{}".format( - error_line) + contains_error, error_line = file_contains(os.path.join(output_path, "output.log"), errors) + assert contains_error is False, "Error found in log:{}".format(error_line) # Make sure index exists self.wait_until(lambda: self.es.indices.exists(self.index_name)) @@ -201,8 +198,7 @@ def _test_expected_events(self, test_file, objects): if isinstance(objects[k][key], list): objects[k][key].sort(key=str) - json.dump(objects, f, indent=4, separators=( - ',', ': '), sort_keys=True) + json.dump(objects, f, indent=4, separators=(',', ': '), sort_keys=True) with open(test_file + "-expected.json", "r") as f: expected = json.load(f) @@ -230,8 +226,7 @@ def _test_expected_events(self, test_file, objects): d = DeepDiff(ev, obj, ignore_order=True) - assert len( - d) == 0, "The following expected object doesn't match:\n Diff:\n{}, full object: \n{}".format(d, obj) + assert len(d) == 0, "The following expected object doesn't match:\n Diff:\n{}, full object: \n{}".format(d, obj) def clean_keys(obj): @@ -257,6 +252,7 @@ def clean_keys(obj): "cisco.asa", "cisco.ios", "citrix.netscaler", + "cyberark.corepas", "cylance.protect", "f5.bigipafm", "fortinet.clientendpoint", @@ -277,6 +273,14 @@ def clean_keys(obj): "microsoft.defender_atp", "crowdstrike.falcon_endpoint", "crowdstrike.falcon_audit", + "gsuite.admin", + "gsuite.config", + "gsuite.drive", + "gsuite.groups", + "gsuite.ingest", + "gsuite.login", + "gsuite.saml", + "gsuite.user_accounts", "zoom.webhook", "threatintel.otx", "threatintel.abuseurl", diff --git a/go.mod b/go.mod index 3595ff6bd19..13c15c2e3a4 100644 --- a/go.mod 
+++ b/go.mod
@@ -45,7 +45,7 @@ require (
 github.com/davecgh/go-xdr v0.0.0-20161123171359-e6a2ba005892 // indirect
 github.com/denisenkom/go-mssqldb v0.0.0-20200206145737-bbfc9a55622e
 github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2 // indirect
- github.com/dgraph-io/badger/v3 v3.2103.1
+ github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b
 github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1
 github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf // indirect
 github.com/docker/docker v1.4.2-0.20170802015333-8af4db6f002a
@@ -86,12 +86,12 @@ require (
 github.com/godror/godror v0.10.4
 github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b
 github.com/gofrs/uuid v3.3.0+incompatible
- github.com/gogo/protobuf v1.3.2
+ github.com/gogo/protobuf v1.3.1
 github.com/golang/mock v1.6.0
 github.com/golang/protobuf v1.4.3
 github.com/golang/snappy v0.0.3
 github.com/gomodule/redigo v1.8.3
- github.com/google/flatbuffers v1.12.0
+ github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9
 github.com/google/go-cmp v0.5.4
 github.com/google/gopacket v1.1.18-0.20191009163724-0ad7f2610e34
 github.com/google/uuid v1.1.2
@@ -204,7 +204,6 @@ replace (
 github.com/dop251/goja_nodejs => github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6
 github.com/fsnotify/fsevents => github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270
 github.com/fsnotify/fsnotify => github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d
- github.com/golang/glog => github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4
 github.com/google/gopacket => github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41
 github.com/insomniacslk/dhcp => github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 // indirect
 github.com/tonistiigi/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c
diff --git a/go.sum b/go.sum
index b5fa8e561e5..b70e27e1d6c 100644
--- a/go.sum
+++ b/go.sum
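Review bot: Every dependency change in this file moves backwards — `github.com/dgraph-io/badger/v3 v3.2103.1` to `badger/v2 v2.2007.3-...`, `github.com/gogo/protobuf v1.3.2` to `v1.3.1`, `github.com/google/flatbuffers v1.12.0` to a 2017 pseudo-version — and the `@@ -204` hunk drops the `github.com/golang/glog => github.com/elastic/glog` replace, which reads like a branch rebased onto a stale base rather than deliberate pins. For gogo/protobuf in particular, v1.3.2 was, as far as I recall, a security-fix release for its unmarshal code path, so the downgrade reintroduces a known issue; the go.sum hunks below carry the same reversal. Confirm the downgrades are intentional, or rebase onto current main before merging.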
@@ -219,10 +219,10 @@ github.com/denisenkom/go-mssqldb v0.0.0-20200206145737-bbfc9a55622e/go.mod h1:xb github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2 h1:6+hM8KeYKV0Z9EIINNqIEDyyIRAcNc2FW+/TUYNmWyw= github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= -github.com/dgraph-io/badger/v3 v3.2103.1 h1:zaX53IRg7ycxVlkd5pYdCeFp1FynD6qBGQoQql3R3Hk= -github.com/dgraph-io/badger/v3 v3.2103.1/go.mod h1:dULbq6ehJ5K0cGW/1TQ9iSfUk0gbSiToDWmWmTsJ53E= -github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI= -github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug= +github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b h1:mUDs72Rlzv6A4YN8w3Ra3hU9x/plOQPcQjZYL/1f5SM= +github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b/go.mod h1:26P/7fbL4kUZVEVKLAKXkBXKOydDmM2p1e+NhhnBCAE= +github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de h1:t0UHb5vdojIDUqktM6+xJAfScFBsVpXZmqC9dsgJmeA= +github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= 
@@ -269,8 +269,6 @@ github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6 h1 github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6/go.mod h1:uh/Gj9a0XEbYoM4NYz4LvaBVARz3QXLmlNjsrKY9fTc= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 h1:cWPqxlPtir4RoQVCpGSRXmLqjEHpJKbR60rxh1nQZY4= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng= -github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4 h1:ViJxdtOsHeO+SWVekzM82fYHH1xnvZ8CvGPXZj+G4YI= -github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= github.com/elastic/go-concert v0.2.0 h1:GAQrhRVXprnNjtvTP9pWJ1d4ToEA4cU5ci7TwTa20xg= github.com/elastic/go-concert v0.2.0/go.mod h1:HWjpO3IAEJUxOeaJOWXWEp7imKd27foxz9V5vegC/38= github.com/elastic/go-libaudit/v2 v2.2.0 h1:TY3FDpG4Zr9Qnv6KYW6olYr/U+nfu0rD2QAbv75VxMQ= 
@@ -364,13 +362,13 @@ github.com/gofrs/uuid v3.3.0+incompatible h1:8K4tyRfvU1CYPgJsveYFQMhpFd/wXNM7iK6 github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= -github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0 h1:RAqyYixv1p7uEnocuy8P1nru5wprCh/MH2BIlW5z5/o= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -392,14 +390,15 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA= github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/gomodule/redigo v1.8.3 h1:HR0kYDX2RJZvAup8CsiJwxB4dTCSC0AaUq6S4SiLwUc= github.com/gomodule/redigo v1.8.3/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/flatbuffers v1.12.0 h1:/PtAHvnBY4Kqnx/xCQ3OIV9uYcSFGScBsWI3Oogeh6w= -github.com/google/flatbuffers v1.12.0/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9 h1:b4EyQBj8pgtcWOr7YCSxK6NUQzJr0n4hxJ3mc+dtKk4= +github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -529,11 +528,9 @@ github.com/karrick/godirwalk v1.15.6 h1:Yf2mmR8TJy+8Fa0SuQVto5SYap6IF7lNVX4Jdl8G github.com/karrick/godirwalk v1.15.6/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= -github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.12.2 h1:2KCfW3I9M7nSc5wOqXAlW2v2U6v+w6cbjvbfp+OykW8= github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= -github.com/klauspost/compress v1.12.3 h1:G5AfA94pHPysR56qqrkO2pxEexdDzrpFJ6yt/VqWxVU= -github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
@@ -796,9 +793,8 @@ go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg= go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2 h1:75k/FF0Q2YM8QYo07VPddOLBslDt1MZOdEslOHvmzAs= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.5 h1:dntmOdLpSpHlVqbW5Eay97DelsZHe+55D+xC6i0dDS0= -go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/goleak v1.0.0 h1:qsup4IcBdlmsnGfqyLl4Ntn3C2XCCuKAE7DwHpScyUo= @@ -874,7 +870,6 @@ golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200425230154-ff2c4b7c35a0/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q= golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 
@@ -911,6 +906,7 @@ golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190529164535-6a60838ec259/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -929,11 +925,9 @@ golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= diff --git a/heartbeat/docs/monitors/monitor-browser.asciidoc b/heartbeat/docs/monitors/monitor-browser.asciidoc index aa1a2ee1ceb..24ea6dc7beb 100644 --- a/heartbeat/docs/monitors/monitor-browser.asciidoc +++ b/heartbeat/docs/monitors/monitor-browser.asciidoc 
@@ -65,7 +65,6 @@ Under `zip_url`, specify these options: located in the repository. *`username`*:: The username for authenticating with the zip endpoint. This setting is optional. *`password`*:: The password for authenticating with the zip endpoint. This setting is optional. -*`ssl`*:: SSL options applied to downloading the zip, not the browser. See <> for more details. If `username` and `password` are provided, they will be sent as HTTP Basic Authentication headers to the remote zip endpoint. @@ -84,11 +83,9 @@ Example configuration: folder: "examples/todos" username: "" password: "" - # ssl options apply to downloading the zip, not the browser - #ssl: - # certificate_authorities: ['/etc/ca.crt'] ------------------------------------------------------------------------------- + [float] [[monitor-source-local]] ===== `Local directory` @@ -201,6 +198,7 @@ Example configuration: *`tags`*:: run only journeys with the given tag(s), or globs *`match`*:: run only journeys with a name or tags that matches the configured glob + [float] [[monitor-browser-synthetics-args]] ==== `synthetics_args` diff --git a/heartbeat/hbtest/hbtestutil.go b/heartbeat/hbtest/hbtestutil.go index 80753294d8e..ec802079fbc 100644 --- a/heartbeat/hbtest/hbtestutil.go +++ b/heartbeat/hbtest/hbtestutil.go @@ -83,15 +83,6 @@ func SizedResponseHandler(bytes int) http.HandlerFunc { ) } -func CustomResponseHandler(body []byte, status int) http.HandlerFunc { - return http.HandlerFunc( - func(w http.ResponseWriter, r *http.Request) { - w.WriteHeader(status) - w.Write(body) - }, - ) -} - // RedirectHandler redirects the paths at the keys in the redirectingPaths map to the locations in their values. // For paths not in the redirectingPaths map it returns a 200 response with the given body. func RedirectHandler(redirectingPaths map[string]string, body string) http.HandlerFunc { 
diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go index 48b37b74d89..4e6f67dec97 100644 --- a/heartbeat/monitors/active/http/http_test.go +++ b/heartbeat/monitors/active/http/http_test.go 
@@ -341,112 +341,6 @@ func TestLargeResponse(t *testing.T) { ) } -func TestJsonBody(t *testing.T) { - type testCase struct { - name string - responseBody string - condition common.MapStr - expectedErrMsg string - expectedContentType string - } - - testCases := []testCase{ - { - "simple match", - "{\"foo\": \"bar\"}", - common.MapStr{ - "equals": common.MapStr{"foo": "bar"}, - }, - "", - "application/json", - }, - { - "mismatch", - "{\"foo\": \"bar\"}", - common.MapStr{ - "equals": common.MapStr{"baz": "bot"}, - }, - "JSON body did not match", - "application/json", - }, - { - "invalid json", - "notjson", - common.MapStr{ - "equals": common.MapStr{"foo": "bar"}, - }, - "could not parse JSON", - "text/plain; charset=utf-8", - }, - { - "complex type match json", - "{\"number\": 3, \"bool\": true}", - common.MapStr{ - "equals": common.MapStr{"number": 3, "bool": true}, - }, - "", - "application/json", - }, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - server := httptest.NewServer(hbtest.CustomResponseHandler([]byte(tc.responseBody), 200)) - defer server.Close() - - configSrc := map[string]interface{}{ - "hosts": server.URL, - "timeout": "1s", - "response.include_body": "never", - "check.response.json": []common.MapStr{ - { - "description": "myJsonCheck", - "condition": tc.condition, - }, - }, - } - - config, err := common.NewConfigFrom(configSrc) - require.NoError(t, err) - - p, err := create("largeresp", config) - require.NoError(t, err) - - sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(p.Jobs, stdfields.StdMonitorFields{ID: "test", Type: "http", Schedule: sched, Timeout: 1})[0] - - event := &beat.Event{} - _, err = job(event) - require.NoError(t, err) - - if tc.expectedErrMsg == "" { - testslike.Test( - t, - lookslike.Strict(lookslike.Compose( - hbtest.BaseChecks("127.0.0.1", "up", "http"), - hbtest.RespondingTCPChecks(), - hbtest.SummaryChecks(1, 0), - respondingHTTPChecks(server.URL, tc.expectedContentType, 
200), - )), - event.Fields, - ) - } else { - testslike.Test( - t, - lookslike.Strict(lookslike.Compose( - hbtest.BaseChecks("127.0.0.1", "down", "http"), - hbtest.RespondingTCPChecks(), - hbtest.SummaryChecks(0, 1), - hbtest.ErrorChecks(tc.expectedErrMsg, "validate"), - respondingHTTPChecks(server.URL, tc.expectedContentType, 200), - )), - event.Fields, - ) - } - }) - } -} - func runHTTPSServerCheck( t *testing.T, server *httptest.Server, diff --git a/heartbeat/tests/system/test_monitor.py b/heartbeat/tests/system/test_monitor.py index b7a1edae5be..4952ab8d259 100644 --- a/heartbeat/tests/system/test_monitor.py +++ b/heartbeat/tests/system/test_monitor.py 
@@ -90,6 +90,88 @@ def test_http_delayed(self): finally: server.shutdown() + @parameterized.expand([ + ("up", '{"foo": {"baz": "bar"}}'), + ("down", '{"foo": "unexpected"}'), + ("down", 'notjson'), + ]) + def test_http_json(self, expected_status, body): + """ + Test JSON response checks + """ + server = self.start_server(body, 200) + try: + self.render_config_template( + monitors=[{ + "type": "http", + "urls": ["http://localhost:{}".format(server.server_port)], + "check_response_json": [{ + "description": "foo equals bar", + "condition": { + "equals": {"foo": {"baz": "bar"}} + } + }] + }] + ) + + try: + proc = self.start_beat() + self.wait_until(lambda: self.log_contains("heartbeat is running")) + + self.wait_until( + lambda: self.output_has(lines=1)) + finally: + proc.check_kill_and_wait() + + self.assert_last_status(expected_status) + if expected_status == "down": + self.assertEqual(self.last_output_line()["http.response.body.content"], body) + if body == "notjson": + self.assertEqual(self.last_output_line()["http.response.mime_type"], "text/plain; charset=utf-8") + else: + self.assertEqual(self.last_output_line()["http.response.mime_type"], "application/json") + else: + assert "http.response.body.content" not in self.last_output_line() + finally: + server.shutdown() + + @parameterized.expand([ + ('{"foo": "bar"}', {"foo": "bar"}), + ('{"foo": true}', {"foo": True},), + ('{"foo": 3}', {"foo": 3},), + ]) + def test_json_simple_comparisons(self, body, comparison): + """ + Test JSON response with simple straight-forward comparisons + """ + server = self.start_server(body, 200) + try: + self.render_config_template( + monitors=[{ + "type": "http", + "urls": ["http://localhost:{}".format(server.server_port)], + "check_response_json": [{ + "description": body, + "condition": { + "equals": comparison + } + }] + }] + ) + + try: + proc = self.start_beat() + self.wait_until(lambda: self.log_contains("heartbeat is running")) + + self.wait_until( + lambda: 
self.output_has(lines=1)) finally: proc.check_kill_and_wait()
+
+ self.assert_last_status("up")
+ finally:
+ server.shutdown()
+
 @parameterized.expand([
 (lambda server: "localhost:{}".format(server.server_port), "up"),
 # This IP is reserved in IPv4
diff --git a/libbeat/cmd/instance/beat_test.go b/libbeat/cmd/instance/beat_test.go
index e05b4ddb87a..bb541c3d204 100644
--- a/libbeat/cmd/instance/beat_test.go
+++ b/libbeat/cmd/instance/beat_test.go
@@ -78,31 +78,16 @@ func TestInitKibanaConfig(t *testing.T) {
 assert.Equal(t, "testidx", b.Info.IndexPrefix)
 assert.Equal(t, "0.9", b.Info.Version)
- const configPath = "../test/filebeat_test.yml"
-
- // Ensure that the config has owner-exclusive write permissions.
- // This is necessary on some systems which have a default umask
- // of 0o002, meaning that files are checked out by git with mode
- // 0o664. This would cause cfgfile.Load to fail.
- err = os.Chmod(configPath, 0o644)
- assert.NoError(t, err)
-
- cfg, err := cfgfile.Load(configPath, nil)
- assert.NoError(t, err)
+ cfg, err := cfgfile.Load("../test/filebeat_test.yml", nil)
 err = cfg.Unpack(&b.Config)
 assert.NoError(t, err)
 kibanaConfig := InitKibanaConfig(b.Config)
 username, err := kibanaConfig.String("username", -1)
- assert.NoError(t, err)
 password, err := kibanaConfig.String("password", -1)
- assert.NoError(t, err)
 api_key, err := kibanaConfig.String("api_key", -1)
- assert.NoError(t, err)
 protocol, err := kibanaConfig.String("protocol", -1)
- assert.NoError(t, err)
 host, err := kibanaConfig.String("host", -1)
- assert.NoError(t, err)
 assert.Equal(t, "elastic-test-username", username)
 assert.Equal(t, "elastic-test-password", password)
diff --git a/libbeat/cmd/instance/metrics/metrics.go b/libbeat/cmd/instance/metrics/metrics.go
index 8865b4967c9..700b0420a76 100644
--- a/libbeat/cmd/instance/metrics/metrics.go
+++ b/libbeat/cmd/instance/metrics/metrics.go
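Review bot: In `test_http_json`, the `up` branch uses a bare `assert "http.response.body.content" not in self.last_output_line()` while every neighbouring check goes through `self.assertEqual`; `self.assertNotIn("http.response.body.content", self.last_output_line())` keeps the style consistent and prints the offending event on failure. `test_json_simple_comparisons` only asserts the final status; also asserting `self.assertEqual(self.last_output_line()["http.response.mime_type"], "application/json")`, as the first test does, would pin that the JSON check path was actually exercised rather than a generic 200. Both tests rely on `self.start_server(body, 200)`, which must already exist on the test base class outside this hunk.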
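Review bot: The error from `cfgfile.Load("../test/filebeat_test.yml", nil)` is never checked: the new side drops the `assert.NoError(t, err)` that followed it and `err` is overwritten on the next line by `cfg.Unpack(&b.Config)`, so a failed load produces a nil `cfg` and a panic inside `Unpack` instead of a test failure. The five `kibanaConfig.String(...)` calls have the same problem — their `err` results are assigned and never read, which `staticcheck` reports as SA4006. Re-add `assert.NoError(t, err)` directly after the load and after each `String` call. Removing the `os.Chmod` step also reintroduces the umask sensitivity the deleted comment described, so confirm `cfgfile.Load` no longer rejects group-writable files before relying on the checked-out mode. `TestInitKibanaConfig` starts and ends outside the hunk.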
@@ -28,7 +28,6 @@ import (
 "github.com/elastic/beats/v7/libbeat/logp"
 "github.com/elastic/beats/v7/libbeat/metric/system/cgroup"
 "github.com/elastic/beats/v7/libbeat/metric/system/cpu"
- "github.com/elastic/beats/v7/libbeat/metric/system/numcpu"
 "github.com/elastic/beats/v7/libbeat/metric/system/process"
 "github.com/elastic/beats/v7/libbeat/monitoring"
 "github.com/elastic/beats/v7/libbeat/paths"
@@ -266,7 +265,7 @@ func reportSystemCPUUsage(_ monitoring.Mode, V monitoring.Visitor) {
 V.OnRegistryStart()
 defer V.OnRegistryFinished()
- monitoring.ReportInt(V, "cores", int64(numcpu.NumCPU()))
+ monitoring.ReportInt(V, "cores", int64(runtime.NumCPU()))
 }
 func reportRuntime(_ monitoring.Mode, V monitoring.Visitor) {
diff --git a/libbeat/common/encoding/xml/decode.go b/libbeat/common/encoding/xml/decode.go
index 8fcc790ca5c..665c0608f67 100644
--- a/libbeat/common/encoding/xml/decode.go
+++ b/libbeat/common/encoding/xml/decode.go
@@ -80,7 +80,7 @@ func (d *Decoder) decode(attrs []xml.Attr) (string, map[string]interface{}, erro
 // Add the data to the current object while taking into account
 // if the current key already exists (in the case of lists).
 key := d.key(elem.Name.Local)
- value := elements[key]
+ value := elements[elem.Name.Local]
 switch v := value.(type) {
 case nil:
 elements[key] = add
diff --git a/libbeat/common/encoding/xml/decode_test.go b/libbeat/common/encoding/xml/decode_test.go
index 9dd585ac6d7..277972e56da 100644
--- a/libbeat/common/encoding/xml/decode_test.go
+++ b/libbeat/common/encoding/xml/decode_test.go
@@ -366,16 +366,10 @@ func ExampleDecoder_Decode() {
 // "event": {
 // "eventdata": {
 // "binary": "770069006E006C006F00670062006500610074002F0034000000",
- // "data": [
- // {
- // "#text": "winlogbeat",
- // "name": "param1"
- // },
- // {
- // "#text": "running",
- // "name": "param2"
- // }
- // ]
+ // "data": {
+ // "#text": "running",
+ // "name": "param2"
+ // }
 // },
 // "processingerrordata": {
 // "dataitemname": "shellId",
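Review bot: `runtime.NumCPU()` replaces `numcpu.NumCPU()` on the `monitoring.ReportInt(V, "cores", ...)` line, but the only import change in this file is the removal of `numcpu`; unless `runtime` is already imported higher in the file (outside the hunk), this does not compile, so check the import block. Note also that `runtime.NumCPU()` reports the CPUs usable by the process as queried once at startup; if the removed helper was introduced to report something different (host CPU count, or a value refreshed per call), the `cores` metric silently changes meaning for downstream consumers — worth a comment on the line either way. `reportSystemCPUUsage` continues outside the hunk.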
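Review bot: The new lookup reads `elements[elem.Name.Local]` while the `case nil:` branch directly below writes `elements[key]`, where `key := d.key(elem.Name.Local)`; whenever `d.key` transforms the name, the existing-value lookup misses, the `switch` always lands in `case nil`, and a repeated child element overwrites the previous one instead of being accumulated into a list — which is exactly what the updated expectation in the `decode_test.go` hunk now shows (`"data"` shrinks from a two-element list to only `param2`). Keep read and write on the same key, `value := elements[key]`, and restore the list form in the `ExampleDecoder_Decode` output rather than encoding the data loss into the test. `decode` starts and ends outside the hunk.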
diff --git a/libbeat/dashboards/decode.go b/libbeat/dashboards/decode.go
index 10c0a694898..cd79bfead43 100644
--- a/libbeat/dashboards/decode.go
+++ b/libbeat/dashboards/decode.go
@@ -30,13 +30,11 @@ import (
 var (
 responseToDecode = []string{
- "attributes.kibanaSavedObjectMeta.searchSourceJSON",
- "attributes.layerListJSON",
- "attributes.mapStateJSON",
- "attributes.optionsJSON",
- "attributes.panelsJSON",
 "attributes.uiStateJSON",
 "attributes.visState",
+ "attributes.optionsJSON",
+ "attributes.panelsJSON",
+ "attributes.kibanaSavedObjectMeta.searchSourceJSON",
 }
 )
@@ -78,51 +76,15 @@ func decodeLine(line []byte) []byte {
 if err != nil {
 return line
 }
- o = decodeObject(o)
- o = decodeEmbeddableConfig(o)
-
- return []byte(o.String())
-}
-
-func decodeObject(o common.MapStr) common.MapStr {
 for _, key := range responseToDecode {
 // All fields are optional, so errors are not caught
 err := decodeValue(o, key)
 if err != nil {
 logger := logp.NewLogger("dashboards")
 logger.Debugf("Error while decoding dashboard objects: %+v", err)
- continue
- }
- }
-
- return o
-}
-
-func decodeEmbeddableConfig(o common.MapStr) common.MapStr {
- p, err := o.GetValue("attributes.panelsJSON")
- if err != nil {
- return o
- }
-
- if panels, ok := p.([]interface{}); ok {
- for i, pan := range panels {
- if panel, ok := pan.(map[string]interface{}); ok {
- panelObj := common.MapStr(panel)
- embedded, err := panelObj.GetValue("embeddableConfig")
- if err != nil {
- continue
- }
- if embeddedConfig, ok := embedded.(map[string]interface{}); ok {
- embeddedConfigObj := common.MapStr(embeddedConfig)
- panelObj.Put("embeddableConfig", decodeObject(embeddedConfigObj))
- panels[i] = panelObj
- }
- }
 }
- o.Put("attributes.panelsJSON", panels)
 }
-
- return o
+ return []byte(o.String())
 }
 func decodeValue(data common.MapStr, key string) error {
diff --git a/libbeat/dashboards/modify_json.go b/libbeat/dashboards/modify_json.go
index daacccdbc3f..3178d6b2382 100644
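Review bot: After this hunk `decodeLine` decodes only the five keys left in `responseToDecode`, and the `decodeEmbeddableConfig` pass that recursed into each panel's `embeddableConfig` is gone, together with the `attributes.layerListJSON` and `attributes.mapStateJSON` entries removed in the `@@ -30` hunk above; if that is not deliberate (the other files in this patch look like a rebase onto a stale base), saved objects that carry those keys will be loaded with them still string-encoded. If the removal is intended, say so next to `// All fields are optional, so errors are not caught` so the next reader does not re-add them. While the loop is being pulled into `decodeLine`, `logger := logp.NewLogger("dashboards")` could be hoisted above the `for _, key := range responseToDecode` so it is not rebuilt on every failed key. `decodeLine` starts outside the hunk.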
--- a/libbeat/dashboards/modify_json.go
+++ b/libbeat/dashboards/modify_json.go
@@ -21,7 +21,6 @@ import (
 "bytes"
 "encoding/json"
 "fmt"
- "regexp"
 "github.com/pkg/errors"
@@ -47,6 +46,11 @@ type JSONObject struct {
 Attributes JSONObjectAttribute `json:"attributes"`
 }
+// JSONFormat contains a list of JSON object
+type JSONFormat struct {
+ Objects []JSONObject `json:"objects"`
+}
+
 // ReplaceIndexInIndexPattern replaces an index in a dashboard content body
 func ReplaceIndexInIndexPattern(index string, content common.MapStr) (err error) {
 if index == "" {
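Review bot: The doc comment on the new exported type has a number-agreement slip and no terminating period; `// JSONFormat contains a list of JSON object` should read `// JSONFormat is the envelope of a dashboard export: the JSONObject values found under its "objects" key.` (or at minimum `// JSONFormat contains a list of JSON objects.`). Nothing in the visible hunks references `JSONFormat`, so if no caller in this patch uses it, it is dead code worth dropping or wiring up.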
@@ -124,62 +128,43 @@ func ReplaceIndexInSavedObject(logger *logp.Logger, index string, kibanaSavedObj
 }
 kibanaSavedObject["searchSourceJSON"] = searchSourceJSON
 }
- if visState, ok := kibanaSavedObject["visState"].(map[string]interface{}); ok {
- kibanaSavedObject["visState"] = ReplaceIndexInVisState(logger, index, visState)
+ if visStateJSON, ok := kibanaSavedObject["visState"].(string); ok {
+ visStateJSON = ReplaceIndexInVisState(logger, index, visStateJSON)
+ kibanaSavedObject["visState"] = visStateJSON
 }
 return kibanaSavedObject
 }
-var timeLionIdxRegexp = regexp.MustCompile(`index=\".*beat-\*\"`)
-
 // ReplaceIndexInVisState replaces index appearing in visState params objects
-func ReplaceIndexInVisState(logger *logp.Logger, index string, visState map[string]interface{}) map[string]interface{} {
+func ReplaceIndexInVisState(logger *logp.Logger, index string, visStateJSON string) string {
+
+ var visState map[string]interface{}
+ err := json.Unmarshal([]byte(visStateJSON), &visState)
+ if err != nil {
+ logger.Errorf("Fail to unmarshal visState: %v", err)
+ return visStateJSON
+ }
+
 params, ok := visState["params"].(map[string]interface{})
 if !ok {
- return visState
+ return visStateJSON
 }
 // Don't set it if it was not set before
- if pattern, ok := params["index_pattern"].(string); ok && len(pattern) != 0 {
- params["index_pattern"] = index
- }
-
- if s, ok := params["series"].([]interface{}); ok {
- for i, ser := range s {
- if series, ok := ser.(map[string]interface{}); ok {
- if _, ok := series["series_index_pattern"]; !ok {
- continue
- }
- series["series_index_pattern"] = index
- s[i] = series
- }
- }
- params["series"] = s
+ if pattern, ok := params["index_pattern"].(string); !ok || len(pattern) == 0 {
+ return visStateJSON
 }
- if annotations, ok := params["annotations"].([]interface{}); ok {
- for i, ann := range annotations {
- annotation, ok := ann.(map[string]interface{})
- if !ok {
- continue
- }
- if _, ok = annotation["index_pattern"]; !ok {
- continue
- }
- annotation["index_pattern"] = index
- annotations[i] = annotation
- }
- params["annotations"] = annotations
- }
+ params["index_pattern"] = index
- if expr, ok := params["expression"].(string); ok {
- params["expression"] = timeLionIdxRegexp.ReplaceAllString(expr, `index="`+index+`"`)
+ d, err := json.Marshal(visState)
+ if err != nil {
+ logger.Errorf("Fail to marshal visState: %v", err)
+ return visStateJSON
 }
- visState["params"] = replaceIndexInParamControls(logger, index, params)
-
- return visState
+ return string(d)
 }
 // ReplaceIndexInDashboardObject replaces references to the index pattern in dashboard objects
@@ -210,28 +195,10 @@ func ReplaceIndexInDashboardObject(index string, content []byte) []byte {
 attributes["kibanaSavedObjectMeta"] = ReplaceIndexInSavedObject(logger, index, kibanaSavedObject)
 }
- if visState, ok := attributes["visState"].(map[string]interface{}); ok {
+ if visState, ok := attributes["visState"].(string); ok {
 attributes["visState"] = ReplaceIndexInVisState(logger, index, visState)
 }
- if layerListJSON, ok := attributes["layerListJSON"].([]interface{}); ok {
- attributes["layerListJSON"] = replaceIndexInLayerListJSON(logger, index, layerListJSON)
- }
-
- if mapStateJSON, ok := attributes["mapStateJSON"].(map[string]interface{}); ok {
- attributes["mapStateJSON"] = replaceIndexInMapStateJSON(logger, index, mapStateJSON)
- }
-
- if panelsJSON, ok := attributes["panelsJSON"].([]interface{}); ok {
- attributes["panelsJSON"] = replaceIndexInPanelsJSON(logger, index, panelsJSON)
- }
-
- objectMap["attributes"] = attributes
-
- if references, ok := objectMap["references"].([]interface{}); ok {
- objectMap["references"] = replaceIndexInReferences(index, references)
- }
-
 b, err := json.Marshal(objectMap)
 if err != nil {
 logger.Error("Error marshaling modified dashboard: %+v", err)
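Review bot: `ReplaceIndexInVisState` now round-trips the whole `visState` string through `json.Unmarshal` into `map[string]interface{}` and back through `json.Marshal`, which rewrites every field rather than just `params.index_pattern`: keys are re-sorted, every number becomes a float64 (integers above 2^53 lose precision) and any formatting Kibana emitted is normalized away. If only `index_pattern` is meant to change, decode with `dec := json.NewDecoder(bytes.NewReader([]byte(visStateJSON)))` and `dec.UseNumber()` so numeric literals survive the round trip (`bytes` is already imported), and keep returning the untouched input on every early-return path as the new code does. The two log messages `"Fail to unmarshal visState: %v"` / `"Fail to marshal visState: %v"` should read `"failed to unmarshal visState: %v"` and `"failed to marshal visState: %v"`. Separately, the `series`, `annotations`, `expression` (timelion) and control rewriting removed here, and the `layerListJSON`/`mapStateJSON`/`panelsJSON`/`references` handling removed in the `@@ -210` hunk below, mean those index references are no longer replaced — if this is a rebase regression rather than a deliberate scope cut, affected dashboards will keep the placeholder index.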
@@ -241,121 +208,6 @@ func ReplaceIndexInDashboardObject(index string, content []byte) []byte {
 return b
 }
-func replaceIndexInLayerListJSON(logger *logp.Logger, index string, layerListJSON []interface{}) []interface{} {
- for i, layerListElem := range layerListJSON {
- elem, ok := layerListElem.(map[string]interface{})
- if !ok {
- continue
- }
-
- if joins, ok := elem["joins"].([]interface{}); ok {
- for j, join := range joins {
- if pos, ok := join.(map[string]interface{}); ok {
- for key, val := range pos {
- if joinElems, ok := val.(map[string]interface{}); ok {
- if _, ok := joinElems["indexPatternTitle"]; ok {
- joinElems["indexPatternTitle"] = index
- pos[key] = joinElems
- }
- }
- }
- joins[j] = pos
- }
- }
- elem["joins"] = joins
- }
- if descriptor, ok := elem["sourceDescriptor"].(map[string]interface{}); ok {
- if _, ok := descriptor["indexPatternId"]; ok {
- descriptor["indexPatternId"] = index
- }
- elem["sourceDescriptor"] = descriptor
- }
-
- layerListJSON[i] = elem
- }
- return layerListJSON
-}
-
-func replaceIndexInMapStateJSON(logger *logp.Logger, index string, mapState map[string]interface{}) map[string]interface{} {
- if filters, ok := mapState["filters"].([]interface{}); ok {
- for i, f := range filters {
- if filter, ok := f.(map[string]interface{}); ok {
- if meta, ok := filter["meta"].(map[string]interface{}); ok {
- if _, ok := meta["index"]; !ok {
- continue
- }
- meta["index"] = index
- filter["meta"] = meta
- }
- filters[i] = filter
- }
- }
- mapState["filters"] = filters
- }
-
- return mapState
-}
-
-func replaceIndexInPanelsJSON(logger *logp.Logger, index string, panelsJSON []interface{}) []interface{} {
- for i, p := range panelsJSON {
- if panel, ok := p.(map[string]interface{}); ok {
- config, ok := panel["embeddableConfig"].(map[string]interface{})
- if !ok {
- continue
- }
- if configAttr, ok := config["attributes"].(map[string]interface{}); ok {
- if references, ok := configAttr["references"].([]interface{}); ok {
- configAttr["references"] = replaceIndexInReferences(index, references)
- }
- if layerListJSON, ok := configAttr["layerListJSON"].([]interface{}); ok {
- configAttr["layerListJSON"] = replaceIndexInLayerListJSON(logger, index, layerListJSON)
- }
- config["attributes"] = configAttr
- }
-
- if savedVis, ok := config["savedVis"].(map[string]interface{}); ok {
- if params, ok := savedVis["params"].(map[string]interface{}); ok {
- savedVis["params"] = replaceIndexInParamControls(logger, index, params)
- }
- config["savedVis"] = savedVis
- }
-
- panel["embeddableConfig"] = config
- panelsJSON[i] = panel
- }
- }
- return panelsJSON
-}
-
-func replaceIndexInParamControls(logger *logp.Logger, index string, params map[string]interface{}) map[string]interface{} {
- if controlsList, ok := params["controls"].([]interface{}); ok {
- for i, ctrl := range controlsList {
- if control, ok := ctrl.(map[string]interface{}); ok {
- if _, ok := control["indexPattern"]; ok {
- control["indexPattern"] = index
- controlsList[i] = control
- }
- }
- }
- params["controls"] = controlsList
- }
- return params
-}
-
-func replaceIndexInReferences(index string, references []interface{}) []interface{} {
- for i, ref := range references {
- if reference, ok := ref.(map[string]interface{}); ok {
- if refType, ok := reference["type"].(string); ok {
- if refType == "index-pattern" {
- reference["id"] = index
- }
- }
- references[i] = reference
- }
- }
- return references
-}
-
 func EncodeJSONObjects(content []byte) []byte {
 logger := logp.NewLogger("dashboards")
diff --git a/libbeat/dashboards/modify_json_test.go b/libbeat/dashboards/modify_json_test.go
index 389e8b416a7..48f0fe972c9 100644
--- a/libbeat/dashboards/modify_json_test.go
+++ b/libbeat/dashboards/modify_json_test.go
@@ -77,34 +77,9 @@ func TestReplaceIndexInDashboardObject(t *testing.T) {
 []byte(`{"attributes":{"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"otherindex-*\"}"}}}`),
 },
 {
- []byte(`{"attributes":{"layerListJSON":[{"joins":[{"leftField":"iso2","right":{"indexPatternTitle":"filebeat-*"}}]}]}}`),
+ []byte(`{"attributes":{"kibanaSavedObjectMeta":{"visState":"{\"params\":{\"index_pattern\":\"metricbeat-*\"}}"}}}`),
 "otherindex-*",
- []byte(`{"attributes":{"layerListJSON":[{"joins":[{"leftField":"iso2","right":{"indexPatternTitle":"otherindex-*"}}]}]}}`),
- },
- {
- []byte(`{"attributes":{"panelsJSON":[{"embeddableConfig":{"attributes":{"references":[{"id":"filebeat-*","type":"index-pattern"}]}}}]}}`),
- "otherindex-*",
- []byte(`{"attributes":{"panelsJSON":[{"embeddableConfig":{"attributes":{"references":[{"id":"otherindex-*","type":"index-pattern"}]}}}]}}`),
- },
- {
- []byte(`{"attributes":{},"references":[{"id":"auditbeat-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}]}`),
- "otherindex-*",
- []byte(`{"attributes":{},"references":[{"id":"otherindex-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}]}`),
- },
- {
- []byte(`{"attributes":{"visState":{"params":{"index_pattern":"winlogbeat-*"}}}}`),
- "otherindex-*",
- []byte(`{"attributes":{"visState":{"params":{"index_pattern":"otherindex-*"}}}}`),
- },
- {
- []byte(`{"attributes":{"visState":{"params":{"series":[{"series_index_pattern":"filebeat-*"}]}}}}`),
- "otherindex-*",
- []byte(`{"attributes":{"visState":{"params":{"series":[{"series_index_pattern":"otherindex-*"}]}}}}`),
- },
- {
- []byte(`{"attributes":{"mapStateJSON":{"filters":[{"meta":{"index":"filebeat-*"}}]}}}`),
- "otherindex-*",
- []byte(`{"attributes":{"mapStateJSON":{"filters":[{"meta":{"index":"otherindex-*"}}]}}}`),
+ []byte(`{"attributes":{"kibanaSavedObjectMeta":{"visState":"{\"params\":{\"index_pattern\":\"otherindex-*\"}}"}}}`),
 },
 }
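Review bot: The one remaining visState row only exercises the string nested under kibanaSavedObjectMeta; the sibling `attributes["visState"]` string branch of ReplaceIndexInDashboardObject (the case the deleted `attributes.visState` row used to cover) and the new invalid-JSON fallback in ReplaceIndexInVisState are left untested. Two more rows would close that gap: input `{"attributes":{"visState":"{\"params\":{\"index_pattern\":\"winlogbeat-*\"}}"}}` with index `otherindex-*` expecting `{"attributes":{"visState":"{\"params\":{\"index_pattern\":\"otherindex-*\"}}"}}`, and input `{"attributes":{"visState":"not json"}}` expecting the same bytes back unchanged. Note that the expected strings assume json.Marshal's sorted-key output, so a row whose visState has more than one key will expose the key reordering the round-trip introduces. The test table lives inside TestReplaceIndexInDashboardObject, whose start and end are outside the hunk.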
diff --git a/libbeat/docs/shared-docker.asciidoc b/libbeat/docs/shared-docker.asciidoc
index 2e7e04e6c7a..6b73a6d90a7 100644
--- a/libbeat/docs/shared-docker.asciidoc
+++ b/libbeat/docs/shared-docker.asciidoc
@@ -294,7 +294,10 @@ ifeval::["{beatname_lc}"!="auditbeat"]
 ["source", "dockerfile", subs="attributes"]
 --------------------------------------------
 FROM {dockerimage}
-COPY --chown=root:{beatname_lc} {beatname_lc}.yml /usr/share/{beatname_lc}/{beatname_lc}.yml
+COPY {beatname_lc}.yml /usr/share/{beatname_lc}/{beatname_lc}.yml
+USER root
+RUN chown root:{beatname_lc} /usr/share/{beatname_lc}/{beatname_lc}.yml
+USER {beatname_lc}
 --------------------------------------------
 endif::[]
diff --git a/libbeat/metric/system/cgroup/cgcommon/metrics.go b/libbeat/metric/system/cgroup/cgcommon/metrics.go
index 32d5a31803f..1791ba2ffc3 100644
--- a/libbeat/metric/system/cgroup/cgcommon/metrics.go
+++ b/libbeat/metric/system/cgroup/cgcommon/metrics.go
@@ -58,6 +58,7 @@ func (p Pressure) IsZero() bool {
 // See https://github.com/torvalds/linux/blob/master/Documentation/accounting/psi.rst
 func GetPressure(path string) (map[string]Pressure, error) {
 pressureData := make(map[string]Pressure)
+
 f, err := os.Open(path)
 // pass along any OS open errors directly
 if err != nil {
diff --git a/libbeat/metric/system/cgroup/cgstats.go b/libbeat/metric/system/cgroup/cgstats.go
index 0fecf06232c..e218ad04fc8 100644
--- a/libbeat/metric/system/cgroup/cgstats.go
+++ b/libbeat/metric/system/cgroup/cgstats.go
@@ -18,13 +18,13 @@ package cgroup
 import (
+ "runtime"
 "time"
 "github.com/pkg/errors"
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/libbeat/common/transform/typeconv"
- "github.com/elastic/beats/v7/libbeat/metric/system/numcpu"
 "github.com/elastic/beats/v7/libbeat/opt"
 )
@@ -69,11 +69,13 @@ func (curStat *StatsV1) FillPercentages(prev CGStats, curTime, prevTime time.Tim
 totalCPUDeltaNanos := int64(curStat.CPUAccounting.Total.NS - prevStat.CPUAccounting.Total.NS)
 pct := float64(totalCPUDeltaNanos) / float64(timeDeltaNanos)
+ // Avoid using NumCPU unless we need to; the values in UsagePerCPU are more likely to reflect the running conditions of the cgroup
+ // NumCPU can vary based on the conditions of the running metricbeat process, as it uses Affinity Masks, not hardware data.
 var cpuCount int
 if len(curStat.CPUAccounting.UsagePerCPU) > 0 {
 cpuCount = len(curStat.CPUAccounting.UsagePerCPU)
 } else {
- cpuCount = numcpu.NumCPU()
+ cpuCount = runtime.NumCPU()
 }
 // if you look at the raw cgroup stats, the following normalized value is literally an average of per-cpu numbers.
@@ -130,7 +132,7 @@ func (curStat *StatsV2) FillPercentages(prev CGStats, curTime, prevTime time.Tim
 pct := float64(totalCPUDeltaNanos) / float64(timeDeltaNanos)
- cpuCount := numcpu.NumCPU()
+ cpuCount := runtime.NumCPU()
 // if you look at the raw cgroup stats, the following normalized value is literally an average of per-cpu numbers.
 normalizedPct := pct / float64(cpuCount)
diff --git a/libbeat/metric/system/cpu/cpu.go b/libbeat/metric/system/cpu/cpu.go
index fc14652e6ac..c27687a85ce 100644
--- a/libbeat/metric/system/cpu/cpu.go
+++ b/libbeat/metric/system/cpu/cpu.go
@@ -20,8 +20,9 @@ package cpu
 import (
+ "runtime"
+
 "github.com/elastic/beats/v7/libbeat/common"
- "github.com/elastic/beats/v7/libbeat/metric/system/numcpu"
 sigar "github.com/elastic/gosigar"
 )
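Review bot: In the StatsV2.FillPercentages hunk `cpuCount := runtime.NumCPU()` is used unconditionally, without the caveat the same commit adds to StatsV1 that runtime.NumCPU reflects this process's affinity mask rather than the hardware or the monitored cgroup. When metricbeat itself runs under a restricted cpuset (common in containers) while the cgroup it reports on does not, `normalizedPct` is divided by too small a count and can exceed 1 for the v2 path, with no per-CPU fallback to catch it. At minimum the V1 comment belongs here as well, e.g. `// runtime.NumCPU reflects metricbeat's own affinity mask, not the monitored cgroup; percentages are normalized against that count.`; if the parsed v2 stats expose a per-CPU or cpuset-derived count, preferring it the way V1 prefers UsagePerCPU would be the real fix. Both FillPercentages bodies continue outside the hunks.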
@@ -61,7 +62,7 @@ func (m *LoadMetrics) Averages() LoadAverages {
 // NormalizedAverages return the CPU load averages normalized by the NumCPU.
 // These values should range from 0 to 1.
 func (m *LoadMetrics) NormalizedAverages() LoadAverages {
- cpus := numcpu.NumCPU()
+ cpus := runtime.NumCPU()
 return LoadAverages{
 OneMinute: common.Round(m.sample.One/float64(cpus), common.DefaultDecimalPlacesCount),
 FiveMinute: common.Round(m.sample.Five/float64(cpus), common.DefaultDecimalPlacesCount),
diff --git a/libbeat/metric/system/diskio/diskstat_linux.go b/libbeat/metric/system/diskio/diskstat_linux.go
index 964fbf7663d..5ab0f7e3723 100644
--- a/libbeat/metric/system/diskio/diskstat_linux.go
+++ b/libbeat/metric/system/diskio/diskstat_linux.go
@@ -20,10 +20,10 @@ package diskio
 import (
+ "runtime"
+
 "github.com/pkg/errors"
 "github.com/shirou/gopsutil/disk"
-
- "github.com/elastic/beats/v7/libbeat/metric/system/numcpu"
 )
 // GetCLKTCK emulates the _SC_CLK_TCK syscall
@@ -63,7 +63,7 @@ func (stat *IOStat) CalcIOStatistics(counter disk.IOCountersStat) (IOMetric, err
 }
 // calculate the delta ms between the CloseSampling and OpenSampling
- deltams := 1000.0 * float64(stat.curCPU.Total()-stat.lastCPU.Total()) / float64(numcpu.NumCPU()) / float64(GetCLKTCK())
+ deltams := 1000.0 * float64(stat.curCPU.Total()-stat.lastCPU.Total()) / float64(runtime.NumCPU()) / float64(GetCLKTCK())
 if deltams <= 0 {
 return IOMetric{}, errors.New("The delta cpu time between close sampling and open sampling is less or equal to 0")
 }
diff --git a/libbeat/metric/system/numcpu/cpu_bsd.go b/libbeat/metric/system/numcpu/cpu_bsd.go
deleted file mode 100644
index 1b0c4142ed4..00000000000
--- a/libbeat/metric/system/numcpu/cpu_bsd.go
+++ /dev/null
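Review bot: The doc comment directly above the changed line still promises "These values should range from 0 to 1", but `cpus := runtime.NumCPU()` counts the CPUs this process may be scheduled on (its affinity mask), while the load averages in `m.sample` are presumably system-wide; under a restricted affinity mask or cpuset the normalized values can therefore exceed 1. The comment should state the limitation rather than the old guarantee, e.g. `// Normalized by runtime.NumCPU, i.e. this process's schedulable CPUs; values can exceed 1 when the affinity mask is narrower than the host.` The remainder of NormalizedAverages is outside the hunk.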
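Review bot: In the CalcIOStatistics hunk `deltams` divides the CPU tick delta, which is presumably aggregated over all CPUs the kernel reports, by `runtime.NumCPU()`, the count of CPUs metricbeat may run on; with a restricted affinity mask or cpuset the divisor is too small, `deltams` is overestimated, and every per-millisecond IO rate derived from it is understated. The `deltams <= 0` guard does not catch this because the value is merely too large, not negative. A comment at the division would at least make the assumption visible: `// runtime.NumCPU is affinity-based; a narrowed mask overestimates deltams`. CalcIOStatistics starts and ends outside the hunk.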
@@ -1,55 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// +build openbsd freebsd - -package numcpu - -/* -#include -#include -#include -#include -#include -*/ -import "C" - -import ( - "syscall" - "unsafe" -) - -// getCPU implements NumCPU on openbsd -// This is just using the HW_NCPU sysctl value. -func getCPU() (int, bool, error) { - - // Get count of available CPUs - ncpuMIB := [2]int32{C.CTL_HW, C.HW_NCPU} - callSize := uintptr(0) - var ncpu int - // Get size of return value. - _, _, errno := syscall.Syscall6(syscall.SYS___SYSCTL, uintptr(unsafe.Pointer(&ncpuMIB[0])), 2, 0, uintptr(unsafe.Pointer(&callSize)), 0, 0) - - if errno != 0 || callSize == 0 { - return -1, false, errno - } - - // Get CPU count - _, _, errno = syscall.Syscall6(syscall.SYS___SYSCTL, uintptr(unsafe.Pointer(&ncpuMIB[0])), 2, uintptr(unsafe.Pointer(&ncpu)), uintptr(unsafe.Pointer(&callSize)), 0, 0) - - return ncpu, true, nil -} diff --git a/libbeat/metric/system/numcpu/cpu_cgo.go b/libbeat/metric/system/numcpu/cpu_cgo.go deleted file mode 100644 index fe6da963daf..00000000000 --- a/libbeat/metric/system/numcpu/cpu_cgo.go +++ /dev/null 
@@ -1,26 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// +build freebsd,!cgo openbsd,!cgo - -package numcpu - -// getCPU is the fallback for unimplemented platforms -func getCPU() (int, bool, error) { - - return -1, false, nil -} diff --git a/libbeat/metric/system/numcpu/cpu_linux.go b/libbeat/metric/system/numcpu/cpu_linux.go deleted file mode 100644 index d8f2e9f821c..00000000000 --- a/libbeat/metric/system/numcpu/cpu_linux.go +++ /dev/null 
@@ -1,93 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package numcpu - -import ( - "fmt" - "io/ioutil" - "os" - "path/filepath" - "strings" - - "github.com/pkg/errors" - - "github.com/elastic/beats/v7/libbeat/paths" -) - -// getCPU implements NumCPU on linux -// see https://www.kernel.org/doc/Documentation/admin-guide/cputopology.rst -func getCPU() (int, bool, error) { - - // These are the files that LSCPU looks for - // This will report online CPUs, which are are the logical CPUS - // that are currently online and scheduleable by the system. - // Some users may expect a "present" count, which reflects what - // CPUs are available to the OS, online or off. - // These two values will only differ in cases where CPU hotplugging is in affect. - // This env var swaps between them. 
- _, isPresent := os.LookupEnv("LINUX_CPU_COUNT_PRESENT") - var cpuPath = "/sys/devices/system/cpu/online" - if isPresent { - cpuPath = "/sys/devices/system/cpu/present" - } - sysfspath := filepath.Join(paths.Paths.Hostfs, cpuPath) - - rawFile, err := ioutil.ReadFile(sysfspath) - // if the file doesn't exist, assume it's a support issue and not a bug - if errors.Is(err, os.ErrNotExist) { - return -1, false, nil - } - if err != nil { - return -1, false, errors.Wrapf(err, "error reading file %s", sysfspath) - } - - cpuCount, err := parseCPUList(string(rawFile)) - if err != nil { - return -1, false, errors.Wrapf(err, "error parsing file %s", sysfspath) - } - return cpuCount, true, nil -} - -// parse the weird list files we get from sysfs -func parseCPUList(raw string) (int, error) { - - listPart := strings.Split(raw, ",") - count := 0 - for _, v := range listPart { - if strings.Contains(v, "-") { - rangeC, err := parseCPURange(v) - if err != nil { - return 0, errors.Wrapf(err, "error parsing line %s", v) - } - count = count + rangeC - } else { - count++ - } - } - return count, nil -} - -func parseCPURange(cpuRange string) (int, error) { - var first, last int - _, err := fmt.Sscanf(cpuRange, "%d-%d", &first, &last) - if err != nil { - return 0, errors.Wrapf(err, "error reading from range %s", cpuRange) - } - - return (last - first) + 1, nil -} diff --git a/libbeat/metric/system/numcpu/cpu_linux_test.go b/libbeat/metric/system/numcpu/cpu_linux_test.go deleted file mode 100644 index af761ad70c9..00000000000 --- a/libbeat/metric/system/numcpu/cpu_linux_test.go +++ /dev/null 
@@ -1,49 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package numcpu - -import ( - "testing" - - "github.com/stretchr/testify/assert" -) - -func TestCPUParse(t *testing.T) { - - type cpuInput struct { - input string - platform string - expected int - } - - cpuList := []cpuInput{ - {input: "0-23", platform: "basic X86", expected: 24}, - {input: "0-1", platform: "ARMv7", expected: 2}, - {input: "0-63", platform: "POWER7", expected: 64}, - {input: "0", platform: "QEMU", expected: 1}, - {input: "0-1,3", platform: "Kernel docs example 1", expected: 3}, - {input: "2,4-31,32-63", platform: "Kernel docs example 2", expected: 61}, - } - - for _, cpuTest := range cpuList { - res, err := parseCPUList(cpuTest.input) - assert.NoError(t, err, cpuTest.platform) - assert.Equal(t, cpuTest.expected, res, cpuTest.platform) - } - -} diff --git a/libbeat/metric/system/numcpu/cpu_other.go b/libbeat/metric/system/numcpu/cpu_other.go deleted file mode 100644 index 9e7bca21d6f..00000000000 --- a/libbeat/metric/system/numcpu/cpu_other.go +++ /dev/null 
@@ -1,26 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// +build !linux,!freebsd,!openbsd,!windows - -package numcpu - -// getCPU is the fallback for unimplemented platforms -func getCPU() (int, bool, error) { - - return -1, false, nil -} diff --git a/libbeat/metric/system/numcpu/cpu_windows.go b/libbeat/metric/system/numcpu/cpu_windows.go deleted file mode 100644 index b5ddd766968..00000000000 --- a/libbeat/metric/system/numcpu/cpu_windows.go +++ /dev/null 
@@ -1,38 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package numcpu - -import ( - "github.com/pkg/errors" - - "github.com/elastic/gosigar/sys/windows" -) - -// getCPU implements NumCPU on windows -// For now, this is a bit of a hack that just asks for per-CPU performance data, and reports the CPU count -func getCPU() (int, bool, error) { - - // get per-cpu data - cpus, err := windows.NtQuerySystemProcessorPerformanceInformation() - if err != nil { - return -1, false, errors.Wrap(err, "NtQuerySystemProcessorPerformanceInformation failed") - } - - return len(cpus), true, nil - -} diff --git a/libbeat/metric/system/numcpu/numcpu.go b/libbeat/metric/system/numcpu/numcpu.go deleted file mode 100644 index 1e328d349a2..00000000000 --- a/libbeat/metric/system/numcpu/numcpu.go +++ /dev/null 
@@ -1,46 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package numcpu - -import ( - "runtime" - - "github.com/elastic/beats/v7/libbeat/logp" -) - -// NumCPU is a drop-in replacement for runtime.NumCPU for accurate system config reporting. -// runtime.NumCPU doesn't query any kind of hardware or OS state, -// but merely uses affinity APIs to count what CPUs the given go process is available to run on. -// Most of the time this works okay for reporting metrics, but under certain conditions, such as cases where -// affinity masks are being manually set to manage the go process, or certain job controllers/VMs/etc, -// this number will not reflect the system config. -// Because this is drop-in, it will not return an error. -// if it can't fetch the CPU count the "correct" way, it'll fallback to runtime.NumCPU(). -func NumCPU() int { - count, exists, err := getCPU() - if err != nil { - logp.L().Debugf("Error fetching CPU count: %s", err) - return runtime.NumCPU() - } - if !exists { - logp.L().Debugf("Accurate CPU counts not available on platform, falling back to runtime.NumCPU for metrics") - return runtime.NumCPU() - } - - return count -} 
diff --git a/libbeat/metric/system/numcpu/numcpu_test.go b/libbeat/metric/system/numcpu/numcpu_test.go deleted file mode 100644 index 12ceba74512..00000000000 --- a/libbeat/metric/system/numcpu/numcpu_test.go +++ /dev/null @@ -1,40 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package numcpu - -import ( - "testing" - - "github.com/stretchr/testify/assert" -) - -func TestGetCPU(t *testing.T) { - cpuCount, exists, err := getCPU() - assert.NoError(t, err, "getCPU") - if exists { - assert.Greater(t, cpuCount, 0) - t.Logf("Got actual CPU counts.") - } - t.Logf("CPU Count: %d", cpuCount) -} - -func TestNumCPU(t *testing.T) { - cpuCount := NumCPU() - assert.NotEqual(t, -1, cpuCount) - t.Logf("CPU Count: %d", cpuCount) -} diff --git a/libbeat/metric/system/process/process.go b/libbeat/metric/system/process/process.go index 8ec358d3a81..3e3c1a078fd 100644 --- a/libbeat/metric/system/process/process.go +++ b/libbeat/metric/system/process/process.go 
@@ -33,7 +33,6 @@ import (
 "github.com/elastic/beats/v7/libbeat/common/match"
 "github.com/elastic/beats/v7/libbeat/logp"
 "github.com/elastic/beats/v7/libbeat/metric/system/cgroup"
- "github.com/elastic/beats/v7/libbeat/metric/system/numcpu"
 sysinfo "github.com/elastic/go-sysinfo"
 sigar "github.com/elastic/gosigar"
 )
@@ -404,7 +403,7 @@ func GetProcCPUPercentage(s0, s1 *Process) (normalizedPct, pct, totalPct float64
 totalCPUDeltaMillis := int64(s1.CPU.Total - s0.CPU.Total)
 pct := float64(totalCPUDeltaMillis) / float64(timeDeltaMillis)
- normalizedPct := pct / float64(numcpu.NumCPU())
+ normalizedPct := pct / float64(runtime.NumCPU())
 return common.Round(normalizedPct, common.DefaultDecimalPlacesCount), common.Round(pct, common.DefaultDecimalPlacesCount), common.Round(float64(s1.CPU.Total), common.DefaultDecimalPlacesCount)
diff --git a/libbeat/processors/decode_xml/decode_xml_test.go b/libbeat/processors/decode_xml/decode_xml_test.go
index 83ef61ea226..04c3c8847ed 100644
--- a/libbeat/processors/decode_xml/decode_xml_test.go
+++ b/libbeat/processors/decode_xml/decode_xml_test.go
@@ -176,41 +176,6 @@ func TestDecodeXML(t *testing.T) {
 },
 },
 },
- {
- description: "Decoding with an array and mixed-case keys",
- config: decodeXMLConfig{
- Field: "message",
- ToLower: true,
- },
- Input: common.MapStr{
- "message": `
-
-
- N/A
-
-
- N/A
-
-
- `,
- },
- Output: common.MapStr{
- "message": common.MapStr{
- "auditbase": map[string]interface{}{
- "contextcomponents": map[string]interface{}{
- "component": []interface{}{
- map[string]interface{}{
- "relyingparty": "N/A",
- },
- map[string]interface{}{
- "primaryauth": "N/A",
- },
- },
- },
- },
- },
- },
- },
 {
 description: "Decoding with multiple xml objects",
 config: decodeXMLConfig{
diff --git a/libbeat/reader/message.go b/libbeat/reader/message.go
index 79116bfcfad..5798c3a9869 100644
--- a/libbeat/reader/message.go
+++ b/libbeat/reader/message.go
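Review bot: The process.go import hunk drops `numcpu` without adding `"runtime"`, yet the GetProcCPUPercentage hunk now calls `runtime.NumCPU()`; unless `runtime` is already present in the stdlib import group above line 33 (outside the hunk), this file will not compile. The other files this commit converts (cgstats.go, cpu.go, diskstat_linux.go) each add `"runtime"` to their stdlib group, so the same `"runtime"` line should be added here for consistency and to be safe. The affinity-mask caveat the commit writes into cgstats.go applies equally to the `normalizedPct` divisor on the changed line and deserves the same one-line comment. GetProcCPUPercentage begins outside the hunk.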
@@ -20,7 +20,6 @@ package reader import ( "time" - "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" ) @@ -76,21 +75,3 @@ func (m *Message) AddFlagsWithKey(key string, flags ...string) error { return common.AddTagsWithKey(m.Fields, key, flags) } - -// ToEvent converts a Message to an Event that can be published -// to the output. -func (m *Message) ToEvent() beat.Event { - - if len(m.Content) > 0 { - if m.Fields == nil { - m.Fields = common.MapStr{} - } - m.Fields["message"] = string(m.Content) - } - - return beat.Event{ - Timestamp: m.Ts, - Meta: m.Meta, - Fields: m.Fields, - } -} diff --git a/libbeat/reader/message_test.go b/libbeat/reader/message_test.go deleted file mode 100644 index c73576c4767..00000000000 --- a/libbeat/reader/message_test.go +++ /dev/null 
@@ -1,66 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package reader - -import ( - "testing" - - "github.com/stretchr/testify/require" - - "github.com/elastic/beats/v7/libbeat/beat" - "github.com/elastic/beats/v7/libbeat/common" -) - -func TestToEvent(t *testing.T) { - testCases := map[string]struct { - msg Message - expected beat.Event - }{ - "empty message; emtpy event": { - Message{}, - beat.Event{}, - }, - "empty content, one field": { - Message{Fields: common.MapStr{"my_field": "my_value"}}, - beat.Event{Fields: common.MapStr{"my_field": "my_value"}}, - }, - "content, no field": { - Message{Content: []byte("my message")}, - beat.Event{Fields: common.MapStr{"message": "my message"}}, - }, - "content, one field": { - Message{Content: []byte("my message"), Fields: common.MapStr{"my_field": "my_value"}}, - beat.Event{Fields: common.MapStr{"message": "my message", "my_field": "my_value"}}, - }, - "content, message field": { - Message{Content: []byte("my message"), Fields: common.MapStr{"message": "my_message_value"}}, - beat.Event{Fields: common.MapStr{"message": "my message"}}, - }, - "content, meta, message field": { - Message{Content: []byte("my message"), Fields: common.MapStr{"my_field": "my_value"}, 
Meta: common.MapStr{"meta": "id"}}, - beat.Event{Fields: common.MapStr{"message": "my message", "my_field": "my_value"}, Meta: common.MapStr{"meta": "id"}}, - }, - } - - for name, test := range testCases { - t.Run(name, func(t *testing.T) { - require.Equal(t, test.expected, test.msg.ToEvent()) - }) - } - -} diff --git a/libbeat/reader/readfile/bench_test.go b/libbeat/reader/readfile/bench_test.go deleted file mode 100644 index b1f6e7667f6..00000000000 --- a/libbeat/reader/readfile/bench_test.go +++ /dev/null 
@@ -1,83 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package readfile - -import ( - "bytes" - "encoding/hex" - "fmt" - "io" - "io/ioutil" - "math/rand" - "testing" - - "golang.org/x/text/encoding" -) - -func BenchmarkEncoderReader(b *testing.B) { - const ( - bufferSize = 1024 - lineMaxLimit = 1000000 // never hit by the input data - ) - - runBench := func(name string, lineMaxLimit int, lines []byte) { - b.Run(name, func(b *testing.B) { - b.ReportAllocs() - for bN := 0; bN < b.N; bN++ { - reader, err := NewEncodeReader(ioutil.NopCloser(bytes.NewReader(lines)), Config{encoding.Nop, bufferSize, LineFeed, lineMaxLimit}) - if err != nil { - b.Fatal("failed to initialize reader:", err) - } - // Read decodec lines and test - size := 0 - for i := 0; ; i++ { - msg, err := reader.Next() - if err != nil { - if err == io.EOF { - b.ReportMetric(float64(i), "processed_lines") - break - } else { - b.Fatal("unexpected error:", err) - } - } - size += msg.Bytes - } - b.ReportMetric(float64(size), "processed_bytes") - } - }) - } - - runBench("buffer-sized lines", lineMaxLimit, createBenchmarkLines(100, 1020)) - runBench("short lines", lineMaxLimit, createBenchmarkLines(100, 10)) - runBench("long lines", lineMaxLimit, 
createBenchmarkLines(100, 10_000)) - // short lineMaxLimit to exercise skipUntilNewLine - runBench("skip lines", 1024, createBenchmarkLines(100, 10_000)) -} - -func createBenchmarkLines(numLines int, lineLength int) []byte { - buf := bytes.NewBuffer(nil) - for i := 0; i < numLines; i++ { - line := make([]byte, hex.DecodedLen(lineLength)) - if _, err := rand.Read(line); err != nil { - panic(fmt.Sprintf("failed to generate random input: %v", err)) - } - buf.WriteString(hex.EncodeToString(line)) - buf.WriteRune('\n') - } - return buf.Bytes() -} diff --git a/libbeat/reader/readfile/line.go b/libbeat/reader/readfile/line.go index 78331a7d246..c36b524dde2 100644 --- a/libbeat/reader/readfile/line.go +++ b/libbeat/reader/readfile/line.go @@ -30,11 +30,12 @@ import ( const unlimited = 0 -// LineReader reads lines from underlying reader, decoding the input stream +// lineReader reads lines from underlying reader, decoding the input stream // using the configured codec. The reader keeps track of bytes consumed // from raw input stream for every decoded line. type LineReader struct { reader io.ReadCloser + bufferSize int maxBytes int // max bytes per line limit to avoid OOM with malformatted files nl []byte decodedNl []byte @@ -43,11 +44,10 @@ type LineReader struct { inOffset int // input buffer read offset byteCount int // number of bytes decoded from input buffer into output buffer decoder transform.Transformer - tempBuffer []byte logger *logp.Logger } -// NewLineReader creates a new reader object +// New creates a new reader object func NewLineReader(input io.ReadCloser, config Config) (*LineReader, error) { encoder := config.Codec.NewEncoder() 
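Review bot: The doc comments in the two line.go hunks no longer start with the name they document: `// lineReader reads lines from underlying reader, decoding the input stream` now sits on the exported `type LineReader struct`, and `// New creates a new reader object` on `func NewLineReader`, which golint/staticcheck report and godoc renders misleadingly. Keep them as `// LineReader reads lines from underlying reader, decoding the input stream` and `// NewLineReader creates a new reader object.`. The struct body and NewLineReader continue outside these hunks.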
@@ -64,13 +64,13 @@ func NewLineReader(input io.ReadCloser, config Config) (*LineReader, error) { return &LineReader{ reader: input, + bufferSize: config.BufferSize, maxBytes: config.MaxBytes, decoder: config.Codec.NewDecoder(), nl: nl, decodedNl: terminator, inBuffer: streambuf.New(nil), outBuffer: streambuf.New(nil), - tempBuffer: make([]byte, config.BufferSize), logger: logp.NewLogger("reader_line"), }, nil } @@ -133,17 +133,18 @@ func (r *LineReader) advance() error { r.inOffset = newOffset } + buf := make([]byte, r.bufferSize) + // Try to read more bytes into buffer - n, err := r.reader.Read(r.tempBuffer) + n, err := r.reader.Read(buf) if err == io.EOF && n > 0 { // Continue processing the returned bytes. The next call will yield EOF with 0 bytes. err = nil } - // Write to buffer also in case of err - r.inBuffer.Write(r.tempBuffer[:n]) - + // Appends buffer also in case of err + r.inBuffer.Append(buf[:n]) if err != nil { return err } @@ -169,7 +170,7 @@ func (r *LineReader) advance() error { // If newLine is not found and the incoming data buffer exceeded max bytes limit, then skip until the next newLine if idx == -1 && r.inBuffer.Len() > r.maxBytes { - skipped, err := r.skipUntilNewLine() + skipped, err := r.skipUntilNewLine(buf) if err != nil { r.logger.Error("Error skipping until new line, err:", err) return err @@ -203,7 +204,7 @@ func (r *LineReader) advance() error { return err } -func (r *LineReader) skipUntilNewLine() (int, error) { +func (r *LineReader) skipUntilNewLine(buf []byte) (int, error) { // The length of the line skipped skipped := r.inBuffer.Len() 
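Review bot: `buf := make([]byte, r.bufferSize)` in `advance` allocates a fresh read buffer on every call, and the `decode` hunk on the next line allocates `buffer := make([]byte, 1024)` per call with a hard-coded size unrelated to `config.BufferSize`; the removed side sized a single `tempBuffer` once in NewLineReader and reused it in all three places. For a reader invoked once per line this is a steady allocation stream on the hot path, and together with the deletion of `bench_test.go` earlier on this page it reads like an unrelated allocation fix being undone rather than part of OpenMetrics support. If the per-call allocation is deliberate because `streambuf.Append` may retain the slice it is handed, say so in a comment beside the `make`; otherwise restore the pooled buffer. advance() starts and ends outside the hunk.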
@@ -220,14 +221,14 @@ func (r *LineReader) skipUntilNewLine() (int, error) { // Read until the new line is found for idx := -1; idx == -1; { - n, err := r.reader.Read(r.tempBuffer) + n, err := r.reader.Read(buf) // Check bytes read for newLine if n > 0 { - idx = bytes.Index(r.tempBuffer[:n], r.nl) + idx = bytes.Index(buf[:n], r.nl) if idx != -1 { - r.inBuffer.Write(r.tempBuffer[idx+len(r.nl) : n]) + r.inBuffer.Append(buf[idx+len(r.nl) : n]) skipped += idx } else { skipped += n @@ -248,13 +249,14 @@ func (r *LineReader) skipUntilNewLine() (int, error) { func (r *LineReader) decode(end int) (int, error) { var err error + buffer := make([]byte, 1024) inBytes := r.inBuffer.Bytes() start := 0 for start < end { var nDst, nSrc int - nDst, nSrc, err = r.decoder.Transform(r.tempBuffer, inBytes[start:end], false) + nDst, nSrc, err = r.decoder.Transform(buffer, inBytes[start:end], false) if err != nil { // Check if error is different from destination buffer too short if err != transform.ErrShortDst { @@ -268,7 +270,7 @@ func (r *LineReader) decode(end int) (int, error) { } start += nSrc - r.outBuffer.Write(r.tempBuffer[:nDst]) + r.outBuffer.Write(buffer[:nDst]) } r.byteCount += start diff --git a/libbeat/reader/readfile/metafields.go b/libbeat/reader/readfile/metafields.go index 734069b5950..8d6c34eca63 100644 --- a/libbeat/reader/readfile/metafields.go +++ b/libbeat/reader/readfile/metafields.go @@ -51,9 +51,7 @@ func (r *FileMetaReader) Next() (reader.Message, error) { message.Fields.DeepUpdate(common.MapStr{ "log": common.MapStr{ "offset": r.offset, - "file": common.MapStr{ - "path": r.path, - }, + "path": r.path, }, }) return message, err diff --git a/libbeat/reader/readfile/metafields_test.go b/libbeat/reader/readfile/metafields_test.go index 978591c1b1b..eb198a776c0 100644 --- a/libbeat/reader/readfile/metafields_test.go +++ b/libbeat/reader/readfile/metafields_test.go 
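Review bot: The metafields.go hunk moves the file path from `log.file.path` to `log.path`, which departs from ECS, where the path of a log file is `log.file.path`; dashboards, ingest pipelines and detection rules keyed on that field stop matching the events this reader produces, and the metafields_test.go hunk on the next line pins the non-ECS shape. If this is intentional it needs a changelog entry and a comment on the map, `// NOTE: "path" is not the ECS log.file.path field`; otherwise keep the nested `"file": common.MapStr{"path": r.path}`. FileMetaReader.Next continues outside the hunk.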
@@ -60,9 +60,7 @@ func TestMetaFieldsOffset(t *testing.T) { if len(msg.Content) != 0 { expectedFields = common.MapStr{ "log": common.MapStr{ - "file": common.MapStr{ - "path": path, - }, + "path": path, "offset": offset, }, } diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index 6c18412767b..2c57769dadc 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -12029,6 +12029,19 @@ type: long -- +*`docker.diskio.reads`*:: ++ +-- + +deprecated:[6.4] + +Number of current reads per second + + +type: scaled_float + +-- + [float] === write @@ -12098,6 +12111,19 @@ type: long -- +*`docker.diskio.writes`*:: ++ +-- + +deprecated:[6.4] + +Number of current writes per second + + +type: scaled_float + +-- + [float] === summary @@ -12167,6 +12193,19 @@ type: long -- +*`docker.diskio.total`*:: ++ +-- + +deprecated:[6.4] + +Number of reads and writes per second + + +type: scaled_float + +-- + [float] === event 
@@ -12664,6 +12703,104 @@ type: keyword -- +[float] +=== in + +Incoming network stats per second. + + + +*`docker.network.in.bytes`*:: ++ +-- +Total number of incoming bytes. + + +type: long + +format: bytes + +-- + +*`docker.network.in.dropped`*:: ++ +-- +Total number of dropped incoming packets. + + +type: scaled_float + +-- + +*`docker.network.in.errors`*:: ++ +-- +Total errors on incoming packets. + + +type: long + +-- + +*`docker.network.in.packets`*:: ++ +-- +Total number of incoming packets. + + +type: long + +-- + +[float] +=== out + +Outgoing network stats per second. + + + +*`docker.network.out.bytes`*:: ++ +-- +Total number of outgoing bytes. + + +type: long + +format: bytes + +-- + +*`docker.network.out.dropped`*:: ++ +-- +Total number of dropped outgoing packets. + + +type: scaled_float + +-- + +*`docker.network.out.errors`*:: ++ +-- +Total errors on outgoing packets. + + +type: long + +-- + +*`docker.network.out.packets`*:: ++ +-- +Total number of outgoing packets. + + +type: long + +-- + [float] === inbound diff --git a/metricbeat/mb/module/wrapper.go b/metricbeat/mb/module/wrapper.go index c3d279d2859..8d18dfbe552 100644 --- a/metricbeat/mb/module/wrapper.go +++ b/metricbeat/mb/module/wrapper.go 
@@ -251,14 +251,14 @@ func (msw *metricSetWrapper) fetch(ctx context.Context, reporter reporter) { err := fetcher.Fetch(reporter.V2()) if err != nil { reporter.V2().Error(err) - logp.Err("Error fetching data for metricset %s.%s: %s", msw.module.Name(), msw.Name(), err) + logp.Info("Error fetching data for metricset %s.%s: %s", msw.module.Name(), msw.Name(), err) } case mb.ReportingMetricSetV2WithContext: reporter.StartFetchTimer() err := fetcher.Fetch(ctx, reporter.V2()) if err != nil { reporter.V2().Error(err) - logp.Err("Error fetching data for metricset %s.%s: %s", msw.module.Name(), msw.Name(), err) + logp.Info("Error fetching data for metricset %s.%s: %s", msw.module.Name(), msw.Name(), err) } default: panic(fmt.Sprintf("unexpected fetcher type for %v", msw)) diff --git a/metricbeat/module/docker/diskio/_meta/fields.yml b/metricbeat/module/docker/diskio/_meta/fields.yml index 74532058ec3..71f9e22859a 100644 --- a/metricbeat/module/docker/diskio/_meta/fields.yml +++ b/metricbeat/module/docker/diskio/_meta/fields.yml @@ -28,12 +28,17 @@ Total time to service IO requests, in nanoseconds - name: wait_time type: long - description: > + description: > Total time requests spent waiting in queues for service, in nanoseconds - name: queued type: long description: > Total number of queued requests + - name: reads + type: scaled_float + deprecated: 6.4 + description: > + Number of current reads per second - name: write type: group description: > @@ -58,12 +63,17 @@ Total time to service IO requests, in nanoseconds - name: wait_time type: long - description: > + description: > Total time requests spent waiting in queues for service, in nanoseconds - name: queued type: long description: > Total number of queued requests + - name: writes + type: scaled_float + deprecated: 6.4 + description: > + Number of current writes per second - name: summary type: group description: 
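Review bot: Fetch failures are now logged at info level while the message still reads `Error fetching data for metricset …`, in both the ReportingMetricSetV2 and ReportingMetricSetV2WithContext branches. Anything that alerts on or filters error-level metricbeat logs stops seeing fetch failures, even though the same error is still attached to the event through `reporter.V2().Error(err)`. If the intent is to avoid reporting the failure twice, `logp.Warn("Error fetching data for metricset %s.%s: %s", msw.module.Name(), msw.Name(), err)` keeps it visible at a severity that matches the text, or add a comment explaining why info is the right level; otherwise keep `logp.Err`. The enclosing switch and fetch() continue outside the hunk.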
> @@ -88,9 +98,14 @@ Total time to service IO requests, in nanoseconds - name: wait_time type: long - description: > + description: > Total time requests spent waiting in queues for service, in nanoseconds - name: queued type: long description: > Total number of queued requests + - name: total + type: scaled_float + deprecated: 6.4 + description: > + Number of reads and writes per second diff --git a/metricbeat/module/docker/diskio/data.go b/metricbeat/module/docker/diskio/data.go index 4d5ae9b0e5c..04665ca85cc 100644 --- a/metricbeat/module/docker/diskio/data.go +++ b/metricbeat/module/docker/diskio/data.go @@ -30,6 +30,9 @@ func eventsMapping(r mb.ReporterV2, blkioStatsList []BlkioStats) { func eventMapping(r mb.ReporterV2, stats *BlkioStats) { fields := common.MapStr{ + "reads": stats.reads, + "writes": stats.writes, + "total": stats.totals, "read": common.MapStr{ "ops": stats.serviced.reads, "bytes": stats.servicedBytes.reads, diff --git a/metricbeat/module/docker/fields.go b/metricbeat/module/docker/fields.go index 9c88da1e5b9..500a172a399 100644 --- a/metricbeat/module/docker/fields.go +++ b/metricbeat/module/docker/fields.go @@ -32,5 +32,5 @@ func init() { // AssetDocker returns asset data. // This is the base64 encoded zlib format compressed contents of module/docker. func AssetDocker() string { - return "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" + return "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" } diff --git a/metricbeat/module/docker/network/_meta/fields.yml b/metricbeat/module/docker/network/_meta/fields.yml index 68af440a9bf..035047eb091 100644 --- a/metricbeat/module/docker/network/_meta/fields.yml +++ b/metricbeat/module/docker/network/_meta/fields.yml 
@@ -9,6 +9,52 @@ type: keyword description: > Network interface name. + - name: in + type: group + deprecated: 6.4 + description: > + Incoming network stats per second. + fields: + - name: bytes + type: long + format: bytes + description: > + Total number of incoming bytes. + - name: dropped + type: scaled_float + description: > + Total number of dropped incoming packets. + - name: errors + type: long + description: > + Total errors on incoming packets. + - name: packets + type: long + description: > + Total number of incoming packets. + - name: out + type: group + deprecated: 6.4 + description: > + Outgoing network stats per second. + fields: + - name: bytes + type: long + format: bytes + description: > + Total number of outgoing bytes. + - name: dropped + type: scaled_float + description: > + Total number of dropped outgoing packets. + - name: errors + type: long + description: > + Total errors on outgoing packets. + - name: packets + type: long + description: > + Total number of outgoing packets. - name: inbound type: group description: > diff --git a/metricbeat/module/docker/network/data.go b/metricbeat/module/docker/network/data.go index c537032abb1..b4a2b90c405 100644 --- a/metricbeat/module/docker/network/data.go +++ b/metricbeat/module/docker/network/data.go @@ -33,6 +33,20 @@ func eventMapping(r mb.ReporterV2, stats *NetStats) { RootFields: stats.Container.ToMapStr(), MetricSetFields: common.MapStr{ "interface": stats.NameInterface, + // Deprecated + "in": common.MapStr{ + "bytes": stats.RxBytes, + "dropped": stats.RxDropped, + "errors": stats.RxErrors, + "packets": stats.RxPackets, + }, + // Deprecated + "out": common.MapStr{ + "bytes": stats.TxBytes, + "dropped": stats.TxDropped, + "errors": stats.TxErrors, + "packets": stats.TxPackets, + }, "inbound": common.MapStr{ "bytes": stats.Total.RxBytes, "dropped": stats.Total.RxDropped, 
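Review bot: The `// Deprecated` comments on the re-added `in` and `out` maps in network/data.go say neither since when nor what replaces them, while the fields.yml hunk above marks the same groups `deprecated: 6.4`. Carry that into the code: `// Deprecated since 6.4 (see _meta/fields.yml); superseded by the "inbound"/"outbound" groups below.` — "outbound" is assumed by analogy with the visible "inbound" key, confirm it. Re-introducing fields deprecated in 6.4 in a commit about OpenMetrics support also suggests this hunk comes from a stale base branch rather than from the feature itself.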
diff --git a/metricbeat/module/system/load/load.go b/metricbeat/module/system/load/load.go index 0a991542a7d..dd10d24cef1 100644 --- a/metricbeat/module/system/load/load.go +++ b/metricbeat/module/system/load/load.go @@ -20,11 +20,12 @@ package load import ( + "runtime" + "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/metric/system/cpu" - "github.com/elastic/beats/v7/libbeat/metric/system/numcpu" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" ) @@ -59,7 +60,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { normAvgs := load.NormalizedAverages() event := common.MapStr{ - "cores": numcpu.NumCPU(), + "cores": runtime.NumCPU(), "1": avgs.OneMinute, "5": avgs.FiveMinute, "15": avgs.FifteenMinute, diff --git a/monitors.d/plaintodos.yml b/monitors.d/plaintodos.yml deleted file mode 100644 index 5927ab74a0e..00000000000 --- a/monitors.d/plaintodos.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: Todos - id: todos - type: browser - enabled: true - schedule: "@every 3m" - tags: todos-app - params: - url: "https://elastic.github.io/synthetics-demo/" - source: - zip_url: - url: "https://github.com/elastic/synthetics-demo/archive/refs/heads/main.zip" - folder: "todos/synthetics-tests" diff --git a/testing/environments/docker/kafka/Dockerfile b/testing/environments/docker/kafka/Dockerfile index ff38db49e39..484b294c39a 100644 --- a/testing/environments/docker/kafka/Dockerfile +++ b/testing/environments/docker/kafka/Dockerfile 
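Review bot: `"cores": runtime.NumCPU()` in Fetch changes what the field reports: runtime.NumCPU returns the CPUs usable by this process as sampled once at startup (it follows the process affinity mask), so `cores` no longer tracks CPUs brought online or taken offline while metricbeat runs, which presumably is what the dropped `numcpu.NumCPU()` helper existed to handle — confirm against that package. If the swap is intentional, document it on the line, `// runtime.NumCPU is sampled at startup; hot-plugged CPUs are not reflected`, and mention the change in the changelog; otherwise keep the numcpu import. The rest of Fetch is outside the hunk.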
@@ -22,11 +22,7 @@ ADD healthcheck.sh /healthcheck.sh EXPOSE 9092 EXPOSE 2181 -# healthcheck.sh tries to create and delete an empty kafka topic (the topic -# string is based on the timestamp), and reports healthy if topic creation -# was successful. -# With these parameters, Docker will consider the container unhealthy if the -# Kafka server is unresponsive for 3 minutes. -HEALTHCHECK --start-period=10s --interval=5s --timeout=5s --retries=36 CMD /healthcheck.sh +# Healthcheck creates an empty topic foo. As soon as a topic is created, it assumes broke is available +HEALTHCHECK --interval=1s --retries=600 CMD /healthcheck.sh ENTRYPOINT ["/run.sh"] diff --git a/testing/environments/docker/kafka/healthcheck.sh b/testing/environments/docker/kafka/healthcheck.sh index 99e533c4634..feebbb8786d 100755 --- a/testing/environments/docker/kafka/healthcheck.sh +++ b/testing/environments/docker/kafka/healthcheck.sh @@ -8,5 +8,5 @@ if [[ $rc != 0 ]]; then exit $rc fi -${KAFKA_HOME}/bin/kafka-topics.sh --zookeeper=127.0.0.1:2181 --delete --topic "${TOPIC}" +${KAFKA_HOME}/bin/kafka-topic.sh --zookeeper=127.0.0.1:2181 --delete --topic "${TOPIC}" exit 0 diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc index 9bcda5fe195..367c8059a37 100644 --- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc 
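Review bot: The delete call is changed to `${KAFKA_HOME}/bin/kafka-topic.sh`, dropping the trailing s from the script name used on the removed line (and presumably by the create call earlier in the file, outside this hunk). Because the delete's exit status is not checked and the script ends with `exit 0`, the healthcheck still reports healthy but leaves the freshly created topic behind on every run, and the Dockerfile hunk above now runs it every second. Keep `${KAFKA_HOME}/bin/kafka-topics.sh --zookeeper=127.0.0.1:2181 --delete --topic "${TOPIC}"`, and consider appending `|| exit $?` so a failing delete surfaces instead of being masked. The new Dockerfile comment also says the topic is named foo, whereas the removed comment described a timestamp-based name; reconcile it with what the script actually does.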
@@ -83,10 +83,6 @@ - Disable monitoring during fleet-server bootstrapping. {pull}27222[27222] - Change output.elasticsearch.proxy_disabled flag to output.elasticsearch.proxy_disable so fleet uses it. {issue}27670[27670] {pull}27671[27671] - Add validation for certificate flags to ensure they are absolute paths. {pull}27779[27779] -- Migrate state on upgrade {pull}27825[27825] -- Add "_monitoring" suffix to monitoring instance names to remove ambiguity with the status command. {issue}25449[25449] -- Ignore ErrNotExists when fixing permissions. {issue}27836[27836] {pull}27846[27846] -- Snapshot artifact lookup will use agent.download proxy settings. {issue}27903[27903] {pull}27904[27904] ==== New features diff --git a/x-pack/elastic-agent/pkg/agent/application/application.go b/x-pack/elastic-agent/pkg/agent/application/application.go index e2f7a55ce3e..7806eb78688 100644 --- a/x-pack/elastic-agent/pkg/agent/application/application.go +++ b/x-pack/elastic-agent/pkg/agent/application/application.go @@ -15,7 +15,6 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/upgrade" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" @@ -31,7 +30,7 @@ type Application interface { } type reexecManager interface { - ReExec(callback reexec.ShutdownCallbackFn, argOverrides ...string) + ReExec(argOverrides ...string) } type upgraderControl interface { diff --git a/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_settings.go b/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_settings.go index efed0be97f7..e45ef26724f 100644 
--- a/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_settings.go +++ b/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_settings.go @@ -9,7 +9,6 @@ import ( "fmt" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/storage/store" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" @@ -17,7 +16,7 @@ import ( ) type reexecManager interface { - ReExec(cb reexec.ShutdownCallbackFn, argOverrides ...string) + ReExec(argOverrides ...string) } // Settings handles settings change coming from fleet and updates log level. @@ -62,7 +61,7 @@ func (h *Settings) Handle(ctx context.Context, a fleetapi.Action, acker store.Fl h.log.Errorf("failed to commit acker after acknowledging action with id '%s'", action.ActionID) } - h.reexec.ReExec(nil) + h.reexec.ReExec() return nil } diff --git a/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_upgrade.go b/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_upgrade.go index 2c39907d16d..b0e2b65ff3a 100644 --- a/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_upgrade.go +++ b/x-pack/elastic-agent/pkg/agent/application/pipeline/actions/handlers/handler_action_upgrade.go @@ -38,8 +38,7 @@ func (h *Upgrade) Handle(ctx context.Context, a fleetapi.Action, acker store.Fle return fmt.Errorf("invalid type, expected ActionUpgrade and received %T", a) } - _, err := h.upgrader.Upgrade(ctx, &upgradeAction{action}, true) - return err + return h.upgrader.Upgrade(ctx, &upgradeAction{action}, true) } type upgradeAction struct { 
diff --git a/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go b/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go index 5ccc870d948..b21bb9b8c46 100644 --- a/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go +++ b/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go @@ -5,7 +5,6 @@ package reexec import ( - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" ) @@ -13,7 +12,7 @@ import ( type ExecManager interface { // ReExec asynchronously re-executes command in the same PID and memory address // as the currently running application. - ReExec(callback ShutdownCallbackFn, argOverrides ...string) + ReExec(argOverrides ...string) // ShutdownChan returns the shutdown channel the main function should use to // handle shutdown of the current running application. @@ -32,9 +31,6 @@ type manager struct { complete chan bool } -// ShutdownCallbackFn is called once everything is shutdown and allows cleanup during reexec process. -type ShutdownCallbackFn func() error - // NewManager returns the reexec manager. func NewManager(log *logger.Logger, exec string) ExecManager { return &manager{ @@ -46,18 +42,11 @@ func NewManager(log *logger.Logger, exec string) ExecManager { } } -func (m *manager) ReExec(shutdownCallback ShutdownCallbackFn, argOverrides ...string) { +func (m *manager) ReExec(argOverrides ...string) { go func() { close(m.trigger) <-m.shutdown - if shutdownCallback != nil { - if err := shutdownCallback(); err != nil { - // panic; because there is no going back, everything is shutdown - panic(errors.New(errors.TypeUnexpected, err, "failure occured during shutdown cleanup")) - } - } - if err := reexec(m.logger, m.exec, argOverrides...); err != nil { // panic; because there is no going back, everything is shutdown panic(err) 
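Review bot: The ReExec hunk removes the `ShutdownCallbackFn` parameter and the cleanup it ran between `<-m.shutdown` and `reexec(...)`, and the same removal continues in upgrade.go on the following lines (including the whole `shutdownCallback`/`readProcessDirs`/`readDirs`/`copyDir` block and `upgrade_test.go`), then in run.go, status.go, status_test.go and server.go further down. None of this relates to OpenMetrics, and the CHANGELOG hunk just above drops the `Migrate state on upgrade {pull}27825` entry that describes exactly this behavior, so the branch looks like it was cut from a base that predates those commits and would silently revert them on merge. Rebasing onto current master should make these hunks disappear; if the removal is intended, it needs its own changelog entry and the process-state migration on upgrade has to be addressed explicitly. The goroutine body of ReExec is shown in full, but the manager type it belongs to is outside the hunk.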
diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go index 915106ad0e3..424cac6c9ff 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go @@ -12,11 +12,8 @@ import ( "path/filepath" "strings" - "github.com/otiai10/copy" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" @@ -65,7 +62,7 @@ type Action interface { } type reexecManager interface { - ReExec(callback reexec.ShutdownCallbackFn, argOverrides ...string) + ReExec(argOverrides ...string) } type acker interface { @@ -104,9 +101,8 @@ func (u *Upgrader) Upgradeable() bool { return u.upgradeable } -// Upgrade upgrades running agent, function returns shutdown callback if some needs to be executed for cases when -// reexec is called by caller. -func (u *Upgrader) Upgrade(ctx context.Context, a Action, reexecNow bool) (_ reexec.ShutdownCallbackFn, err error) { +// Upgrade upgrades running agent +func (u *Upgrader) Upgrade(ctx context.Context, a Action, reexecNow bool) (err error) { // report failed defer func() { if err != nil { @@ -117,14 +113,14 @@ func (u *Upgrader) Upgrade(ctx context.Context, a Action, reexecNow bool) (_ ree }() if !u.upgradeable { - return nil, fmt.Errorf( + return fmt.Errorf( "cannot be upgraded; must be installed with install sub-command and " + "running under control of the systems supervisor") } if u.caps != nil { if _, err := u.caps.Apply(a); err == capabilities.ErrBlocked { - return nil, nil + return nil } } 
@@ -133,16 +129,16 @@ func (u *Upgrader) Upgrade(ctx context.Context, a Action, reexecNow bool) (_ ree sourceURI, err := u.sourceURI(a.Version(), a.SourceURI()) archivePath, err := u.downloadArtifact(ctx, a.Version(), sourceURI) if err != nil { - return nil, err + return err } newHash, err := u.unpack(ctx, a.Version(), archivePath) if err != nil { - return nil, err + return err } if newHash == "" { - return nil, errors.New("unknown hash") + return errors.New("unknown hash") } if strings.HasPrefix(release.Commit(), newHash) { @@ -151,35 +147,32 @@ func (u *Upgrader) Upgrade(ctx context.Context, a Action, reexecNow bool) (_ ree u.ackAction(ctx, action) } u.log.Warn("upgrading to same version") - return nil, nil + return nil } if err := copyActionStore(newHash); err != nil { - return nil, errors.New(err, "failed to copy action store") + return errors.New(err, "failed to copy action store") } if err := ChangeSymlink(ctx, newHash); err != nil { rollbackInstall(ctx, newHash) - return nil, err + return err } if err := u.markUpgrade(ctx, newHash, a); err != nil { rollbackInstall(ctx, newHash) - return nil, err + return err } if err := InvokeWatcher(u.log); err != nil { rollbackInstall(ctx, newHash) - return nil, errors.New("failed to invoke rollback watcher", err) + return errors.New("failed to invoke rollback watcher", err) } - cb := shutdownCallback(u.log, paths.Home(), release.Version(), a.Version(), release.TrimCommit(newHash)) if reexecNow { - u.reexec.ReExec(cb) - return nil, nil + u.reexec.ReExec() } - - return cb, nil + return nil } // Ack acks last upgrade action 
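Review bot: In the first upgrade.go hunk on this line the error from `sourceURI, err := u.sourceURI(a.Version(), a.SourceURI())` is never inspected; the next statement `archivePath, err := u.downloadArtifact(ctx, a.Version(), sourceURI)` overwrites it, so whatever `sourceURI` rejected (presumably an invalid or disallowed download source — confirm against its implementation) still flows into the download with whatever value came back alongside the error. The commit only changes the return arity here, so this predates it, but since the function is being rewritten it is the moment to add `if err != nil { return err }` between the two calls. Upgrade()'s body starts and ends outside the hunk.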
@@ -284,79 +277,3 @@ func copyActionStore(newHash string) error { return nil } - -// shutdownCallback returns a callback function to be executing during shutdown once all processes are closed. -// this goes through runtime directory of agent and copies all the state files created by processes to new versioned -// home directory with updated process name to match new version. -func shutdownCallback(log *logger.Logger, homePath, prevVersion, newVersion, newHash string) reexec.ShutdownCallbackFn { - if release.Snapshot() { - // SNAPSHOT is part of newVersion - prevVersion += "-SNAPSHOT" - } - - return func() error { - runtimeDir := filepath.Join(homePath, "run") - processDirs, err := readProcessDirs(log, runtimeDir) - if err != nil { - return err - } - - oldHome := homePath - newHome := filepath.Join(filepath.Dir(homePath), fmt.Sprintf("%s-%s", agentName, newHash)) - for _, processDir := range processDirs { - newDir := strings.ReplaceAll(processDir, prevVersion, newVersion) - newDir = strings.ReplaceAll(newDir, oldHome, newHome) - if err := copyDir(processDir, newDir); err != nil { - return err - } - } - return nil - } -} - -func readProcessDirs(log *logger.Logger, runtimeDir string) ([]string, error) { - pipelines, err := readDirs(log, runtimeDir) - if err != nil { - return nil, err - } - - processDirs := make([]string, 0) - for _, p := range pipelines { - dirs, err := readDirs(log, p) - if err != nil { - return nil, err - } - - processDirs = append(processDirs, dirs...) - } - - return processDirs, nil -} - -// readDirs returns list of absolute paths to directories inside specified path. 
-func readDirs(log *logger.Logger, dir string) ([]string, error) { - dirEntries, err := os.ReadDir(dir) - if err != nil && !os.IsNotExist(err) { - return nil, err - } - - dirs := make([]string, 0, len(dirEntries)) - for _, de := range dirEntries { - if !de.IsDir() { - continue - } - - dirs = append(dirs, filepath.Join(dir, de.Name())) - } - - return dirs, nil -} - -func copyDir(from, to string) error { - return copy.Copy(from, to, copy.Options{ - OnSymlink: func(_ string) copy.SymlinkAction { - return copy.Shallow - }, - Sync: true, - }) -} diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade_test.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade_test.go deleted file mode 100644 index 81f57c85734..00000000000 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade_test.go +++ /dev/null 
@@ -1,56 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package upgrade - -import ( - "fmt" - "io/ioutil" - "os" - "path/filepath" - "strings" - "testing" - - "github.com/stretchr/testify/require" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" -) - -func TestShutdownCallback(t *testing.T) { - l, _ := logger.New("test", false) - tmpDir, err := ioutil.TempDir("", "shutdown-test-") - require.NoError(t, err) - defer os.RemoveAll(tmpDir) - - // make homepath agent consistent (in a form of elastic-agent-hash) - homePath := filepath.Join(tmpDir, fmt.Sprintf("%s-%s", agentName, release.ShortCommit())) - - filename := "file.test" - newCommit := "abc123" - sourceVersion := "7.14.0" - targetVersion := "7.15.0" - - content := []byte("content") - newHome := strings.ReplaceAll(homePath, release.ShortCommit(), newCommit) - sourceDir := filepath.Join(homePath, "run", "default", "process-"+sourceVersion) - targetDir := filepath.Join(newHome, "run", "default", "process-"+targetVersion) - - require.NoError(t, os.MkdirAll(sourceDir, 0755)) - require.NoError(t, os.MkdirAll(targetDir, 0755)) - - cb := shutdownCallback(l, homePath, sourceVersion, targetVersion, newCommit) - - oldFilename := filepath.Join(sourceDir, filename) - err = ioutil.WriteFile(oldFilename, content, 0640) - require.NoError(t, err, "preparing file failed") - - err = cb() - require.NoError(t, err, "callback failed") - - newFilename := filepath.Join(targetDir, filename) - newContent, err := ioutil.ReadFile(newFilename) - require.NoError(t, err, "reading file failed") - require.Equal(t, content, newContent, "contents are not equal") -} 
diff --git a/x-pack/elastic-agent/pkg/agent/cmd/run.go b/x-pack/elastic-agent/pkg/agent/cmd/run.go index d598460b22b..cf24a932a91 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/run.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/run.go @@ -172,7 +172,7 @@ func run(streams *cli.IOStreams, override cfgOverrider) error { case sig := <-signals: if sig == syscall.SIGHUP { rexLogger.Infof("SIGHUP triggered re-exec") - rex.ReExec(nil) + rex.ReExec() } else { breakout = true } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/status.go b/x-pack/elastic-agent/pkg/agent/cmd/status.go index d78e64d1e45..e14311f3e8a 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/status.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/status.go @@ -10,7 +10,6 @@ import ( "fmt" "io" "os" - "text/tabwriter" "time" "gopkg.in/yaml.v2" @@ -97,16 +96,14 @@ func humanOutput(w io.Writer, status *client.AgentStatus) error { fmt.Fprint(w, "Applications: (none)\n") } else { fmt.Fprint(w, "Applications:\n") - tw := tabwriter.NewWriter(w, 4, 1, 2, ' ', 0) for _, app := range status.Applications { - fmt.Fprintf(tw, " * %s\t(%s)\n", app.Name, app.Status) + fmt.Fprintf(w, " * %s\t(%s)\n", app.Name, app.Status) if app.Message == "" { - fmt.Fprint(tw, "\t(no message)\n") + fmt.Fprint(w, " (no message)\n") } else { - fmt.Fprintf(tw, "\t%s\n", app.Message) + fmt.Fprintf(w, " %s\n", app.Message) } } - tw.Flush() } return nil } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/status_test.go b/x-pack/elastic-agent/pkg/agent/cmd/status_test.go deleted file mode 100644 index 6c4aebed58b..00000000000 --- a/x-pack/elastic-agent/pkg/agent/cmd/status_test.go +++ /dev/null 
@@ -1,125 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package cmd - -import ( - "os" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client" -) - -var testStatus = &client.AgentStatus{ - Status: client.Healthy, - Message: "", - Applications: []*client.ApplicationStatus{{ - ID: "id_1", - Name: "filebeat", - Status: client.Healthy, - Message: "Running", - Payload: nil, - }, { - ID: "id_2", - Name: "metricbeat", - Status: client.Healthy, - Message: "Running", - Payload: nil, - }, { - ID: "id_3", - Name: "filebeat_monitoring", - Status: client.Healthy, - Message: "Running", - Payload: nil, - }, { - ID: "id_4", - Name: "metricbeat_monitoring", - Status: client.Healthy, - Message: "Running", - Payload: nil, - }, - }, -} - -func ExamplehumanOutput() { - humanOutput(os.Stdout, testStatus) - // Output: - // Status: HEALTHY - // Message: (no message) - // Applications: - // * filebeat (HEALTHY) - // Running - // * metricbeat (HEALTHY) - // Running - // * filebeat_monitoring (HEALTHY) - // Running - // * metricbeat_monitoring (HEALTHY) - // Running -} - -func ExamplejsonOutput() { - jsonOutput(os.Stdout, testStatus) - // Output: - // { - // "Status": 2, - // "Message": "", - // "Applications": [ - // { - // "ID": "id_1", - // "Name": "filebeat", - // "Status": 2, - // "Message": "Running", - // "Payload": null - // }, - // { - // "ID": "id_2", - // "Name": "metricbeat", - // "Status": 2, - // "Message": "Running", - // "Payload": null - // }, - // { - // "ID": "id_3", - // "Name": "filebeat_monitoring", - // "Status": 2, - // "Message": "Running", - // "Payload": null - // }, - // { - // "ID": "id_4", - // "Name": "metricbeat_monitoring", - // "Status": 2, - // "Message": "Running", - // "Payload": null - // } - // ] - // } -} - -func 
ExampleyamlOutput() {
- yamlOutput(os.Stdout, testStatus)
- // Output:
- // status: 2
- // message: ""
- // applications:
- // - id: id_1
- // name: filebeat
- // status: 2
- // message: Running
- // payload: {}
- // - id: id_2
- // name: metricbeat
- // status: 2
- // message: Running
- // payload: {}
- // - id: id_3
- // name: filebeat_monitoring
- // status: 2
- // message: Running
- // payload: {}
- // - id: id_4
- // name: metricbeat_monitoring
- // status: 2
- // message: Running
- // payload: {}
-}
diff --git a/x-pack/elastic-agent/pkg/agent/control/server/server.go b/x-pack/elastic-agent/pkg/agent/control/server/server.go
index 56f43a245fd..de7d5ca0f65 100644
--- a/x-pack/elastic-agent/pkg/agent/control/server/server.go
+++ b/x-pack/elastic-agent/pkg/agent/control/server/server.go
@@ -110,7 +110,7 @@ func (s *Server) Status(_ context.Context, _ *proto.Empty) (*proto.StatusRespons
 // Restart performs re-exec.
 func (s *Server) Restart(_ context.Context, _ *proto.Empty) (*proto.RestartResponse, error) {
- s.rex.ReExec(nil)
+ s.rex.ReExec()
 return &proto.RestartResponse{
 Status: proto.ActionStatus_SUCCESS,
 }, nil
@@ -128,7 +128,7 @@ func (s *Server) Upgrade(ctx context.Context, request *proto.UpgradeRequest) (*p
 Error: "cannot be upgraded; perform upgrading using Fleet",
 }, nil
 }
- cb, err := u.Upgrade(ctx, &upgradeRequest{request}, false)
+ err := u.Upgrade(ctx, &upgradeRequest{request}, false)
 if err != nil {
 return &proto.UpgradeResponse{
 Status: proto.ActionStatus_FAILURE,
@@ -139,7 +139,7 @@ func (s *Server) Upgrade(ctx context.Context, request *proto.UpgradeRequest) (*p
 // this ensures that the upgrade response over GRPC is returned
 go func() {
 <-time.After(time.Second)
- s.rex.ReExec(cb)
+ s.rex.ReExec()
 }()
 return &proto.UpgradeResponse{
 Status: proto.ActionStatus_SUCCESS,
diff --git a/x-pack/elastic-agent/pkg/agent/install/perms_unix.go b/x-pack/elastic-agent/pkg/agent/install/perms_unix.go
index 9a9a2638dfc..ff5cbe52763 100644
--- a/x-pack/elastic-agent/pkg/agent/install/perms_unix.go
+++ b/x-pack/elastic-agent/pkg/agent/install/perms_unix.go
@@ -7,7 +7,6 @@ package install
 import (
- "errors"
 "io/fs"
 "os"
 "path/filepath"
@@ -30,8 +29,6 @@ func recursiveRootPermissions(path string) error {
 }
 // remove any world permissions from the file
 err = os.Chmod(name, info.Mode().Perm()&0770)
- } else if errors.Is(err, fs.ErrNotExist) {
- return nil
 }
 return err
 })
diff --git a/x-pack/elastic-agent/pkg/agent/install/perms_windows.go b/x-pack/elastic-agent/pkg/agent/install/perms_windows.go
index 8ca5fd3057e..d755dc03265 100644
--- a/x-pack/elastic-agent/pkg/agent/install/perms_windows.go
+++ b/x-pack/elastic-agent/pkg/agent/install/perms_windows.go
@@ -7,7 +7,6 @@ package install
 import (
- "errors"
 "io/fs"
 "path/filepath"
@@ -31,8 +30,6 @@ func recursiveSystemAdminPermissions(path string) error {
 inherit = false
 }
 err = systemAdministratorsOnly(name, inherit)
- } else if errors.Is(err, fs.ErrNotExist) {
- return nil
 }
 return err
 })
diff --git a/x-pack/elastic-agent/pkg/agent/operation/operator.go b/x-pack/elastic-agent/pkg/agent/operation/operator.go
index 2cd68512606..922246050dd 100644
--- a/x-pack/elastic-agent/pkg/agent/operation/operator.go
+++ b/x-pack/elastic-agent/pkg/agent/operation/operator.go
@@ -305,11 +305,9 @@ func (o *Operator) getApp(p Descriptor) (Application, error) {
 var err error
 monitor := o.monitor
- appName := p.BinaryName()
 if app.IsSidecar(p) {
 // make watchers unmonitorable
 monitor = noop.NewMonitor()
- appName += "_monitoring"
 }
 if p.ServicePort() == 0 {
@@ -317,7 +315,7 @@ func (o *Operator) getApp(p Descriptor) (Application, error) {
 a, err = process.NewApplication(
 o.bgContext,
 p.ID(),
- appName,
+ p.BinaryName(),
 o.pipelineID,
 o.config.LoggingConfig.Level.String(),
 desc,
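Review bot: Dropping the `else if errors.Is(err, fs.ErrNotExist)` branch in recursiveRootPermissions means a path that vanishes between the directory listing and the walk callback now makes the function return that error and abort the walk, so entries after it keep whatever world permission bits the `os.Chmod(name, info.Mode().Perm()&0770)` line would have stripped; the same branch is removed from recursiveSystemAdminPermissions in perms_windows.go. If a missing entry is meant to fail the install from now on, a one-line comment above `return err` saying so would stop the next reader from re-adding the guard; otherwise keep `if errors.Is(err, fs.ErrNotExist) { return nil }` ahead of `return err` in both callbacks. Both walk callbacks start outside their hunks.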
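Review bot: With `appName += "_monitoring"` removed from getApp, a sidecar and the program it monitors are both created with `p.BinaryName()` as their name, so anything downstream that keys on the application name presumably can no longer tell the two apart; the hunk does not show how the name is consumed, so this may be intended. A comment inside the `if app.IsSidecar(p)` block such as `// sidecars share the parent's name; p.ID() remains the unique key` would record the decision. getApp continues outside the hunk.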
@@ -333,7 +331,7 @@ func (o *Operator) getApp(p Descriptor) (Application, error) {
 a, err = service.NewApplication(
 o.bgContext,
 p.ID(),
- appName,
+ p.BinaryName(),
 o.pipelineID,
 o.config.LoggingConfig.Level.String(),
 p.ServicePort(),
diff --git a/x-pack/elastic-agent/pkg/agent/program/supported.go b/x-pack/elastic-agent/pkg/agent/program/supported.go
index 9da40a4ae16..2e4289149f3 100644
--- a/x-pack/elastic-agent/pkg/agent/program/supported.go
+++ b/x-pack/elastic-agent/pkg/agent/program/supported.go
@@ -25,7 +25,7 @@ func init() {
 // spec/metricbeat.yml
 // spec/osquerybeat.yml
 // spec/packetbeat.yml
- unpacked := packer.MustUnpack("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")
+ unpacked := packer.MustUnpack("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")
 SupportedMap = make(map[string]Spec)
 for f, v := range unpacked {
diff --git a/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go b/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go
index a08295ba49b..acf6b32328f 100644
--- a/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go
+++ b/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go
@@ -7,9 +7,9 @@ package snapshot
 import (
 "encoding/json"
 "fmt"
+ gohttp "net/http"
 "strings"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download/http"
@@ -27,7 +27,7 @@ func NewDownloader(config *artifact.Config, versionOverride string) (download.Do
 }
 func snapshotConfig(config *artifact.Config, versionOverride string) (*artifact.Config, error) {
- snapshotURI, err := snapshotURI(versionOverride, config)
+ snapshotURI, err := snapshotURI(versionOverride)
 if err != nil {
 return nil, fmt.Errorf("failed to detect remote snapshot repo, proceeding with configured: %v", err)
 }
@@ -43,7 +43,7 @@ func snapshotConfig(config *artifact.Config, versionOverride string) (*artifact.
 }, nil
 }
-func snapshotURI(versionOverride string, config *artifact.Config) (string, error) {
+func snapshotURI(versionOverride string) (string, error) {
 version := release.Version()
 if versionOverride != "" {
 if strings.HasSuffix(versionOverride, "-SNAPSHOT") {
@@ -52,13 +52,8 @@ func snapshotURI(versionOverride string, config *artifact.Config) (string, error
 version = versionOverride
 }
- client, err := config.HTTPTransportSettings.Client(httpcommon.WithAPMHTTPInstrumentation())
- if err != nil {
- return "", err
- }
 artifactsURI := fmt.Sprintf("https://artifacts-api.elastic.co/v1/search/%s-SNAPSHOT/elastic-agent", version)
- resp, err := client.Get(artifactsURI)
+ resp, err := gohttp.Get(artifactsURI)
 if err != nil {
 return "", err
 }
diff --git a/x-pack/elastic-agent/pkg/release/version.go b/x-pack/elastic-agent/pkg/release/version.go
index 4cc161a9899..05f0063afdf 100644
--- a/x-pack/elastic-agent/pkg/release/version.go
+++ b/x-pack/elastic-agent/pkg/release/version.go
@@ -27,15 +27,6 @@ var allowEmptyPgp string
 // with upgrade without requiring Agent to be installed correctly
 var allowUpgrade string
-// TrimCommit trims commit up to 6 characters.
-func TrimCommit(commit string) string {
- hash := commit
- if len(hash) > hashLen {
- hash = hash[:hashLen]
- }
- return hash
-}
 // Commit returns the current build hash or unknown if it was not injected in the build process.
 func Commit() string {
 return libbeatVersion.Commit()
@@ -43,7 +34,11 @@ func Commit() string {
 // ShortCommit returns commit up to 6 characters.
 func ShortCommit() string {
- return TrimCommit(Commit())
+ hash := Commit()
+ if len(hash) > hashLen {
+ hash = hash[:hashLen]
+ }
+ return hash
 }
 // BuildTime returns the build time of the binaries.
diff --git a/x-pack/elastic-agent/spec/filebeat.yml b/x-pack/elastic-agent/spec/filebeat.yml
index af9fdf89e75..6f47c1ebdee 100644
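Review bot: `resp, err := gohttp.Get(artifactsURI)` goes through http.DefaultClient, which has no timeout, so a stalled connection to artifacts-api.elastic.co blocks snapshotURI, and whatever download waits on it, indefinitely; the removed lines took the client from `config.HTTPTransportSettings`, so proxy and TLS settings configured for artifact downloads are also no longer applied to this lookup. At minimum give the call a bound, e.g. `var snapshotClient = &gohttp.Client{Timeout: 30 * time.Second}` at package level and `resp, err := snapshotClient.Get(artifactsURI)` here (adding `time` to the imports); if the configured transport is meant to be honoured, the `config` parameter dropped from snapshotURI's signature in the hunk above needs to come back. Handling of the response body lies outside the hunk.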
--- a/x-pack/elastic-agent/spec/filebeat.yml +++ b/x-pack/elastic-agent/spec/filebeat.yml @@ -75,7 +75,6 @@ rules: - gcp-pubsub - http_endpoint - httpjson - - journald - kafka - log - mqtt diff --git a/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc b/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc index 0585f10d46e..6b5444be055 100644 --- a/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc @@ -466,7 +466,7 @@ Available transforms for request: [`append`, `delete`, `set`]. Can read state from: [`.last_response.*`, `.last_event.*`, `.cursor.*`, `.header.*`, `.url.*`, `.body.*`]. -Can write state to: [`body.*`, `header.*`, `url.*`]. +Can write state to: [`header.*`, `url.params.*`, `body.*`]. ["source","yaml",subs="attributes"] ---- @@ -566,11 +566,6 @@ Required if using split type of `string`. This is the sub string used to split Valid when used with `type: map`. When not empty, defines a new field where the original key value will be stored. -[float] -==== `response.split[].ignore_empty_value` - -If set to true, empty or missing value will be ignored and processing will pass on to the next nested split operation instead of failing with an error. Default: `false`. - [float] ==== `response.split[].split` diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 2fc7721ea27..b30193416cc 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -41,7 +41,7 @@ filebeat.modules: - module: activemq # Audit logs audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -49,7 +49,7 @@ filebeat.modules: # Application logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
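Review bot: Every fileset in filebeat.reference.yml is flipped from `enabled: false` to `enabled: true`, in this hunk and in all the following hunks of the file through the zeek block, so the reference config no longer documents the off-by-default state and anyone who copies it as a starting point turns on every module at once, including ones that need credentials and ones that open network listeners such as pensando's `var.syslog_host: 0.0.0.0` / `var.syslog_port: 9001` and cef's `syslog_port: 9003`; the newly added cyberark block is deprecated per its own comment yet also `enabled: true`. If this file is generated from the module `_meta` templates, the change should be made in the generator rather than in the output; either way the per-fileset `enabled: false` should be restored.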
@@ -462,7 +462,7 @@ filebeat.modules: - module: azure # All logs activitylogs: - enabled: false + enabled: true var: # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub eventhub: "insights-operational-logs" @@ -505,7 +505,7 @@ filebeat.modules: #------------------ Barracuda Web Application Firewall Module ------------------ - module: barracuda waf: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -524,7 +524,7 @@ filebeat.modules: # var.tz_offset: local spamfirewall: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -545,7 +545,7 @@ filebeat.modules: #-------------------------- Blue Coat Director Module -------------------------- - module: bluecoat director: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -566,7 +566,7 @@ filebeat.modules: #--------------------------------- CEF Module --------------------------------- - module: cef log: - enabled: false + enabled: true var: syslog_host: localhost syslog_port: 9003 @@ -582,7 +582,7 @@ filebeat.modules: #------------------------------ Checkpoint Module ------------------------------ - module: checkpoint firewall: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: syslog @@ -605,7 +605,7 @@ filebeat.modules: #-------------------------------- Cisco Module -------------------------------- - module: cisco asa: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: syslog @@ -631,7 +631,7 @@ filebeat.modules: #var.external_zones: [ "External" ] ftd: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: syslog 
@@ -657,7 +657,7 @@ filebeat.modules: #var.external_zones: [ "External" ] ios: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: syslog @@ -674,7 +674,7 @@ filebeat.modules: #var.paths: nexus: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -693,7 +693,7 @@ filebeat.modules: # var.tz_offset: local meraki: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -712,7 +712,7 @@ filebeat.modules: # var.tz_offset: local umbrella: - enabled: false + enabled: true #var.input: aws-s3 # AWS SQS queue url @@ -727,7 +727,7 @@ filebeat.modules: #var.api_timeout: 120s amp: - enabled: false + enabled: true # Set which input to use between httpjson (default) or file. #var.input: httpjson @@ -747,7 +747,7 @@ filebeat.modules: - module: coredns # Fileset for native deployment log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -757,16 +757,39 @@ filebeat.modules: - module: crowdstrike falcon: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: +#------------------------------ Cyber-Ark Module ------------------------------ +# The cyberark module is deprecated and will be removed in future releases. +# Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. +- module: cyberark + corepas: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9527 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #----------------------------- CyberArk PAS Module ----------------------------- - module: cyberarkpas audit: - enabled: false + enabled: true # Set which input to use between tcp (default), udp, or file. # @@ -792,7 +815,7 @@ filebeat.modules: #---------------------------- CylanceProtect Module ---------------------------- - module: cylance protect: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp 
@@ -814,32 +837,32 @@ filebeat.modules: - module: elasticsearch # Server log server: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: @@ -848,7 +871,7 @@ filebeat.modules: - module: envoyproxy # Fileset for native deployment log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -857,7 +880,7 @@ filebeat.modules: #--------------------- Big-IP Access Policy Manager Module --------------------- - module: f5 bigipapm: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -876,7 +899,7 @@ filebeat.modules: # var.tz_offset: local bigipafm: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -897,7 +920,7 @@ filebeat.modules: #------------------------------- Fortinet Module ------------------------------- - module: fortinet firewall: - enabled: false + enabled: true # Set which input to use between tcp, udp (default) or file. #var.input: udp 
@@ -920,7 +943,7 @@ filebeat.modules: #var.external_interfaces: [ "WAN" ] clientendpoint: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -939,7 +962,7 @@ filebeat.modules: # var.tz_offset: local fortimail: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -958,7 +981,7 @@ filebeat.modules: # var.tz_offset: local fortimanager: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -979,7 +1002,7 @@ filebeat.modules: #--------------------- Google Cloud Platform (GCP) Module --------------------- - module: gcp vpcflow: - enabled: false + enabled: true # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1007,7 +1030,7 @@ filebeat.modules: #var.internal_networks: [ "private" ] firewall: - enabled: false + enabled: true # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1034,7 +1057,7 @@ filebeat.modules: #var.internal_networks: [ "private" ] audit: - enabled: false + enabled: true # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1054,7 +1077,7 @@ filebeat.modules: #--------------------------- Google_workspace Module --------------------------- - module: google_workspace saml: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1062,7 +1085,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h user_accounts: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1070,7 +1093,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h login: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h 
@@ -1078,7 +1101,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h admin: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1086,7 +1109,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h drive: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1094,7 +1117,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h groups: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h 
@@ -1103,11 +1126,120 @@ filebeat.modules: # var.interval: 2h +#----------------------------- Googlecloud Module ----------------------------- +# googlecloud module is deprecated, please use gcp instead +- module: gcp + vpcflow: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be + # configured to use this topic as a sink for VPC flow logs. + var.topic: gcp-vpc-flowlogs + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-vpc-flowlogs-sub + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json + + firewall: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing firewall logs. Stackdriver must be + # configured to use this topic as a sink for firewall logs. + var.topic: gcp-vpc-firewall + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-firewall-sub + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json + + audit: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing firewall logs. Stackdriver must be + # configured to use this topic as a sink for firewall logs. + var.topic: gcp-vpc-audit + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-audit + + # Credentials file for the service account with authorization to read from + # the subscription. 
+ var.credentials_file: ${path.config}/gcp-service-account-xyz.json + +#-------------------------------- Gsuite Module -------------------------------- +# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. +- module: gsuite + saml: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + user_accounts: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + #------------------------------- HAProxy Module ------------------------------- - module: haproxy # All logs log: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: @@ -1120,7 +1252,7 @@ filebeat.modules: - module: ibmmq # All logs errorlog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
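Review bot: The block added under the `Googlecloud Module` header declares `- module: gcp` rather than a googlecloud module, so the file now carries two enabled `gcp` entries with the same `vpcflow`, `firewall` and `audit` filesets and identical `var.project_id`, `var.topic` and `var.subscription_name` values as the entry changed in the hunks at -979, -1007 and -1034. Either the module name under that header is wrong or the whole block is a duplicate and should be dropped. The same hunk also adds the `gsuite` module, whose own comment says it is deprecated in favour of Google Workspace, with all six filesets `enabled: true` alongside the google_workspace entries; in a reference config these should be `enabled: false` at most, with the deprecation comment kept.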
@@ -1193,7 +1325,7 @@ filebeat.modules: #------------------------- Imperva SecureSphere Module ------------------------- - module: imperva securesphere: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1214,7 +1346,7 @@ filebeat.modules: #---------------------------- Infoblox NIOS Module ---------------------------- - module: infoblox nios: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1235,7 +1367,7 @@ filebeat.modules: #------------------------------- Iptables Module ------------------------------- - module: iptables log: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: @@ -1247,7 +1379,7 @@ filebeat.modules: #---------------------------- Juniper JUNOS Module ---------------------------- - module: juniper junos: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1266,7 +1398,7 @@ filebeat.modules: # var.tz_offset: local netscreen: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1285,7 +1417,7 @@ filebeat.modules: # var.tz_offset: local srx: - enabled: false + enabled: true # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -1301,7 +1433,7 @@ filebeat.modules: - module: kafka # All logs log: - enabled: false + enabled: true # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. @@ -1315,7 +1447,7 @@ filebeat.modules: - module: kibana # Server logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1323,7 +1455,7 @@ filebeat.modules: # Audit logs audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -1351,7 +1483,7 @@ filebeat.modules: - module: microsoft # ATP configuration defender_atp: - enabled: false + enabled: true # How often the API should be polled #var.interval: 5m @@ -1364,7 +1496,7 @@ filebeat.modules: # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" m365_defender: - enabled: false + enabled: true # How often the API should be polled #var.interval: 5m @@ -1381,7 +1513,7 @@ filebeat.modules: #var.oauth2.scopes: # - "https://api.security.microsoft.com/.default" dhcp: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1404,7 +1536,7 @@ filebeat.modules: - module: misp threat: - enabled: false + enabled: true # API key to access MISP #var.api_key @@ -1435,7 +1567,7 @@ filebeat.modules: - module: mssql # Fileset for native deployment log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1470,7 +1602,7 @@ filebeat.modules: #--------------------------- MySQL Enterprise Module --------------------------- - module: mysqlenterprise audit: - enabled: false + enabled: true # Sets the input type. Currently only supports file #var.input: file @@ -1484,7 +1616,7 @@ filebeat.modules: - module: nats # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1493,7 +1625,7 @@ filebeat.modules: #------------------------------- NetFlow Module ------------------------------- - module: netflow log: - enabled: false + enabled: true var: netflow_host: localhost netflow_port: 2055 
@@ -1506,7 +1638,7 @@ filebeat.modules: #-------------------------- Arbor Peakflow SP Module -------------------------- - module: netscout sightline: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1561,7 +1693,7 @@ filebeat.modules: #------------------------------ Office 365 Module ------------------------------ - module: o365 audit: - enabled: false + enabled: true # Set the application_id (also known as client ID): var.application_id: "" @@ -1608,7 +1740,7 @@ filebeat.modules: #--------------------------------- Okta Module --------------------------------- - module: okta system: - enabled: false + enabled: true # You must configure the URL with your Okta domain and provide an # API token to access the logs API. #var.url: https://yourOktaDomain/api/v1/logs @@ -1617,7 +1749,7 @@ filebeat.modules: #-------------------------------- Oracle Module -------------------------------- - module: oracle database_audit: - enabled: false + enabled: true # Set which input to use between syslog or file (default). #var.input: file @@ -1627,9 +1759,9 @@ filebeat.modules: #var.paths: ["/home/user/oracleauditlogs/*.aud"] #------------------------------- Osquery Module ------------------------------- -#- module: osquery - #result: - #enabled: true +- module: osquery + result: + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1643,7 +1775,7 @@ filebeat.modules: #--------------------------------- Panw Module --------------------------------- - module: panw panos: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: @@ -1665,7 +1797,7 @@ filebeat.modules: - module: pensando # Firewall logs dfw: - enabled: false + enabled: true var.syslog_host: 0.0.0.0 var.syslog_port: 9001 
@@ -1690,7 +1822,7 @@ filebeat.modules: #---------------------- Proofpoint Email Security Module ---------------------- - module: proofpoint emailsecurity: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1712,7 +1844,7 @@ filebeat.modules: - module: rabbitmq # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1721,7 +1853,7 @@ filebeat.modules: #-------------------------- Radware DefensePro Module -------------------------- - module: radware defensepro: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1762,7 +1894,7 @@ filebeat.modules: #----------------------------- Google Santa Module ----------------------------- - module: santa log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: @@ -1770,7 +1902,7 @@ filebeat.modules: #--------------------------- Snort/Sourcefire Module --------------------------- - module: snort log: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1791,7 +1923,7 @@ filebeat.modules: #--------------------------------- Snyk Module --------------------------------- - module: snyk audit: - enabled: false + enabled: true # Set which input to use between httpjson (default) or file. #var.input: httpjson # @@ -1820,7 +1952,7 @@ filebeat.modules: #var.email_address: "" vulnerabilities: - enabled: false + enabled: true # Set which input to use between httpjson (default) or file. #var.input: httpjson # How often the API should be polled. Data from the Snyk API is automatically updated 
@@ -1895,7 +2027,7 @@ filebeat.modules: #----------------------------- Sonicwall-FW Module ----------------------------- - module: sonicwall firewall: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1916,7 +2048,7 @@ filebeat.modules: #-------------------------------- Sophos Module -------------------------------- - module: sophos xg: - enabled: false + enabled: true # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -1940,7 +2072,7 @@ filebeat.modules: utm: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1961,7 +2093,7 @@ filebeat.modules: #-------------------------------- Squid Module -------------------------------- - module: squid log: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1983,7 +2115,7 @@ filebeat.modules: - module: suricata # All logs eve: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1992,7 +2124,7 @@ filebeat.modules: #----------------------------- Threatintel Module ----------------------------- - module: threatintel abuseurl: - enabled: false + enabled: true # Input used for ingesting threat intel data. var.input: httpjson @@ -2004,7 +2136,7 @@ filebeat.modules: var.interval: 10m abusemalware: - enabled: false + enabled: true # Input used for ingesting threat intel data. var.input: httpjson @@ -2016,7 +2148,7 @@ filebeat.modules: var.interval: 10m malwarebazaar: - enabled: false + enabled: true # Input used for ingesting threat intel data. var.input: httpjson @@ -2028,7 +2160,7 @@ filebeat.modules: var.interval: 10m misp: - enabled: false + enabled: true # Input used for ingesting threat intel data, defaults to JSON. var.input: httpjson 
@@ -2057,7 +2189,7 @@ filebeat.modules: var.interval: 5m otx: - enabled: false + enabled: true # Input used for ingesting threat intel data var.input: httpjson @@ -2084,7 +2216,7 @@ filebeat.modules: var.interval: 5m anomali: - enabled: false + enabled: true # Input used for ingesting threat intel data var.input: httpjson @@ -2106,7 +2238,7 @@ filebeat.modules: var.interval: 5m anomalithreatstream: - enabled: false + enabled: true # Input used for ingesting threat intel data var.input: http_endpoint @@ -2131,7 +2263,7 @@ filebeat.modules: # var.ssl_key: path/to/ssl_key.pem recordedfuture: - enabled: false + enabled: true # Input used for ingesting threat intel data var.input: httpjson @@ -2165,7 +2297,7 @@ filebeat.modules: #---------------------------- Apache Tomcat Module ---------------------------- - module: tomcat log: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp 
@@ -2201,83 +2333,83 @@ filebeat.modules: #--------------------------------- Zeek Module --------------------------------- - module: zeek capture_loss: - enabled: false + enabled: true connection: - enabled: false + enabled: true dce_rpc: - enabled: false + enabled: true dhcp: - enabled: false + enabled: true dnp3: - enabled: false + enabled: true dns: - enabled: false + enabled: true dpd: - enabled: false + enabled: true files: - enabled: false + enabled: true ftp: - enabled: false + enabled: true http: - enabled: false + enabled: true intel: - enabled: false + enabled: true irc: - enabled: false + enabled: true kerberos: - enabled: false + enabled: true modbus: - enabled: false + enabled: true mysql: - enabled: false + enabled: true notice: - enabled: false + enabled: true ntp: - enabled: false + enabled: true ntlm: - enabled: false + enabled: true ocsp: - enabled: false + enabled: true pe: - enabled: false + enabled: true radius: - enabled: false + enabled: true rdp: - enabled: false + enabled: true rfb: - enabled: false + enabled: true signature: - enabled: false + enabled: true sip: - enabled: false + enabled: true smb_cmd: - enabled: false + enabled: true smb_files: - enabled: false + enabled: true smb_mapping: - enabled: false + enabled: true smtp: - enabled: false + enabled: true snmp: - enabled: false + enabled: true socks: - enabled: false + enabled: true ssh: - enabled: false + enabled: true ssl: - enabled: false + enabled: true stats: - enabled: false + enabled: true syslog: - enabled: false + enabled: true traceroute: - enabled: false + enabled: true tunnel: - enabled: false + enabled: true weird: - enabled: false + enabled: true x509: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
@@ -2287,14 +2419,14 @@ filebeat.modules: - module: zookeeper # All logs audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -2303,7 +2435,7 @@ filebeat.modules: #--------------------------------- Zoom Module --------------------------------- - module: zoom webhook: - enabled: false + enabled: true # The type of input to use #var.input: http_endpoint @@ -2324,7 +2456,7 @@ filebeat.modules: #----------------------------- Zscaler NSS Module ----------------------------- - module: zscaler zia: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index adfb028469c..995cc2a7a0e 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -24,6 +24,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cisco" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/coredns" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/crowdstrike" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberark" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberarkpas" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cylance" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/envoyproxy" 
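Review bot: Flipping `enabled: false` to `enabled: true` for the zoom `webhook` fileset, whose input is `http_endpoint`, makes the reference configuration document a network listener as the default-on state, and the same flip is applied to every fileset in this file, including the UDP/TCP syslog-style inputs (sonicwall, sophos, squid, zscaler) and the API pollers in threatintel that have no credentials configured. filebeat.reference.yml is generated from each module's `_meta/config.yml` (see the `GenerateDirModulesD`/`configYML` deps in the magefile hunk further down), so this looks like a side effect of the per-module defaults being changed rather than a deliberate edit to the reference. Shipped dataset configs are expected to stay `enabled: false` so that enabling a module does not open listeners or start polling before the operator has configured them. Unless every fileset is meant to be on, these lines should remain `enabled: false` and the file regenerated.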
@@ -31,6 +32,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/fortinet" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/gcp" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/google_workspace" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/gsuite" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/ibmmq" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/imperva" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/infoblox" diff --git a/x-pack/filebeat/input/awss3/config.go b/x-pack/filebeat/input/awss3/config.go index 404997ddc60..4e887003477 100644 --- a/x-pack/filebeat/input/awss3/config.go +++ b/x-pack/filebeat/input/awss3/config.go @@ -12,7 +12,6 @@ import ( "github.com/elastic/beats/v7/libbeat/common/cfgtype" "github.com/elastic/beats/v7/libbeat/common/match" - "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/reader/parser" "github.com/elastic/beats/v7/libbeat/reader/readfile" "github.com/elastic/beats/v7/libbeat/reader/readfile/encoding" @@ -51,8 +50,7 @@ func defaultConfig() config { func (c *config) Validate() error { if c.QueueURL == "" && c.BucketARN == "" { - logp.NewLogger(inputName).Warnf("neither queue_url nor bucket_arn were provided, input %s will stop", inputName) - return nil + return fmt.Errorf("queue_url or bucket_arn must provided") } if c.QueueURL != "" && c.BucketARN != "" { diff --git a/x-pack/filebeat/input/awss3/config_test.go b/x-pack/filebeat/input/awss3/config_test.go index cd75d4df19c..9fdf4c1dffb 100644 --- a/x-pack/filebeat/input/awss3/config_test.go +++ b/x-pack/filebeat/input/awss3/config_test.go @@ -92,7 +92,7 @@ func TestConfig(t *testing.T) { }, }, "", - func(queueURL, s3Bucket string) config { + func(queueURL, s3Bucketr string) config { c := makeConfig(queueURL, "") regex := match.MustCompile("/CloudTrail/") c.FileSelectors = []fileSelectorConfig{ 
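Review bot: The new error text in `Validate`, `queue_url or bucket_arn must provided`, is missing a verb; it is user-facing at startup and is pinned verbatim by the expectation in config_test.go, so both should read `queue_url or bucket_arn must be provided` (`errors.New` suffices since nothing is formatted). The import hunk above only drops `logp`; `fmt` has to already be imported in this file for the new return to compile, which is plausible given the neighbouring check but not visible here. This is also a behavioural change: a missing queue_url/bucket_arn now fails configuration validation and, per the docs section removed further down, prevents Filebeat from starting instead of stopping only this input, which affects AWS module users who leave unused filesets undefined; a changelog entry would help.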
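Review bot: The parameter rename `s3Bucket` → `s3Bucketr` in the config constructor closure of the CloudTrail file-selector case looks like a typo rather than an intentional rename; the parameter is unused in the body (`makeConfig(queueURL, "")`), so it compiles either way, but it reads as an accident. Restore `func(queueURL, s3Bucket string) config {` to match the sibling cases.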
@@ -112,10 +112,8 @@ func TestConfig(t *testing.T) { "queue_url": "", "bucket_arn": "", }, - "", - func(queueURL, s3Bucket string) config { - return makeConfig("", "") - }, + "queue_url or bucket_arn must provided", + nil, }, { "error on both queueURL and s3Bucket", diff --git a/x-pack/filebeat/input/httpjson/internal/v2/config_response.go b/x-pack/filebeat/input/httpjson/internal/v2/config_response.go index 1bc3056ab17..0bb51910387 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/config_response.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/config_response.go @@ -24,14 +24,13 @@ type responseConfig struct { } type splitConfig struct { - Target string `config:"target" validation:"required"` - Type string `config:"type"` - Transforms transformsConfig `config:"transforms"` - Split *splitConfig `config:"split"` - KeepParent bool `config:"keep_parent"` - KeyField string `config:"key_field"` - DelimiterString string `config:"delimiter"` - IgnoreEmptyValue bool `config:"ignore_empty_value"` + Target string `config:"target" validation:"required"` + Type string `config:"type"` + Transforms transformsConfig `config:"transforms"` + Split *splitConfig `config:"split"` + KeepParent bool `config:"keep_parent"` + KeyField string `config:"key_field"` + DelimiterString string `config:"delimiter"` } func (c *responseConfig) Validate() error { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/pagination.go b/x-pack/filebeat/input/httpjson/internal/v2/pagination.go index 6ea063a10af..de6261b3fd0 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/pagination.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/pagination.go 
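Review bot: Dropping the `ignore_empty_value` key from `splitConfig` is a user-visible config removal with no deprecation path in this hunk. Depending on how the config unpacker treats unknown keys, existing configurations that set `ignore_empty_value: true` will either be rejected at startup or be accepted silently with changed behaviour on empty or missing split targets; which of the two happens depends on the unpacker and is not visible here. If the removal is intended, add a breaking-change entry and consider keeping the field for one release with a deprecation log (`IgnoreEmptyValue bool \`config:"ignore_empty_value"\`` warning that it is no longer honoured) so operators notice.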
@@ -19,7 +19,7 @@ const paginationNamespace = "pagination" func registerPaginationTransforms() { registerTransform(paginationNamespace, appendName, newAppendPagination) registerTransform(paginationNamespace, deleteName, newDeletePagination) - registerTransform(paginationNamespace, setName, newSetRequestPagination) + registerTransform(paginationNamespace, setName, newSetPagination) } type pagination struct { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/request.go b/x-pack/filebeat/input/httpjson/internal/v2/request.go index 921b13b9ab7..6c223d746a9 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/request.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/request.go @@ -22,7 +22,7 @@ const requestNamespace = "request" func registerRequestTransforms() { registerTransform(requestNamespace, appendName, newAppendRequest) registerTransform(requestNamespace, deleteName, newDeleteRequest) - registerTransform(requestNamespace, setName, newSetRequestPagination) + registerTransform(requestNamespace, setName, newSetRequest) } type httpClient struct { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/split.go b/x-pack/filebeat/input/httpjson/internal/v2/split.go index 56c89f7f9ef..9cb686e63ad 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/split.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/split.go 
@@ -21,24 +21,18 @@ var ( errExpectedSplitString = errors.New("split was expecting field to be a string") ) -// split is a split processor chain element. Split processing is executed -// by applying elements of the chain's linked list to an input until completed -// or an error state is encountered. type split struct { - log *logp.Logger - targetInfo targetInfo - kind string - transforms []basicTransform - child *split - keepParent bool - ignoreEmptyValue bool - keyField string - isRoot bool - delimiter string + log *logp.Logger + targetInfo targetInfo + kind string + transforms []basicTransform + child *split + keepParent bool + keyField string + isRoot bool + delimiter string } -// newSplitResponse returns a new split based on the provided config and -// logging to the provided logger, tagging the split as the root of the chain. func newSplitResponse(cfg *splitConfig, log *logp.Logger) (*split, error) { if cfg == nil { return nil, nil @@ -48,13 +42,11 @@ func newSplitResponse(cfg *splitConfig, log *logp.Logger) (*split, error) { if err != nil { return nil, err } - // We want to be able to identify which split is the root of the chain. + // we want to be able to identify which split is the root of the chain split.isRoot = true return split, nil } -// newSplit returns a new split based on the provided config and -// logging to the provided logger. func newSplit(c *splitConfig, log *logp.Logger) (*split, error) { ti, err := getTargetInfo(c.Target) if err != nil { 
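Review bot: The new side of this hunk leaves the `split` type and `newSplitResponse` without doc comments, where the old side had them; the fields `kind`, `child`, `isRoot` and `delimiter` are not self-explanatory and `isRoot` only gets an inline comment in the following hunk. Restore a type comment such as `// split is one element of a split processor chain; processing applies the chain's linked list to an input until completed or an error state is encountered.` and `// newSplitResponse returns a split built from cfg, logging to log, tagged as the root of the chain.` The same doc comments are stripped from `newSplit`, `run`, `split`, `sendMessage` and `sendMessageSplitString` in the following hunks and should be kept there too.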
@@ -79,27 +71,22 @@ func newSplit(c *splitConfig, log *logp.Logger) (*split, error) { } return &split{ - log: log, - targetInfo: ti, - kind: c.Type, - keepParent: c.KeepParent, - ignoreEmptyValue: c.IgnoreEmptyValue, - keyField: c.KeyField, - delimiter: c.DelimiterString, - transforms: ts, - child: s, + log: log, + targetInfo: ti, + kind: c.Type, + keepParent: c.KeepParent, + keyField: c.KeyField, + delimiter: c.DelimiterString, + transforms: ts, + child: s, }, nil } -// run runs the split operation on the contents of resp, sending successive -// split results on ch. ctx is passed to transforms that are called during -// the split. func (s *split) run(ctx *transformContext, resp transformable, ch chan<- maybeMsg) error { root := resp.body() return s.split(ctx, root, ch) } -// split recursively executes the split processor chain. func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybeMsg) error { v, err := root.GetValue(s.targetInfo.Name) if err != nil && err != common.ErrKeyNotFound { @@ -107,12 +94,6 @@ func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybe } if v == nil { - if s.ignoreEmptyValue { - if s.child != nil { - return s.child.split(ctx, root, ch) - } - return nil - } if s.isRoot { return errEmptyRootField } @@ -128,12 +109,6 @@ func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybe } if len(varr) == 0 { - if s.ignoreEmptyValue { - if s.child != nil { - return s.child.split(ctx, root, ch) - } - return nil - } if s.isRoot { return errEmptyRootField } @@ -155,12 +130,6 @@ func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybe } if len(vmap) == 0 { - if s.ignoreEmptyValue { - if s.child != nil { - return s.child.split(ctx, root, ch) - } - return nil - } if s.isRoot { return errEmptyRootField } 
@@ -182,12 +151,6 @@ func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybe } if len(vstr) == 0 { - if s.ignoreEmptyValue { - if s.child != nil { - return s.child.split(ctx, root, ch) - } - return nil - } if s.isRoot { return errEmptyRootField } @@ -206,8 +169,6 @@ func (s *split) split(ctx *transformContext, root common.MapStr, ch chan<- maybe return errors.New("unknown split type") } -// sendMessage sends an array or map split result value, v, on ch after performing -// any necessary transformations. If key is "", the value is an element of an array. func (s *split) sendMessage(ctx *transformContext, root common.MapStr, key string, v interface{}, ch chan<- maybeMsg) error { obj, ok := toMapStr(v) if !ok { @@ -259,8 +220,6 @@ func toMapStr(v interface{}) (common.MapStr, bool) { return common.MapStr{}, false } -// sendMessage sends a string split result value, v, on ch after performing any -// necessary transformations. If key is "", the value is an element of an array. func (s *split) sendMessageSplitString(ctx *transformContext, root common.MapStr, v string, ch chan<- maybeMsg) error { clone := root.Clone() _, _ = clone.Put(s.targetInfo.Name, v) diff --git a/x-pack/filebeat/input/httpjson/internal/v2/split_test.go b/x-pack/filebeat/input/httpjson/internal/v2/split_test.go index c385771667b..2c53d0fcbe1 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/split_test.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/split_test.go 
@@ -354,270 +354,6 @@ func TestSplit(t *testing.T) { {"@timestamp": "1234567890", "items": "Line 3"}, }, }, - { - name: "An empty array in an object", - config: &splitConfig{ - Target: "body.response", - Type: "array", - Split: &splitConfig{ - Target: "body.Event.Attributes", - IgnoreEmptyValue: true, - KeepParent: true, - Split: &splitConfig{ - Target: "body.Event.OtherAttributes", - KeepParent: true, - }, - }, - }, - ctx: emptyTransformContext(), - resp: transformable{ - "body": common.MapStr{ - "response": []interface{}{ - map[string]interface{}{ - "Event": map[string]interface{}{ - "timestamp": "1606324417", - "Attributes": []interface{}{}, - "OtherAttributes": []interface{}{ - map[string]interface{}{ - "key": "value", - }, - map[string]interface{}{ - "key2": "value2", - }, - }, - }, - }, - }, - }, - }, - expectedMessages: []common.MapStr{ - { - "Event": common.MapStr{ - "timestamp": "1606324417", - "Attributes": []interface{}{}, - "OtherAttributes": common.MapStr{ - "key": "value", - }, - }, - }, - { - "Event": common.MapStr{ - "timestamp": "1606324417", - "Attributes": []interface{}{}, - "OtherAttributes": common.MapStr{ - "key2": "value2", - }, - }, - }, - }, - expectedErr: nil, - }, - { - name: "A missing array in an object", - config: &splitConfig{ - Target: "body.response", - Type: "array", - Split: &splitConfig{ - Target: "body.Event.Attributes", - IgnoreEmptyValue: true, - KeepParent: true, - Split: &splitConfig{ - Target: "body.Event.OtherAttributes", - KeepParent: true, - }, - }, - }, - ctx: emptyTransformContext(), - resp: transformable{ - "body": common.MapStr{ - "response": []interface{}{ - map[string]interface{}{ - "Event": map[string]interface{}{ - "timestamp": "1606324417", - "OtherAttributes": []interface{}{ - map[string]interface{}{ - "key": "value", - }, - map[string]interface{}{ - "key2": "value2", - }, - }, - }, - }, - }, - }, - }, - expectedMessages: []common.MapStr{ - { - "Event": common.MapStr{ - "timestamp": "1606324417", - 
"OtherAttributes": common.MapStr{ - "key": "value", - }, - }, - }, - { - "Event": common.MapStr{ - "timestamp": "1606324417", - "OtherAttributes": common.MapStr{ - "key2": "value2", - }, - }, - }, - }, - expectedErr: nil, - }, - { - name: "An empty map in an object", - config: &splitConfig{ - Target: "body.response", - Type: "array", - Split: &splitConfig{ - Target: "body.Event.Attributes", - Type: "map", - IgnoreEmptyValue: true, - KeepParent: true, - Split: &splitConfig{ - Type: "map", - Target: "body.Event.OtherAttributes", - KeepParent: true, - }, - }, - }, - ctx: emptyTransformContext(), - resp: transformable{ - "body": common.MapStr{ - "response": []interface{}{ - map[string]interface{}{ - "Event": map[string]interface{}{ - "timestamp": "1606324417", - "Attributes": map[string]interface{}{}, - "OtherAttributes": map[string]interface{}{ - // Only include a single item here to avoid - // map iteration order flakes. - "1": map[string]interface{}{ - "key": "value", - }, - }, - }, - }, - }, - }, - }, - expectedMessages: []common.MapStr{ - { - "Event": common.MapStr{ - "timestamp": "1606324417", - "Attributes": common.MapStr{}, - "OtherAttributes": common.MapStr{ - "key": "value", - }, - }, - }, - }, - expectedErr: nil, - }, - { - name: "A missing map in an object", - config: &splitConfig{ - Target: "body.response", - Type: "array", - Split: &splitConfig{ - Target: "body.Event.Attributes", - Type: "map", - IgnoreEmptyValue: true, - KeepParent: true, - Split: &splitConfig{ - Type: "map", - Target: "body.Event.OtherAttributes", - KeepParent: true, - }, - }, - }, - ctx: emptyTransformContext(), - resp: transformable{ - "body": common.MapStr{ - "response": []interface{}{ - map[string]interface{}{ - "Event": map[string]interface{}{ - "timestamp": "1606324417", - "OtherAttributes": map[string]interface{}{ - // Only include a single item here to avoid - // map iteration order flakes. 
- "1": map[string]interface{}{ - "key": "value", - }, - }, - }, - }, - }, - }, - }, - expectedMessages: []common.MapStr{ - { - "Event": common.MapStr{ - "timestamp": "1606324417", - "OtherAttributes": common.MapStr{ - "key": "value", - }, - }, - }, - }, - expectedErr: nil, - }, - { - name: "An empty string", - config: &splitConfig{ - Target: "body.items", - Type: "string", - DelimiterString: "\n", - IgnoreEmptyValue: true, - Split: &splitConfig{ - Target: "body.other_items", - Type: "string", - DelimiterString: "\n", - }, - }, - ctx: emptyTransformContext(), - resp: transformable{ - "body": common.MapStr{ - "@timestamp": "1234567890", - "items": "", - "other_items": "Line 1\nLine 2\nLine 3", - }, - }, - expectedMessages: []common.MapStr{ - {"@timestamp": "1234567890", "items": "", "other_items": "Line 1"}, - {"@timestamp": "1234567890", "items": "", "other_items": "Line 2"}, - {"@timestamp": "1234567890", "items": "", "other_items": "Line 3"}, - }, - }, - { - name: "A missing string", - config: &splitConfig{ - Target: "body.items", - Type: "string", - DelimiterString: "\n", - IgnoreEmptyValue: true, - Split: &splitConfig{ - Target: "body.other_items", - Type: "string", - DelimiterString: "\n", - }, - }, - ctx: emptyTransformContext(), - resp: transformable{ - "body": common.MapStr{ - "@timestamp": "1234567890", - "other_items": "Line 1\nLine 2\nLine 3", - }, - }, - expectedMessages: []common.MapStr{ - {"@timestamp": "1234567890", "other_items": "Line 1"}, - {"@timestamp": "1234567890", "other_items": "Line 2"}, - {"@timestamp": "1234567890", "other_items": "Line 3"}, - }, - }, } for _, tc := range cases { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/transform_set.go b/x-pack/filebeat/input/httpjson/internal/v2/transform_set.go index c38f1719faf..26a389c01da 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/transform_set.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/transform_set.go 
@@ -39,7 +39,7 @@ type set struct { func (set) transformName() string { return setName } -func newSetRequestPagination(cfg *common.Config, log *logp.Logger) (transform, error) { +func newSetRequest(cfg *common.Config, log *logp.Logger) (transform, error) { set, err := newSet(cfg, log) if err != nil { return nil, err @@ -52,8 +52,6 @@ func newSetRequestPagination(cfg *common.Config, log *logp.Logger) (transform, e set.runFunc = setHeader case targetURLParams: set.runFunc = setURLParams - case targetURLValue: - set.runFunc = setURLValue default: return nil, fmt.Errorf("invalid target type: %s", set.targetInfo.Type) } @@ -77,6 +75,28 @@ func newSetResponse(cfg *common.Config, log *logp.Logger) (transform, error) { return &set, nil } +func newSetPagination(cfg *common.Config, log *logp.Logger) (transform, error) { + set, err := newSet(cfg, log) + if err != nil { + return nil, err + } + + switch set.targetInfo.Type { + case targetBody: + set.runFunc = setBody + case targetHeader: + set.runFunc = setHeader + case targetURLParams: + set.runFunc = setURLParams + case targetURLValue: + set.runFunc = setURLValue + default: + return nil, fmt.Errorf("invalid target type: %s", set.targetInfo.Type) + } + + return &set, nil +} + func newSet(cfg *common.Config, log *logp.Logger) (set, error) { c := &setConfig{} if err := cfg.Unpack(c); err != nil { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/transform_set_test.go b/x-pack/filebeat/input/httpjson/internal/v2/transform_set_test.go index 6a3a2d8915c..a011302da33 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/transform_set_test.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/transform_set_test.go 
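Review bot: With `newSetRequest` no longer handling `targetURLValue`, a request-scoped `set` transform with `target: url.value` now fails with `invalid target type: url.value` instead of being applied, but the test table added in transform_set_test.go only checks the `cursor.foo` rejection for `newSetRequest`; add a case `{name: "newSetRequest rejects url value", constructor: newSetRequest, config: map[string]interface{}{"target": "url.value"}, expectedErr: "invalid target type: url.value"}` so the intended narrowing is pinned. `newSetRequest`, `newSetResponse` and `newSetPagination` now differ only in their accepted target set; a shared helper taking the allowed targets would avoid three near-identical switches, though that is a style preference.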
@@ -41,40 +41,72 @@ func TestNewSet(t *testing.T) { expectedErr: "invalid target: cursor.foo", }, { - name: "newSetRequestPagination targets body", - constructor: newSetRequestPagination, + name: "newSetRequest targets body", + constructor: newSetRequest, config: map[string]interface{}{ "target": "body.foo", }, expectedTarget: targetInfo{Name: "foo", Type: "body"}, }, { - name: "newSetRequestPagination targets header", - constructor: newSetRequestPagination, + name: "newSetRequest targets header", + constructor: newSetRequest, config: map[string]interface{}{ "target": "header.foo", }, expectedTarget: targetInfo{Name: "foo", Type: "header"}, }, { - name: "newSetRequestPagination targets url param", - constructor: newSetRequestPagination, + name: "newSetRequest targets url param", + constructor: newSetRequest, config: map[string]interface{}{ "target": "url.params.foo", }, expectedTarget: targetInfo{Name: "foo", Type: "url.params"}, }, { - name: "newSetRequestPagination targets url value", - constructor: newSetRequestPagination, + name: "newSetRequest targets something else", + constructor: newSetRequest, + config: map[string]interface{}{ + "target": "cursor.foo", + }, + expectedErr: "invalid target: cursor.foo", + }, + { + name: "newSetPagination targets body", + constructor: newSetPagination, + config: map[string]interface{}{ + "target": "body.foo", + }, + expectedTarget: targetInfo{Name: "foo", Type: "body"}, + }, + { + name: "newSetPagination targets header", + constructor: newSetPagination, + config: map[string]interface{}{ + "target": "header.foo", + }, + expectedTarget: targetInfo{Name: "foo", Type: "header"}, + }, + { + name: "newSetPagination targets url param", + constructor: newSetPagination, + config: map[string]interface{}{ + "target": "url.params.foo", + }, + expectedTarget: targetInfo{Name: "foo", Type: "url.params"}, + }, + { + name: "newSetPagination targets url value", + constructor: newSetPagination, config: map[string]interface{}{ "target": 
"url.value", }, expectedTarget: targetInfo{Type: "url.value"}, }, { - name: "newSetRequestPagination targets something else", - constructor: newSetRequestPagination, + name: "newSetPagination targets something else", + constructor: newSetPagination, config: map[string]interface{}{ "target": "cursor.foo", }, diff --git a/x-pack/filebeat/input/httpjson/internal/v2/transform_test.go b/x-pack/filebeat/input/httpjson/internal/v2/transform_test.go index 2ac43b3faf9..dbc788e6001 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/transform_test.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/transform_test.go @@ -46,7 +46,7 @@ func TestTransformableClone(t *testing.T) { } func TestNewTransformsFromConfig(t *testing.T) { - registerTransform("test", setName, newSetRequestPagination) + registerTransform("test", setName, newSetRequest) t.Cleanup(func() { registeredTransforms = newRegistry() }) cases := []struct { @@ -126,7 +126,7 @@ func TestNewBasicTransformsFromConfig(t *testing.T) { return fakeTransform{}, nil } - registerTransform("test", setName, newSetRequestPagination) + registerTransform("test", setName, newSetRequest) registerTransform("test", "fake", fakeConstr) t.Cleanup(func() { registeredTransforms = newRegistry() }) diff --git a/x-pack/filebeat/magefile.go b/x-pack/filebeat/magefile.go index c4532d5f56a..9c7f436e2e4 100644 --- a/x-pack/filebeat/magefile.go +++ b/x-pack/filebeat/magefile.go @@ -45,12 +45,12 @@ func Build() error { // GolangCrossBuild builds the Beat binary inside of the golang-builder. // Do not use directly, use crossBuild instead. func GolangCrossBuild() error { - return filebeat.GolangCrossBuild() + return devtools.GolangCrossBuild(devtools.DefaultGolangCrossBuildArgs()) } // CrossBuild cross-builds the beat for all target platforms. func CrossBuild() error { - return filebeat.CrossBuild() + return devtools.CrossBuild() } // BuildGoDaemon builds the go-daemon binary (use crossBuildGoDaemon). 
@@ -130,7 +130,6 @@ func ExportDashboard() error { // Config generates both the short and reference configs. func Config() { mg.Deps(configYML, devtools.GenerateDirModulesD) - mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled) } func configYML() error { diff --git a/x-pack/filebeat/module/activemq/_meta/config.yml b/x-pack/filebeat/module/activemq/_meta/config.yml index 8c965bd1a8e..593c6c1632d 100644 --- a/x-pack/filebeat/module/activemq/_meta/config.yml +++ b/x-pack/filebeat/module/activemq/_meta/config.yml @@ -1,7 +1,7 @@ - module: activemq # Audit logs audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Application logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/aws/_meta/docs.asciidoc b/x-pack/filebeat/module/aws/_meta/docs.asciidoc index f852da55a41..a36b1bd599b 100644 --- a/x-pack/filebeat/module/aws/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/aws/_meta/docs.asciidoc 
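Review bot: Removing `mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled)` from `Config` drops the build-time check that, judging by its name, verifies every dataset in the generated modules.d files is disabled, and in the same commit the module `_meta/config.yml` files switch their datasets to `enabled: true` (activemq below, and every fileset in filebeat.reference.yml above), which is exactly what that validation would reject. Unless the intent is to change the shipped default, keep the validation step and fix the module configs instead. If the default flip is intended, it is a breaking and security-relevant change, since enabling a module would immediately start its UDP/TCP or HTTP listeners and API pollers, and needs a changelog entry. Restore: `mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled)`.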
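Review bot: Both activemq filesets (`audit` and `log`) are switched to `enabled: true` in the module's `_meta/config.yml`, which (per the `GenerateDirModulesD` dependency in the magefile hunk above) feeds the generated modules.d config and the reference config; shipped module configs keep datasets off so that enabling the module does not start filesets the operator has not chosen, and the validation step removed in the preceding hunk would likely have flagged this. Keep `enabled: false` for both filesets and let users opt in individually.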
@@ -192,29 +192,6 @@ Required when using temporary security credentials. *`var.role_arn`*:: AWS IAM Role to assume. -[float] -=== config behaviour -Beware that in case both `var.queue_url` and `var.bucket_arn` are not set -instead of failing to start Filebeat with a config validation error, only the -specific fileset input will be stopped and a warning printed: -``` -2021-08-26T14:33:03.661-0600 WARN [aws-s3] awss3/config.go:54 neither queue_url nor bucket_arn were provided, input aws-s3 will stop -2021-08-26T14:33:10.668-0600 INFO [input.aws-s3] compat/compat.go:111 Input aws-s3 starting {"id": "29F3565F5B2A7070"} -2021-08-26T14:33:10.668-0600 INFO [input.aws-s3] compat/compat.go:124 Input 'aws-s3' stopped {"id": "29F3565F5B2A7070"} -``` - -This behaviour is required in order to reduce destruction of existing Filebeat setup -where not all AWS module's filesets are defined and will change in next major release. - -Setting `enabled: false` in the unused fileset will silence the warning and it is -the suggested setup. For example (assuming `cloudtrail` as unused fileset): -``` -- module: aws - cloudtrail: - enabled: false - -``` - [float] === cloudtrail fileset diff --git a/x-pack/filebeat/module/aws/_meta/kibana/7/map/0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json b/x-pack/filebeat/module/aws/_meta/kibana/7/map/0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json index 3f128a002ea..5082eae2c9e 100644 --- a/x-pack/filebeat/module/aws/_meta/kibana/7/map/0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json +++ b/x-pack/filebeat/module/aws/_meta/kibana/7/map/0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json 
@@ -1,154 +1,8 @@ { "attributes": { "description": "", - "layerListJSON": [ - { - "alpha": 1, - "id": "19047c4c-18d7-4aec-b0ce-98de2828244d", - "label": "Hits", - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "isAutoSelect": true, - "type": "EMS_TMS" - }, - "style": {}, - "type": "VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "id": "1d457cd4-01be-4f96-95fd-af4ac535ebea", - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "applyGlobalQuery": true, - "geoField": "source.geo.location", - "id": "1e82f50f-424a-4718-905b-ad45db14db62", - "indexPatternRefName": "layer_1_source_index_pattern", - "requestType": "point", - "resolution": "COARSE", - "type": "ES_GEO_GRID" - }, - "style": { - "properties": { - "fillColor": { - "options": { - "color": "Blues", - "field": { - "label": "count", - "name": "doc_count", - "origin": "source" - }, - "fieldMetaOptions": { - "isEnabled": false, - "sigma": 3 - } - }, - "type": "DYNAMIC" - }, - "icon": { - "options": { - "value": "airfield" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "field": { - "label": "count", - "name": "doc_count", - "origin": "source" - }, - "fieldMetaOptions": { - "isEnabled": false, - "sigma": 3 - }, - "maxSize": 32, - "minSize": 4 - }, - "type": "DYNAMIC" - }, - "lineColor": { - "options": { - "color": "#167a6d" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { - "size": 1 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - } - ], - "mapStateJSON": { - "center": { - "lat": 50.97903, - "lon": 13.666 - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "filebeat-*", - "key": "fileset.name", - "negate": false, - "params": { - "query": "elb" - }, - "type": "phrase", - "value": 
"elb" - }, - "query": { - "match": { - "fileset.name": { - "query": "elb", - "type": "phrase" - } - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "refreshConfig": { - "interval": 0, - "isPaused": false - }, - "settings": { - "autoFitToDataBounds": false - }, - "timeFilters": { - "from": "now-15m", - "to": "now" - }, - "zoom": 3.9 - }, + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"19047c4c-18d7-4aec-b0ce-98de2828244d\",\"label\":\"Hits\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"id\":\"1e82f50f-424a-4718-905b-ad45db14db62\",\"geoField\":\"source.geo.location\",\"requestType\":\"point\",\"resolution\":\"COARSE\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"applyGlobalQuery\":true},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"label\":\"count\",\"name\":\"doc_count\",\"origin\":\"source\"},\"color\":\"Blues\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#167a6d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"label\":\"count\",\"name\":\"doc_count\",\"origin\":\"source\"},\"minSize\":4,\"maxSize\":32,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}}}},\"id\":\"1d457cd4-01be-4f96-95fd-af4ac535ebea\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\"}]", + "mapStateJSON": 
"{\"zoom\":3.9,\"center\":{\"lon\":13.666,\"lat\":50.97903},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"filebeat-*\",\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"fileset.name\",\"value\":\"elb\",\"params\":{\"query\":\"elb\"}},\"query\":{\"match\":{\"fileset.name\":{\"query\":\"elb\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"settings\":{\"autoFitToDataBounds\":false}}", "title": "ELB Requests Geolocation [Filebeat AWS] ECS", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/aws/_meta/kibana/7/map/513a3d70-4482-11ea-ad63-791a5dc86f10.json b/x-pack/filebeat/module/aws/_meta/kibana/7/map/513a3d70-4482-11ea-ad63-791a5dc86f10.json index 94698371beb..558f5987a06 100644 --- a/x-pack/filebeat/module/aws/_meta/kibana/7/map/513a3d70-4482-11ea-ad63-791a5dc86f10.json +++ b/x-pack/filebeat/module/aws/_meta/kibana/7/map/513a3d70-4482-11ea-ad63-791a5dc86f10.json 
@@ -1,189 +1,8 @@ { "attributes": { "description": "", - "layerListJSON": [ - { - "alpha": 1, - "id": "842c201e-96d7-413d-8688-de5ee4f8a1e0", - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "isAutoSelect": true, - "type": "EMS_TMS" - }, - "style": {}, - "type": "VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "id": "401944dd-a371-4698-be17-bc4542e9a5d4", - "label": "vpc flow action accept", - "maxZoom": 24, - "minZoom": 0, - "query": { - "language": "kuery", - "query": "aws.vpcflow.action : \"ACCEPT\" " - }, - "sourceDescriptor": { - "applyGlobalQuery": true, - "filterByMapBounds": true, - "geoField": "destination.geo.location", - "id": "97903038-e08d-4451-bbd2-eb92c894bdf5", - "indexPatternRefName": "layer_1_source_index_pattern", - "scalingType": "LIMIT", - "sortField": "@timestamp", - "sortOrder": "desc", - "tooltipProperties": [], - "topHitsSize": 1, - "type": "ES_SEARCH" - }, - "style": { - "properties": { - "fillColor": { - "options": { - "color": "#1EA593" - }, - "type": "STATIC" - }, - "icon": { - "options": { - "value": "airfield" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "size": 5 - }, - "type": "STATIC" - }, - "lineColor": { - "options": { - "color": "#167a6d" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { - "size": 1 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - }, - { - "alpha": 0.75, - "id": "b1d44a5c-3a04-4c80-8080-57585b02fd48", - "label": "vpc flow action reject", - "maxZoom": 24, - "minZoom": 0, - "query": { - "language": "kuery", - "query": "aws.vpcflow.action : \"REJECT\" " - }, - "sourceDescriptor": { - "applyGlobalQuery": true, - "filterByMapBounds": true, - "geoField": "source.geo.location", - "id": "9c0e7cce-4f21-4bcd-bb50-ae36c0fffffb", - "indexPatternRefName": 
"layer_2_source_index_pattern", - "scalingType": "LIMIT", - "sortField": "@timestamp", - "sortOrder": "desc", - "tooltipProperties": [], - "topHitsSize": 1, - "type": "ES_SEARCH" - }, - "style": { - "properties": { - "fillColor": { - "options": { - "color": "#f00f0b" - }, - "type": "STATIC" - }, - "icon": { - "options": { - "value": "airfield" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "size": 5 - }, - "type": "STATIC" - }, - "lineColor": { - "options": { - "color": "#7a1a18" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { - "size": 1 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - } - ], - "mapStateJSON": { - "center": { - "lat": 0, - "lon": -108.92402 - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "refreshConfig": { - "interval": 0, - "isPaused": false - }, - "settings": { - "autoFitToDataBounds": false - }, - "timeFilters": { - "from": "now-15d", - "to": "now" - }, - "zoom": 0.47 - }, + "layerListJSON": 
"[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"842c201e-96d7-413d-8688-de5ee4f8a1e0\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"97903038-e08d-4451-bbd2-eb92c894bdf5\",\"type\":\"ES_SEARCH\",\"geoField\":\"destination.geo.location\",\"filterByMapBounds\":true,\"tooltipProperties\":[],\"topHitsSize\":1,\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#1EA593\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#167a6d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":5}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}}}},\"id\":\"401944dd-a371-4698-be17-bc4542e9a5d4\",\"label\":\"vpc flow action accept\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"query\":{\"query\":\"aws.vpcflow.action : \\\"ACCEPT\\\" 
\",\"language\":\"kuery\"}},{\"sourceDescriptor\":{\"id\":\"9c0e7cce-4f21-4bcd-bb50-ae36c0fffffb\",\"type\":\"ES_SEARCH\",\"geoField\":\"source.geo.location\",\"filterByMapBounds\":true,\"tooltipProperties\":[],\"topHitsSize\":1,\"indexPatternRefName\":\"layer_2_source_index_pattern\",\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#f00f0b\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#7a1a18\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":5}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}}}},\"id\":\"b1d44a5c-3a04-4c80-8080-57585b02fd48\",\"label\":\"vpc flow action reject\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"query\":{\"query\":\"aws.vpcflow.action : \\\"REJECT\\\" \",\"language\":\"kuery\"}}]", + "mapStateJSON": "{\"zoom\":0.47,\"center\":{\"lon\":-108.92402,\"lat\":0},\"timeFilters\":{\"from\":\"now-15d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false}}", "title": "VPC Flow Action Geo Location[Filebeat AWS]", "uiStateJSON": { "isLayerTOCOpen": false, diff --git a/x-pack/filebeat/module/aws/_meta/kibana/7/map/dae24080-739a-11ea-a345-f985c61fe654.json b/x-pack/filebeat/module/aws/_meta/kibana/7/map/dae24080-739a-11ea-a345-f985c61fe654.json index a1b23ec8fbe..1908bdc747b 100644 --- a/x-pack/filebeat/module/aws/_meta/kibana/7/map/dae24080-739a-11ea-a345-f985c61fe654.json +++ b/x-pack/filebeat/module/aws/_meta/kibana/7/map/dae24080-739a-11ea-a345-f985c61fe654.json 
@@ -1,148 +1,8 @@ { "attributes": { "description": "", - "layerListJSON": [ - { - "alpha": 1, - "id": "2c7b49fb-3fb5-4e18-b27f-fabe930971f3", - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "isAutoSelect": true, - "type": "EMS_TMS" - }, - "style": {}, - "type": "VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "id": "a10fa758-30ad-4e2a-bf9d-472e133a7f17", - "joins": [], - "label": "CloudTrail Soure Location", - "maxZoom": 24, - "minZoom": 0, - "query": { - "language": "kuery", - "query": "event.dataset:aws.cloudtrail" - }, - "sourceDescriptor": { - "applyGlobalQuery": true, - "filterByMapBounds": true, - "geoField": "source.geo.location", - "id": "7bfe2df9-9398-4f1a-8cf7-b57aa5f3f31e", - "indexPatternRefName": "layer_1_source_index_pattern", - "scalingType": "LIMIT", - "sortField": "", - "sortOrder": "desc", - "tooltipProperties": [], - "topHitsSize": 1, - "type": "ES_SEARCH" - }, - "style": { - "isTimeAware": true, - "properties": { - "fillColor": { - "options": { - "color": "#54B399" - }, - "type": "STATIC" - }, - "icon": { - "options": { - "value": "marker" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "size": 6 - }, - "type": "STATIC" - }, - "labelBorderColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "labelBorderSize": { - "options": { - "size": "SMALL" - } - }, - "labelColor": { - "options": { - "color": "#000000" - }, - "type": "STATIC" - }, - "labelSize": { - "options": { - "size": 14 - }, - "type": "STATIC" - }, - "labelText": { - "options": { - "value": "" - }, - "type": "STATIC" - }, - "lineColor": { - "options": { - "color": "#41937c" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { - "size": 1 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - } - ], - "mapStateJSON": 
{ - "center": { - "lat": 19.94277, - "lon": 0 - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "refreshConfig": { - "interval": 0, - "isPaused": false - }, - "settings": { - "autoFitToDataBounds": false - }, - "timeFilters": { - "from": "now-15m", - "to": "now" - }, - "zoom": 1.97 - }, + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"2c7b49fb-3fb5-4e18-b27f-fabe930971f3\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"7bfe2df9-9398-4f1a-8cf7-b57aa5f3f31e\",\"geoField\":\"source.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"LIMIT\",\"topHitsSize\":1,\"type\":\"ES_SEARCH\",\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"a10fa758-30ad-4e2a-bf9d-472e133a7f17\",\"label\":\"CloudTrail Soure 
Location\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[],\"query\":{\"query\":\"event.dataset:aws.cloudtrail\",\"language\":\"kuery\"}}]", + "mapStateJSON": "{\"zoom\":1.97,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false}}", "title": "CloudTrail Source Location [Filebeat AWS]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/azure/_meta/config.yml b/x-pack/filebeat/module/azure/_meta/config.yml index 02f06ae956d..fdea9b1f252 100644 --- a/x-pack/filebeat/module/azure/_meta/config.yml +++ b/x-pack/filebeat/module/azure/_meta/config.yml @@ -1,7 +1,7 @@ - module: azure # All logs activitylogs: - enabled: false + enabled: true var: # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub eventhub: "insights-operational-logs" diff --git a/x-pack/filebeat/module/barracuda/_meta/config.yml b/x-pack/filebeat/module/barracuda/_meta/config.yml index c6e7a48e75b..36ecc93be83 100644 --- a/x-pack/filebeat/module/barracuda/_meta/config.yml +++ b/x-pack/filebeat/module/barracuda/_meta/config.yml @@ -1,6 +1,6 @@ - module: barracuda waf: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -19,7 +19,7 @@ # var.tz_offset: local spamfirewall: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/bluecoat/_meta/config.yml b/x-pack/filebeat/module/bluecoat/_meta/config.yml index 76056292f7b..b4c71666b1c 100644 --- a/x-pack/filebeat/module/bluecoat/_meta/config.yml +++ b/x-pack/filebeat/module/bluecoat/_meta/config.yml 
@@ -1,6 +1,6 @@ - module: bluecoat director: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/cef/_meta/config.yml b/x-pack/filebeat/module/cef/_meta/config.yml index 53a29aa10ba..1b9ff319441 100644 --- a/x-pack/filebeat/module/cef/_meta/config.yml +++ b/x-pack/filebeat/module/cef/_meta/config.yml @@ -1,6 +1,6 @@ - module: cef log: - enabled: false + enabled: true var: syslog_host: localhost syslog_port: 9003 diff --git a/x-pack/filebeat/module/checkpoint/_meta/config.yml b/x-pack/filebeat/module/checkpoint/_meta/config.yml index 69357058b66..8ed0c7d11c2 100644 --- a/x-pack/filebeat/module/checkpoint/_meta/config.yml +++ b/x-pack/filebeat/module/checkpoint/_meta/config.yml @@ -1,6 +1,6 @@ - module: checkpoint firewall: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: syslog diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index 3fd735c050d..3af897a1225 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml @@ -1,6 +1,6 @@ - module: cisco asa: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: syslog @@ -26,7 +26,7 @@ #var.external_zones: [ "External" ] ftd: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: syslog @@ -52,7 +52,7 @@ #var.external_zones: [ "External" ] ios: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: syslog @@ -69,7 +69,7 @@ #var.paths: nexus: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -88,7 +88,7 @@ # var.tz_offset: local meraki: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp 
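Review bot: Flipping `enabled: false` to `enabled: true` in the cef `log` fileset turns on a fileset whose only visible settings are `syslog_host: localhost` and `syslog_port: 9003`, i.e. a network listener, and the same flip is applied to every fileset in the azure, barracuda, bluecoat, checkpoint and cisco `_meta/config.yml` files in this chunk while the commit subject is OpenMetrics support for metricbeat. If this is a merge or rebase artifact the hunks should be dropped; if it is intended, the change needs a rationale in the commit message, and the listener-backed filesets (the barracuda and bluecoat comments name udp as the default input) deserve a line such as `# enabled by default: the udp/syslog listener below is bound as soon as the module is enabled` so operators know a socket is opened. Whether these `_meta` files feed the generated modules.d and reference configs is inferred from their path; the generated files are not in this chunk.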
@@ -107,7 +107,7 @@ # var.tz_offset: local umbrella: - enabled: false + enabled: true #var.input: aws-s3 # AWS SQS queue url @@ -122,7 +122,7 @@ #var.api_timeout: 120s amp: - enabled: false + enabled: true # Set which input to use between httpjson (default) or file. #var.input: httpjson diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index e321a6cf3a2..f41b0383a11 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml @@ -187,15 +187,3 @@ default_field: false description: > The WebVPN group name the user belongs to - - - name: termination_initiator - type: keyword - default_field: false - description: > - Interface name of the side that initiated the teardown - - - name: tunnel_type - type: keyword - default_field: false - description: > - SA type (remote access or L2L) diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log index e1666f72432..0c3aef67223 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log 
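Review bot: The cisco/asa fields.yml hunk deletes the `termination_initiator` and `tunnel_type` field definitions, which removes their keyword mapping from the index template rather than just their documentation; any pipeline that still sets `cisco.asa.tunnel_type` would then land in a dynamically mapped field. The expected fixture later in this same changeset removes exactly the 602303/602304 events that carried `cisco.asa.tunnel_type`, so this reads like a revert of earlier ASA work rather than part of OpenMetrics support, though the pipeline side is not visible here. Confirm against the target branch whether these fields and their processors are meant to go; if so record it as a breaking change for the module, if not drop this hunk. The enclosing field list starts before the hunk.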
@@ -17,7 +17,7 @@ May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10 May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3 May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839) -May 5 18:29:32 dev01: %ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00 +May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00 May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006 May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111 
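Review bot: The fixture line changes the message ID of `Teardown dynamic UDP translation` from 305012 to 302012 while keeping the message text unchanged, but the `%ASA-6-305011: Built dynamic TCP translation` line two lines below is the build-side counterpart of 305012, and in the ASA syslog message reference 305012 is the "Teardown dynamic translation" message; I do not find a 302012 that carries this text. Unless a real device emits this text under 302012, the old ID is the correct one and this fixture plus the matching `event.code: 302012` in the expected JSON encode a wrong parse. Please verify against the Cisco syslog reference or a captured device log before keeping this edit.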
@@ -83,10 +83,3 @@ Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unaccept Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable! Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable! Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable! -Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound" -Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group "OUTSIDE_in" -Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944 -May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269 -May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018 -May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466 -May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054 
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 8866c2baa1b..cbe5e2b82eb 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -31,7 +31,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, - "network.community_id": "1:Fw2gM6G3TtQ3pHWsZKBU6LW96pQ=", "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", @@ -92,7 +91,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 162, - "network.community_id": "1:IVpSg0ysDmubwwgwjXBIZ47C7h0=", "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", @@ -340,9 +338,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 770, - "network.community_id": "1:fZKugXq2jG4PzddJfuy6XDBSNb4=", - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "tcp flow", "observer.egress.interface.name": "fw111", "observer.hostname": "dev01", "observer.ingress.interface.name": "fw111", @@ -399,7 +395,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 932, - "network.community_id": "1:RAjPAJDWj8kCZQnmEJzqMl9E6h8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "fw109", @@ -451,7 +446,6 @@ "input.type": "log", "log.level": "debug", "log.offset": 1119, - "network.community_id": "1:7GE6gaRtd6w4KEJWhDLHwfgp1Do=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "fw111", @@ -625,7 +619,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 1722, - "network.community_id": "1:adLbp2MSbpgtKlYEN938sSARKPs=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "dev01", 
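Review bot: The `@@ -340,9 +338,7 @@` hunk replaces `"network.iana_number": 6` and `"network.transport": "tcp"` with `"network.transport": "tcp flow"`, which is not a protocol name; ECS `network.transport` holds the lowercase IANA protocol keyword, and the event also loses its IANA number, so this golden update records a parsing regression (the pipeline apparently now keeps the `flow` token attached to the transport) rather than an intended result. The other hunks on this line drop `network.community_id` from every connection event, meaning the pipeline no longer computes the flow hash used to correlate these events with network sensors. Neither pipeline change is visible in this chunk, so if the fixture was regenerated against a stale branch the right fix is to restore the pipeline and regenerate against the merge base, not to accept the new expected JSON.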
@@ -867,7 +860,6 @@ "log.level": "informational", "log.offset": 2298, "network.bytes": 0, - "network.community_id": "1:4wndP8OTPk0tlCwv5mj9vURDLQ0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "fw111", @@ -924,7 +916,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 2462, - "network.community_id": "1:N0ZlFq5yxkndvN9h3uigv6XgVms=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -954,7 +945,7 @@ }, { "cisco.asa.destination_interface": "out111", - "cisco.asa.message_id": "305012", + "cisco.asa.message_id": "302012", "cisco.asa.source_interface": "fw111", "destination.address": "192.168.2.2", "destination.ip": "192.168.2.2", @@ -963,13 +954,13 @@ "event.category": [ "network" ], - "event.code": 305012, + "event.code": 302012, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2021-05-05T18:29:32.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", + "event.original": "%ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", "event.severity": 6, "event.start": "2021-05-05T20:29:32.000Z", "event.timezone": "-02:00", @@ -982,7 +973,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 2623, - "network.community_id": "1:PyQWTuzAdzYav2//+TQFcJTt2os=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "out111", @@ -1034,7 +1024,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 2768, - "network.community_id": "1:adLbp2MSbpgtKlYEN938sSARKPs=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "dev01", 
@@ -1083,7 +1072,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 2904, - "network.community_id": "1:hoENwaIuofrQAf7gW+y4f0XXbxc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "out111", @@ -1135,7 +1123,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 3029, - "network.community_id": "1:+xI89PlchTpu6dxTMHpkmkd99Ns=", "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1202,7 +1189,6 @@ "log.level": "critical", "log.offset": 3172, "network.bytes": 64585, - "network.community_id": "1:eOIoJBMMmanddR7cRZ0I9vTVI7o=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "net", @@ -1259,7 +1245,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 3328, - "network.community_id": "1:QsMj86uzy+H1c1pPwrevpSOTh6Q=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1320,7 +1305,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 3491, - "network.community_id": "1:QsMj86uzy+H1c1pPwrevpSOTh6Q=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1378,7 +1362,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 3654, - "network.community_id": "1:mPK7q/c5ZVhrh2fX6Uqp5314u3M=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "out111", @@ -1478,7 +1461,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 3935, - "network.community_id": "1:CQXm0MA6TgkTzvcatvgQvikqqes=", "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", @@ -1530,7 +1512,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 4053, - "network.community_id": "1:CctaOB5wLrJrIATPwYjXODlSpRk=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "dev01", 
@@ -1581,7 +1562,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 4197, - "network.community_id": "1:ghA7Jv5D0sCP4HhHb948hjqh3H4=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "dev01", @@ -1632,7 +1612,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 4337, - "network.community_id": "1:daEI7UiyuAFNVP1xsUsb/AHJ/1I=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "dev01", @@ -1682,7 +1661,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 4472, - "network.community_id": "1:1Rjth0DOphFZyLUBP572S4VdEu0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "net", @@ -1733,7 +1711,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 4631, - "network.community_id": "1:1Rjth0DOphFZyLUBP572S4VdEu0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "net", @@ -1839,7 +1816,6 @@ "log.level": "informational", "log.offset": 4949, "network.bytes": 0, - "network.community_id": "1:A692g/lxHLbLsT0d0M1RFfiHIs0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "net", @@ -1895,7 +1871,6 @@ "log.level": "informational", "log.offset": 5142, "network.bytes": 0, - "network.community_id": "1:pcILvYGm5J7rxuqU5/TRGZGGe3E=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "unknown", @@ -2027,7 +2002,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 5571, - "network.community_id": "1:XgYjYk8hbPPlEnBcHqCD172wQQE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "fw111", @@ -2081,7 +2055,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 5743, - "network.community_id": "1:a99mceIcFv0NTz6Aw/+bwE1TnPA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "fw111", 
@@ -2201,7 +2174,6 @@ "input.type": "log", "log.level": "debug", "log.offset": 6256, - "network.community_id": "1:pXZbIlTv2J4XdRhqORC4IQqpKKg=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "net", @@ -2320,7 +2292,6 @@ "input.type": "log", "log.level": "error", "log.offset": 6722, - "network.community_id": "1:4MHSMLtBw+4q7Wke3ztBRVwtgt0=", "network.direction": "inbound", "network.iana_number": 1, "network.transport": "icmp", @@ -2413,7 +2384,6 @@ "input.type": "log", "log.level": "error", "log.offset": 7071, - "network.community_id": "1:frDwW4LN1XFwCsYClx5AmXSlEBE=", "network.direction": "inbound", "network.transport": "sctp", "observer.egress.interface.name": "fw111", @@ -2463,7 +2433,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 7178, - "network.community_id": "1:gZP3lWRSgL55d5cZvFu18yXen5M=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "out111", @@ -2719,7 +2688,6 @@ "log.level": "informational", "log.offset": 7808, "network.bytes": 245, - "network.community_id": "1:GUlUhGicslkTpg27XLqbp4L0H68=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "server.deflan", @@ -2781,7 +2749,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 8003, - "network.community_id": "1:B0rqhFg9+Gx1GmU4JRhiyO3+xmE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "srv", @@ -3470,7 +3437,6 @@ "input.type": "log", "log.level": "error", "log.offset": 9934, - "network.community_id": "1:9NRUY+1nxDxjlLBwQoakpBYA9sc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -3738,122 +3704,6 @@ "forwarded" ] }, - { - "cisco.asa.message_id": "602303", - "cisco.asa.tunnel_type": "LAN-to-LAN", - "destination.address": "192.168.2.2", - "destination.ip": "192.168.2.2", - "event.action": "created", - "event.code": 602303, - "event.dataset": "cisco.asa", - "event.module": "cisco", - "event.original": "%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.", - "event.outcome": "success", - "event.severity": 6, - "event.timezone": "-02:00", - "fileset.name": "asa", - "host.hostname": "dev01", - "input.type": "log", - "log.level": "informational", - "log.offset": 10775, - "network.direction": "outbound", - "network.type": "ipsec", - "observer.hostname": "dev01", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "dev01" - ], - "related.ip": [ - "192.168.2.2", - "91.240.17.178" - ], - "related.user": [ - "admin" - ], - "service.type": "cisco", - "source.address": "91.240.17.178", - "source.as.number": 201126, - "source.as.organization.name": "CDW Ltd", - "source.geo.city_name": "London", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "GB", - "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5888, - "source.geo.location.lon": -0.0247, - "source.geo.region_iso_code": "GB-ENG", - "source.geo.region_name": "England", - "source.ip": "91.240.17.178", - "tags": [ - "cisco-asa", - "forwarded" - ], - "user.name": "admin" - }, - { - "cisco.asa.message_id": "602304", - "cisco.asa.tunnel_type": "LAN-to-LAN", - "destination.address": "192.168.2.2", - "destination.ip": "192.168.2.2", - "event.action": "deleted", - "event.category": [ - "network" - ], - "event.code": 602304, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 
192.168.2.2 (user= admin) has been deleted.", - "event.outcome": "success", - "event.severity": 6, - "event.timezone": "-02:00", - "event.type": [ - "allowed", - "deletion", - "info", - "user" - ], - "fileset.name": "asa", - "host.hostname": "dev01", - "input.type": "log", - "log.level": "informational", - "log.offset": 10937, - "network.direction": "outbound", - "network.type": "ipsec", - "observer.hostname": "dev01", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "dev01" - ], - "related.ip": [ - "192.168.2.2", - "91.240.17.178" - ], - "related.user": [ - "admin" - ], - "service.type": "cisco", - "source.address": "91.240.17.178", - "source.as.number": 201126, - "source.as.organization.name": "CDW Ltd", - "source.geo.city_name": "London", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "GB", - "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5888, - "source.geo.location.lon": -0.0247, - "source.geo.region_iso_code": "GB-ENG", - "source.geo.region_name": "England", - "source.ip": "91.240.17.178", - "tags": [ - "cisco-asa", - "forwarded" - ], - "user.name": "admin" - }, { "cisco.asa.message_id": "750002", "destination.address": "192.168.2.2", 
@@ -4267,356 +4117,5 @@ "cisco-asa", "forwarded" ] - }, - { - "cisco.asa.destination_interface": "inside", - "cisco.asa.message_id": "106023", - "cisco.asa.rule_name": "inbound", - "cisco.asa.source_interface": "outside", - "destination.address": "172.31.98.44", - "destination.ip": "172.31.98.44", - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 106023, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group \"inbound\"", - "event.outcome": "failure", - "event.severity": 4, - "event.timezone": "-02:00", - "event.type": [ - "denied", - "info" - ], - "fileset.name": "asa", - "host.hostname": "dev01", - "input.type": "log", - "log.level": "warning", - "log.offset": 12205, - "network.community_id": "1:Uo11LCySQ1S0c9jtHZVIb4Pm/2k=", - "network.iana_number": 47, - "observer.egress.interface.name": "inside", - "observer.hostname": "dev01", - "observer.ingress.interface.name": "outside", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "dev01" - ], - "related.ip": [ - "100.66.124.24", - "172.31.98.44" - ], - "service.type": "cisco", - "source.address": "100.66.124.24", - "source.ip": "100.66.124.24", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "cisco.asa.destination_interface": "OUTSIDE", - "cisco.asa.message_id": "106023", - "cisco.asa.rule_name": "OUTSIDE_in", - "cisco.asa.source_interface": "OUTSIDE", - "destination.address": "fe00:afa0::1", - "destination.ip": "fe00:afa0::1", - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 106023, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group 
\"OUTSIDE_in\"", - "event.outcome": "failure", - "event.severity": 4, - "event.timezone": "-02:00", - "event.type": [ - "denied", - "info" - ], - "fileset.name": "asa", - "host.hostname": "dev01", - "input.type": "log", - "log.level": "warning", - "log.offset": 12341, - "network.community_id": "1:VA3lwFPBuRus2kxMs1BexFp+gp4=", - "network.iana_number": 1, - "network.transport": "icmp", - "observer.egress.interface.name": "OUTSIDE", - "observer.hostname": "dev01", - "observer.ingress.interface.name": "OUTSIDE", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "dev01" - ], - "related.ip": [ - "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", - "fe00:afa0::1" - ], - "service.type": "cisco", - "source.address": "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", - "source.as.number": 16509, - "source.as.organization.name": "Amazon.com, Inc.", - "source.geo.city_name": "Stockholm", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "SE", - "source.geo.country_name": "Sweden", - "source.geo.location.lat": 59.3333, - "source.geo.location.lon": 18.05, - "source.geo.region_iso_code": "SE-AB", - "source.geo.region_name": "Stockholm", - "source.ip": "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "cisco.asa.connection_id": "123364823", - "cisco.asa.destination_interface": "identity", - "cisco.asa.message_id": "302016", - "cisco.asa.source_interface": "OUTSIDE", - "destination.address": "85.0.0.1", - "destination.as.number": 3303, - "destination.as.organization.name": "Bluewin", - "destination.geo.city_name": "Kolliken", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "CH", - "destination.geo.country_name": "Switzerland", - "destination.geo.location.lat": 47.3388, - "destination.geo.location.lon": 8.0264, - "destination.geo.region_iso_code": "CH-AG", - "destination.geo.region_name": "Aargau", - "destination.ip": "85.0.0.1", - 
"destination.port": 500, - "event.action": "flow-expiration", - "event.category": [ - "network" - ], - "event.code": 302016, - "event.dataset": "cisco.asa", - "event.duration": 332660000000000, - "event.end": "2020-04-27T02:03:03.000-02:00", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944", - "event.severity": 4, - "event.start": "2020-04-23T07:38:43.000Z", - "event.timezone": "-02:00", - "event.type": [ - "connection", - "end" - ], - "fileset.name": "asa", - "host.hostname": "dev01", - "input.type": "log", - "log.level": "warning", - "log.offset": 12518, - "network.bytes": 4671944, - "network.community_id": "1:rwM9yFUsWh6N2utKviU7S94dS9U=", - "network.iana_number": 17, - "network.transport": "udp", - "observer.egress.interface.name": "identity", - "observer.hostname": "dev01", - "observer.ingress.interface.name": "OUTSIDE", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "dev01" - ], - "related.ip": [ - "82.0.0.1", - "85.0.0.1" - ], - "service.type": "cisco", - "source.address": "82.0.0.1", - "source.as.number": 5089, - "source.as.organization.name": "Virgin Media Limited", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "GB", - "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.4964, - "source.geo.location.lon": -0.1224, - "source.ip": "82.0.0.1", - "source.port": 500, - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "cisco.asa.burst.avg_rate": "5", - "cisco.asa.burst.configured_avg_rate": "4", - "cisco.asa.burst.configured_rate": "8", - "cisco.asa.burst.cumulative_count": "19269", - "cisco.asa.burst.current_rate": "0", - "cisco.asa.burst.id": "rate-2", - "cisco.asa.burst.object": "Scanning", - "cisco.asa.message_id": "733100", - "event.action": "firewall-rule", - "event.category": [ - 
"network" - ], - "event.code": 733100, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269", - "event.severity": 4, - "event.timezone": "-02:00", - "event.type": [ - "info" - ], - "fileset.name": "asa", - "host.hostname": "dev01", - "input.type": "log", - "log.level": "warning", - "log.offset": 12677, - "observer.hostname": "dev01", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "dev01" - ], - "service.type": "cisco", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "cisco.asa.burst.avg_rate": "5", - "cisco.asa.burst.configured_avg_rate": "5", - "cisco.asa.burst.configured_rate": "10", - "cisco.asa.burst.cumulative_count": "6018", - "cisco.asa.burst.current_rate": "0", - "cisco.asa.burst.id": "rate-1", - "cisco.asa.burst.object": "192.168.0.1", - "cisco.asa.message_id": "733100", - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 733100, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. 
Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018", - "event.severity": 4, - "event.timezone": "-02:00", - "event.type": [ - "info" - ], - "fileset.name": "asa", - "host.hostname": "dev01", - "input.type": "log", - "log.level": "warning", - "log.offset": 12907, - "observer.hostname": "dev01", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "dev01" - ], - "service.type": "cisco", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "cisco.asa.burst.avg_rate": "20", - "cisco.asa.burst.configured_avg_rate": "5", - "cisco.asa.burst.configured_rate": "10", - "cisco.asa.burst.cumulative_count": "12466", - "cisco.asa.burst.current_rate": "8", - "cisco.asa.burst.id": "rate-1", - "cisco.asa.burst.object": "Port-5432 5432", - "cisco.asa.message_id": "733100", - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 733100, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. 
Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466", - "event.severity": 4, - "event.timezone": "-02:00", - "event.type": [ - "info" - ], - "fileset.name": "asa", - "host.hostname": "dev01", - "input.type": "log", - "log.level": "warning", - "log.offset": 13142, - "observer.hostname": "dev01", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "dev01" - ], - "service.type": "cisco", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "cisco.asa.burst.avg_rate": "5", - "cisco.asa.burst.configured_avg_rate": "5", - "cisco.asa.burst.configured_rate": "10", - "cisco.asa.burst.cumulative_count": "3054", - "cisco.asa.burst.current_rate": "63", - "cisco.asa.burst.id": "rate-1", - "cisco.asa.burst.object": "RDP 3389", - "cisco.asa.message_id": "733100", - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 733100, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054", - "event.severity": 4, - "event.timezone": "-02:00", - "event.type": [ - "info" - ], - "fileset.name": "asa", - "host.hostname": "dev01", - "input.type": "log", - "log.level": "warning", - "log.offset": 13384, - "observer.hostname": "dev01", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "dev01" - ], - "service.type": "cisco", - "tags": [ - "cisco-asa", - "forwarded" - ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 9335237a31b..39e67069061 100644 
--- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
@@ -4,7 +4,7 @@
 "cisco.asa.destination_interface": "Inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "Outside",
- "cisco.asa.source_username": "LOCAL\\Elastic",
+ "cisco.asa.source_username": "(LOCAL\\Elastic)",
 "cisco.asa.termination_user": "zzzzzz",
 "destination.address": "10.233.123.123",
 "destination.ip": "10.233.123.123",
@@ -33,7 +33,6 @@
 "log.level": "informational",
 "log.offset": 0,
 "network.bytes": 148,
- "network.community_id": "1:9aBQ+NznvYals1agEGRVJm37dvQ=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "Inside",
@@ -49,14 +48,10 @@
 "10.123.123.123",
 "10.233.123.123"
 ],
- "related.user": [
- "Elastic"
- ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "source.port": 53723,
- "source.user.name": "Elastic",
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -90,7 +85,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 200,
- "network.community_id": "1:kV/6Jt4iMhVyUT1AW+UO0itOhqU=",
 "network.iana_number": 1,
 "network.transport": "icmp",
 "observer.egress.interface.name": "Outside",
@@ -141,7 +135,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 381,
- "network.community_id": "1:7nrIUULEgk5A+nhbh4kNmEkwL3o=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
@@ -166,7 +159,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "Inside_access_in",
 "cisco.asa.source_interface": "Inside",
- "cisco.asa.source_username": "LOCAL\\Elastic",
+ "cisco.asa.source_username": "(LOCAL\\Elastic)",
 "destination.address": "10.123.123.123",
 "destination.ip": "10.123.123.123",
 "destination.port": 57621,
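Review bot: The asa-fix.log-expected.json changes in this hunk look like parser regressions rather than intended fixture updates: `cisco.asa.source_username` now keeps its surrounding parentheses (`"(LOCAL\\Elastic)"`), `related.user` and `source.user.name` disappear from the same events, and `network.community_id` is removed from every flow event here and throughout asa.log-expected.json. None of this relates to the OpenMetrics work in the commit subject, so this is presumably a golden file regenerated against an older or mis-merged cisco/asa pipeline; it is worth regenerating against the current pipeline before committing. From a detection standpoint, losing `network.community_id` breaks cross-source flow correlation and dropping `source.user.name` removes user attribution, so these expectations should not be lowered silently.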
@@ -191,7 +184,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 545,
- "network.community_id": "1:LM0R4Wi8tEf+1pe2ukofXQKxfMc=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "Outside",
@@ -206,14 +198,10 @@
 "related.ip": [
 "10.123.123.123"
 ],
- "related.user": [
- "Elastic"
- ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "source.port": 57621,
- "source.user.name": "Elastic",
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -341,7 +329,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 989,
- "network.community_id": "1:/zjqku0IM1BTHL37aH0DvJSecYY=",
 "network.iana_number": 1,
 "network.transport": "icmp",
 "observer.egress.interface.name": "identity",
@@ -390,7 +377,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 1171,
- "network.community_id": "1:F0lY+M777B6QL2SDSKa9RfuUJ7s=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "inside",
@@ -439,7 +425,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 1334,
- "network.community_id": "1:F0lY+M777B6QL2SDSKa9RfuUJ7s=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "inside",
@@ -489,7 +474,6 @@
 "input.type": "log",
 "log.level": "error",
 "log.offset": 1514,
- "network.community_id": "1:kRCfRJ9T/IeRNAhAhzOsF6EjIV4=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "inside",
@@ -549,7 +533,6 @@
 "input.type": "log",
 "log.level": "alert",
 "log.offset": 1723,
- "network.community_id": "1:cJpy7sqGDQbchRUXDtR8k10HinM=",
 "network.iana_number": 1,
 "network.transport": "icmp",
 "observer.egress.interface.name": "outside",
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
index 81c80ebf991..59fdb927a87 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -27,7 +27,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 0, - "network.community_id": "1:ygCOhTlTMVGn+PXlTgyzRveBJ9g=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -87,7 +86,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 150, - "network.community_id": "1:aH+Rcp4nenimMGZQ733uys/x0js=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -150,7 +148,6 @@ "log.level": "informational", "log.offset": 345, "network.bytes": 38110, - "network.community_id": "1:nawleoAMDhKg7pshv6H5enEaKV8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -212,7 +209,6 @@ "log.level": "informational", "log.offset": 535, "network.bytes": 44010, - "network.community_id": "1:XqwLVHNEt7Z1fB2ZZXj1piBH4PM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -274,7 +270,6 @@ "log.level": "informational", "log.offset": 725, "network.bytes": 7652, - "network.community_id": "1:Q18EvtK0EmoGK6hViBJu2B9syjc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -336,7 +331,6 @@ "log.level": "informational", "log.offset": 913, "network.bytes": 7062, - "network.community_id": "1:k3K4xSa45aJwCWLM9eIJsqCydLQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -398,7 +392,6 @@ "log.level": "informational", "log.offset": 1101, "network.bytes": 5738, - "network.community_id": "1:Qq/qwMDt7lmCdvQnPYJ86wHp5mY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -460,7 +453,6 @@ "log.level": "informational", "log.offset": 1290, "network.bytes": 4176, - "network.community_id": "1:ezm9yQGN1cdh1QEJ2nw19295QfU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -522,7 +514,6 @@ "log.level": "informational", "log.offset": 1478, "network.bytes": 1715, - "network.community_id": "1:dV1ILqqOHNIkUwdYUt2iodkCTIg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -584,7 +575,6 @@ "log.level": "informational", "log.offset": 1666, "network.bytes": 45595, - "network.community_id": "1:M9jSkRNBaw+CV8aYYGLeh+1c4LQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -646,7 +636,6 @@ "log.level": "informational", "log.offset": 1853, "network.bytes": 27359, - "network.community_id": "1:kcIahkhuYMj1cJNDgmYdpgb8b5o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -708,7 +697,6 @@ "log.level": "informational", "log.offset": 2043, "network.bytes": 4457, - "network.community_id": "1:Oll9UOQVtF14Vb1gAqDgbQ8GVN0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -770,7 +758,6 @@ "log.level": "informational", "log.offset": 2231, "network.bytes": 26709, - "network.community_id": "1:SRok/PbYRZCXwEJ9MQDvhiR0OZc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -832,7 +819,6 @@ "log.level": "informational", "log.offset": 2420, "network.bytes": 22097, - "network.community_id": "1:agnIkBJhbPXkAM0Ai6Q8vvm22FM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -894,7 +880,6 @@ "log.level": "informational", "log.offset": 2609, "network.bytes": 2209, - "network.community_id": "1:dyOBaLTo8f2aK6FSqmPQ8iEKQCM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -956,7 +941,6 @@ "log.level": "informational", "log.offset": 2798, "network.bytes": 10404, - "network.community_id": "1:JG3x+PLXI8vDNUP0xc2b7cGmtO8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1018,7 +1002,6 @@ "log.level": "informational", "log.offset": 2987, "network.bytes": 123694, - "network.community_id": "1:aVhOiCMAQUL3DYMg+b1hd6++Tsw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1080,7 +1063,6 @@ "log.level": "informational", "log.offset": 3177, "network.bytes": 35835, - "network.community_id": "1:yvanaru1i/rrH9fF3MeSmHfJVH0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1142,7 +1124,6 @@ "log.level": "informational", "log.offset": 3367, "network.bytes": 0, - "network.community_id": "1:h36yIuCF0zHqn+9q0Z5lLEIz2FE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1197,7 +1178,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3552, - "network.community_id": "1:tCQw5Th130a6dZONq7h6PjILJZY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -1257,7 +1237,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3703, - "network.community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", 
@@ -1319,7 +1298,6 @@ "log.level": "informational", "log.offset": 3896, "network.bytes": 148, - "network.community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1379,7 +1357,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4071, - "network.community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1441,7 +1418,6 @@ "log.level": "informational", "log.offset": 4264, "network.bytes": 164, - "network.community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1496,7 +1472,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4439, - "network.community_id": "1:IqCv9QrYpJkgySoRM91LE2Ao1Ug=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1556,7 +1531,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4589, - "network.community_id": "1:sxPO5rXtxG30Oh+QP2ncQZ0N1U8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1612,7 +1586,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4784, - "network.community_id": "1:MZcBg2aQ/SdpVmPXf2Ze+Ng4g9Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1672,7 +1645,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4934, - "network.community_id": "1:G5HU7oEz3i/eGfSUoq5HuDVo7u4=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -1733,7 +1705,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5129, - "network.community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1794,7 +1765,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5326, - "network.community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1856,7 +1826,6 @@ "log.level": "informational", "log.offset": 5519, "network.bytes": 111, - "network.community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1917,7 +1886,6 @@ "log.level": "informational", "log.offset": 5696, "network.bytes": 237, - "network.community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1972,7 +1940,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5871, - "network.community_id": "1:/KJCwT2FUqlgb+8c7f4b8fvqWFE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2032,7 +1999,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6021, - "network.community_id": "1:gFO9U+lgj3sty9R349zScds2rBg=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2088,7 +2054,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6218, - "network.community_id": "1:kpfWE+K4tPLbC1LWM9M8v5zQqyk=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", 
@@ -2148,7 +2113,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6369, - "network.community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2209,7 +2173,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6566, - "network.community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2271,7 +2234,6 @@ "log.level": "informational", "log.offset": 6759, "network.bytes": 87, - "network.community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2332,7 +2294,6 @@ "log.level": "informational", "log.offset": 6935, "network.bytes": 221, - "network.community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2387,7 +2348,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7110, - "network.community_id": "1:J8j4D9Hm6tPmF+enIkcOgaYzEg4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2447,7 +2407,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7260, - "network.community_id": "1:2VKYvyM6qODR0XAXnVUFrYSP/IU=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2508,7 +2467,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7455, - "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", 
@@ -2569,7 +2527,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7652, - "network.community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2631,7 +2588,6 @@ "log.level": "informational", "log.offset": 7849, "network.bytes": 101, - "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2692,7 +2648,6 @@ "log.level": "informational", "log.offset": 8026, "network.bytes": 126, - "network.community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2747,7 +2702,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8203, - "network.community_id": "1:TO0ui5exOUfDCukU8mR9bJIjkLY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2807,7 +2761,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8353, - "network.community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2870,7 +2823,6 @@ "log.level": "informational", "log.offset": 8548, "network.bytes": 862, - "network.community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -2930,7 +2882,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8733, - "network.community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", 
@@ -2992,7 +2943,6 @@ "log.level": "informational", "log.offset": 8930, "network.bytes": 104, - "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3053,7 +3003,6 @@ "log.level": "informational", "log.offset": 9107, "network.bytes": 176, - "network.community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3108,7 +3057,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9284, - "network.community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3168,7 +3116,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9434, - "network.community_id": "1:2YT6PqWSIyoyRYVbl2cIXiGcMsw=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3224,7 +3171,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9625, - "network.community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3284,7 +3230,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9775, - "network.community_id": "1:XheyUG03AcgRSOyMnpafZQNi3wY=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3340,7 +3285,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9966, - "network.community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -3400,7 +3344,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10116, - "network.community_id": "1:cKgOVwHWv3CzYQlpMkVbynKHE30=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3461,7 +3404,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10307, - "network.community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -3523,7 +3465,6 @@ "log.level": "informational", "log.offset": 10500, "network.bytes": 104, - "network.community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3578,7 +3519,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10675, - "network.community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3638,7 +3578,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10825, - "network.community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3694,7 +3633,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11018, - "network.community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3754,7 +3692,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11168, - "network.community_id": "1:wH3OQfGQv6qlex3KDY6fleRZ3W4=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -3815,7 +3752,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11361, - "network.community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -3878,7 +3814,6 @@ "log.level": "informational", "log.offset": 11554, "network.bytes": 593, - "network.community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3933,7 +3868,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11738, - "network.community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3993,7 +3927,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11888, - "network.community_id": "1:9aaIbdVfxtctEtHtisDVEKYc8wI=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4055,7 +3988,6 @@ "log.level": "informational", "log.offset": 12081, "network.bytes": 375, - "network.community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -4110,7 +4042,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12256, - "network.community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4170,7 +4101,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12406, - "network.community_id": "1:CUxMKGQ8Da35o4Z5ZJ3cqjyBcjE=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -4200,29 +4130,20 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "cisco.asa.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8267, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4230,12 +4151,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12599, - "network.community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4244,14 +4160,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1454, "tags": [ "cisco-asa", "forwarded" @@ -4285,7 +4194,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12769, - "network.community_id": "1:24J8khLuXWoetlU/J6WYj+4RnIU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -4345,7 +4253,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12920, - "network.community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4375,29 +4282,20 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "cisco.asa.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8268, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4405,12 +4303,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13115, - "network.community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4419,14 +4312,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1455, "tags": [ "cisco-asa", "forwarded" 
@@ -4434,29 +4320,20 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "cisco.asa.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8269, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4464,12 +4341,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13285, - "network.community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4478,14 +4350,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1456, "tags": [ "cisco-asa", "forwarded" 
@@ -4493,29 +4358,20 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "cisco.asa.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8270, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4523,12 +4379,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13455, - "network.community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4537,14 +4388,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1457, "tags": [ "cisco-asa", "forwarded" 
@@ -4552,29 +4396,20 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "cisco.asa.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8271, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4582,12 +4417,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13625, - "network.community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4596,14 +4426,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1458, "tags": [ "cisco-asa", "forwarded" 
@@ -4611,29 +4434,20 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "cisco.asa.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8272, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4641,12 +4455,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13795, - "network.community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4655,14 +4464,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1459, "tags": [ "cisco-asa", "forwarded" 
@@ -4670,29 +4472,20 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "cisco.asa.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8273, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4700,12 +4493,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13965, - "network.community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4714,14 +4502,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1460, "tags": [ "cisco-asa", "forwarded" @@ -4762,7 +4543,6 @@ "log.level": "informational", "log.offset": 14135, "network.bytes": 575, - "network.community_id": "1:pux42VCSy7BX42P3cpyd4c/X1M8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -4824,7 +4604,6 @@ "log.level": "informational", "log.offset": 14320, "network.bytes": 5391, - "network.community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4879,7 +4658,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14509, - "network.community_id": "1:mWEQuMzgDppOFGfUpnRU2SOVLC4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4939,7 +4717,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14660, - "network.community_id": "1:WPQ7PgW0xK/OsH/dwOA4osO4W+M=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4998,7 +4775,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 14855, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5056,7 +4832,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15020, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5114,7 +4889,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15185, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5172,7 +4946,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15350, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -5230,7 +5003,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15515, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5288,7 +5060,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15680, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5346,7 +5117,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15845, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5404,7 +5174,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16010, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5462,7 +5231,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16175, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5520,7 +5288,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16340, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5578,7 +5345,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16505, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -5636,7 +5402,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16670, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5694,7 +5459,6 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16835, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5749,7 +5513,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17000, - "network.community_id": "1:ZuhnndzENnR8d8NKvStxJffM+XM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -5809,7 +5572,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17150, - "network.community_id": "1:7t0ua2FV3S8YYwDwaXzw5Tm8M80=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -5865,7 +5627,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17343, - "network.community_id": "1:ZhyIop0bR8c1qT9K7cSplqrW0ew=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -5925,7 +5686,6 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17494, - "network.community_id": "1:vvawE2mM1hKl2WU/GmHBmMoI3G8=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index 1ae3aa1f563..5b15b5338d8 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json 
@@ -62,7 +62,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 174, - "network.community_id": "1:bEmZObpc4rxeHLkGwSyEBNS+Sxg=", "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index e959ed69145..adfb513bdb9 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -76,7 +76,6 @@ "log.file.path": "hostnames.log", "log.level": "informational", "log.offset": 169, - "network.community_id": "1:TIG5OyXflKDSW/Fgd/O5r5A7Zk4=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "MYHOSTNAME", diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 09357b0121b..bf0c3a439e7 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -79,7 +79,6 @@ "log.file.path": "not-ip.log", "log.level": "informational", "log.offset": 201, - "network.community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "localhost", @@ -139,7 +138,6 @@ "log.file.path": "not-ip.log", "log.level": "warning", "log.offset": 360, - "network.community_id": "1:d9RGgqBro5rzu16MqJQFehDRaKY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "wan", diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log b/x-pack/filebeat/module/cisco/asa/test/sample.log index 6553ffa18ef..73ea89341b0 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log 
@@ -70,18 +70,3 @@ Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username) -Jan 13 2021 19:12:37: %ASA-5-304001: USER001@192.168.0.1(LOCAL\USER001) Accessed URL 172.17.6.211:http://testingserver.com/somewebpage.html -Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\USER001) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (USER001) -Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\user@domain.tld) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (user@domain.tld) -Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\USER001) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER001) type 3 code 3 -Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\user@domain.tld) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (user@domain.tld) type 3 code 3 -Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(AD\USER002) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER002) type 3 code 3 -Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:192.168.0.1/59677(LOCAL\USER001) to OUTSIDE:75.0.0.1/18449 duration 0:00:00 -Jan 15 2021 19:12:37: %ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::2205:baff:fe9d:f637/0 laddr fe80::2205:baff:fe9d:f637/0 type 134 code 0 -Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 251933191 for OUTSIDE:fe00::fede:bbe1/62477 
(fe00::fede:bbe1/62477) to OUTSIDE:2a03:2880:f253:cb:face:b00c:0:43fe/443 (2a03:2880:f253:cb:face:b00c:0:43fe/443) (soc@danskecommodities.com) -Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:81.0.0.1/50120(LOCAL\domain\USER001) to OUTSIDE:181.0.0.1/50120 duration 0:02:05 -Jan 15 2021 19:12:37: %ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:81.0.0.1/50120(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\USER001) -Jan 15 2021 19:12:37: %ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:81.0.0.1/63790 (82.0.0.1/63790)(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\USER001) -Jan 15 2021 19:12:37: %ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:81.0.0.1/63790(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\USER001) -Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:81.0.0.1/50120 (82.0.0.1/50120)(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\USER001) -Jul 29 2021 08:35:29: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 12.12.12.12 and 12.12.12.12 (user= 12.12.12.12) has been deleted. diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index 50e7be1889e..33522a3339c 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -29,7 +29,6 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 0, - "network.community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -80,7 +79,6 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 139, - "network.community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -132,7 +130,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 294, - "network.community_id": "1:/AVpSqNe7QhujyFPgKMbMS9Ct44=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -184,7 +181,6 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 465, - "network.community_id": "1:462QRxMFThXYxhSyvR50cIDJegg=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -240,7 +236,6 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 632, - "network.community_id": "1:c8hH08+kxqP8+dYZZFCsPYYf0oo=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -292,7 +287,6 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 812, - "network.community_id": "1:oGT+RQ2PYVsSEX/LuKvEW6O6Jiw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -346,7 +340,6 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 938, - "network.community_id": "1:4NJbCZhuyrAJcj7S647C7IIhAM8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -395,7 +388,6 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1106, - "network.community_id": "1:ay9S7HyVcpV47ArwMPDsxLg6wBU=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", 
@@ -449,7 +441,6 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1233, - "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -500,7 +491,6 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1401, - "network.community_id": "1:fZibb4nXPyoJv3pk+hIlafmMMMY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -555,7 +545,6 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1527, - "network.community_id": "1:KAOD4KM9MUK44UkzQPDM20+aGPI=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -611,7 +600,6 @@ "log.level": "informational", "log.offset": 1692, "network.bytes": 140, - "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -643,7 +631,6 @@ "destination.address": "10.123.1.35", "destination.ip": "10.123.1.35", "destination.port": 52925, - "destination.user.name": "user2", "event.action": "flow-expiration", "event.category": [ "network" @@ -668,7 +655,6 @@ "log.level": "informational", "log.offset": 1844, "network.bytes": 9999999, - "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -680,20 +666,14 @@ "10.123.1.35", "192.0.2.222" ], - "related.user": [ - "user1", - "user2" - ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", "source.port": 53, - "source.user.name": "user1", "tags": [ "cisco-asa", "forwarded" - ], - "user.name": "user2" + ] }, { "@timestamp": "2011-06-04T21:59:52.000-02:00", 
@@ -722,7 +702,6 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2008, - "network.community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "FJSG2NRFW01", @@ -771,7 +750,6 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2163, - "network.community_id": "1:EsAlPGwbpvnOIWG+1RbOLtWOWaI=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -826,7 +804,6 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2289, - "network.community_id": "1:m/dSB7tetihSecuyjm6x4Rl/8I8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -876,7 +853,6 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 2454, - "network.community_id": "1:cjsjwTI1K/FNwJ9mwZX971rPjfo=", "network.direction": "inbound", "network.iana_number": 17, "network.protocol": "dns", @@ -927,7 +903,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 2563, - "network.community_id": "1:Zboag8BrI6OW/Oo2vWMZ2CJe4tM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -978,7 +953,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 2722, - "network.community_id": "1:Ne/QE55iCFiCg5J75DhSp3KZzQI=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1029,7 +1003,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 2883, - "network.community_id": "1:nVqNkC3HBTw1Le7RJD28aYfCDTg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -1080,7 +1053,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3044, - "network.community_id": "1:c82bgYlFS2zsrs3He7w3jq7x6jY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1131,7 +1103,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3205, - "network.community_id": "1:iQJvtLpa8CzCZimwacqAWJp9sZg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1182,7 +1153,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3366, - "network.community_id": "1:CHFAR3iwADiL0sMiLhocbg8YF4o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1233,7 +1203,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3527, - "network.community_id": "1:fW9fDNL4osH5ogPXIzh5huGyJLU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1284,7 +1253,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3688, - "network.community_id": "1:VqbI7AJvRLmCOZAb2tHFFBTeRZ8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1335,7 +1303,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3847, - "network.community_id": "1:TUJhCk7pGNvVhgiAnf4YJJaoCpo=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -1386,7 +1353,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4004, - "network.community_id": "1:EItD1g2bG+b/iorMXbZ/3Bvjam8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -1435,7 +1401,6 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 4163, - "network.community_id": "1:a6VFmKsjwlqdlhQIeSm95/lkWlY=", "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", @@ -1483,7 +1448,6 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 4274, - "network.community_id": "1:96NZ3spb6QBXPZwoL7NadaqTMac=", "network.direction": "inbound", "network.iana_number": 17, "network.protocol": "dns", @@ -1534,7 +1498,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4383, - "network.community_id": "1:DbXtTF7Tt+LJ0/omdap4K0RmodY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1585,7 +1548,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4542, - "network.community_id": "1:8enMIE4IqhVXWyyRuJRvdyDxiBA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1636,7 +1598,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4703, - "network.community_id": "1:3vGj3wfvZB2f5kZmDflH/qfkWYE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1687,7 +1648,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4862, - "network.community_id": "1:Wjdn68t3gwpMPxbO1bBTBvMkQKE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1738,7 +1698,6 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 5018, - "network.community_id": "1:OHPCPPOkvDP3KMLJodW8pdmntUw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -1789,7 +1748,6 @@
 "log.file.path": "sample.log",
 "log.level": "warning",
 "log.offset": 5174,
- "network.community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "inside",
@@ -1840,7 +1798,6 @@
 "log.file.path": "sample.log",
 "log.level": "warning",
 "log.offset": 5321,
- "network.community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "inside",
@@ -1891,7 +1848,6 @@
 "log.file.path": "sample.log",
 "log.level": "notification",
 "log.offset": 5468,
- "network.community_id": "1:IOafOGWxFLefP+hvoAc06Z1pBj8=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
@@ -1942,7 +1898,6 @@
 "log.file.path": "sample.log",
 "log.level": "notification",
 "log.offset": 5631,
- "network.community_id": "1:89qba0kw6T/uGNWcSzTTYvNoLeY=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
@@ -1994,7 +1949,6 @@
 "log.file.path": "sample.log",
 "log.level": "notification",
 "log.offset": 5792,
- "network.community_id": "1:3EQcjAJCGY7yJRip464V5VZ2h00=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
@@ -2047,7 +2001,6 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 5963,
- "network.community_id": "1:xQpx+K3UkeF1wQfNjT+9cuVvkHo=",
 "network.direction": "outbound",
 "network.iana_number": 17,
 "network.transport": "udp",
@@ -2100,7 +2053,6 @@
 "log.file.path": "sample.log",
 "log.level": "warning",
 "log.offset": 6138,
- "network.community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "outside",
@@ -2152,7 +2104,6 @@
 "log.file.path": "sample.log",
 "log.level": "warning",
 "log.offset": 6288,
- "network.community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "outside",
@@ -2320,7 +2271,6 @@
 "log.level": "informational",
 "log.offset": 6778,
 "network.bytes": 14804,
- "network.community_id": "1:tVS/eeyng4tH7pSAcq77I2cbedw=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "dmz",
@@ -2376,7 +2326,6 @@
 "log.level": "informational",
 "log.offset": 6943,
 "network.bytes": 134781,
- "network.community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "dmz",
@@ -2432,7 +2381,6 @@
 "log.level": "informational",
 "log.offset": 7109,
 "network.bytes": 134781,
- "network.community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "dmz",
@@ -2482,7 +2430,6 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 7275,
- "network.community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.ingress.interface.name": "outside",
@@ -2531,7 +2478,6 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 7417,
- "network.community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.ingress.interface.name": "outside",
@@ -2582,7 +2528,6 @@
 "log.file.path": "sample.log",
 "log.level": "warning",
 "log.offset": 7559,
- "network.community_id": "1:BouUIZD+TqJZdYklL1aMrJfnbQ0=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "outside",
@@ -2636,7 +2581,6 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 7710,
- "network.community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=",
 "network.direction": "outbound",
 "network.iana_number": 6,
 "network.transport": "tcp",
@@ -2691,7 +2635,6 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 7884,
- "network.community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=",
 "network.direction": "outbound",
 "network.iana_number": 6,
 "network.transport": "tcp",
@@ -2748,7 +2691,6 @@
 "log.level": "informational",
 "log.offset": 8058,
 "network.bytes": 11420,
- "network.community_id": "1:kugTIYv6tVeitQAN8XRNgUPvZiw=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "dmz",
@@ -2803,7 +2745,6 @@
 "log.level": "informational",
 "log.offset": 8223,
 "network.bytes": 1416,
- "network.community_id": "1:n1IQHcbrWLb1u8dflqz8hfEElA0=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "inside",
@@ -3239,7 +3180,6 @@
 "log.file.path": "sample.log",
 "log.level": "warning",
 "log.offset": 9335,
- "network.community_id": "1:buRYH8vRkdq5apZqKHNDfmztnUo=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "inside",
@@ -3341,7 +3281,6 @@
 "log.file.path": "sample.log",
 "log.level": "warning",
 "log.offset": 9599,
- "network.community_id": "1:XKWgpeop6LmXORBjS+D+pjammJ4=",
 "network.iana_number": 1,
 "network.transport": "icmp",
 "observer.ingress.interface.name": "inside",
@@ -3395,7 +3334,6 @@
 "log.file.path": "sample.log",
 "log.level": "warning",
 "log.offset": 9735,
- "network.community_id": "1:ZWjuP5bJeA+f0NH342ubXOWI+Lc=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
@@ -3458,7 +3396,6 @@
 "log.file.path": "sample.log",
 "log.level": "warning",
 "log.offset": 9986,
- "network.community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outsidet",
@@ -3517,7 +3454,6 @@
 "log.file.path": "sample.log",
 "log.level": "warning",
 "log.offset": 10285,
- "network.community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outsidet",
@@ -3687,7 +3623,6 @@
 "cisco.asa.message_id": "302013",
 "cisco.asa.source_interface": "internet",
 "cisco.asa.source_username": "LOCAL\\username",
- "cisco.asa.termination_user": "username",
 "destination.address": "1.2.3.4",
 "destination.geo.city_name": "Moscow",
 "destination.geo.continent_name": "Europe",
@@ -3699,6 +3634,7 @@
 "destination.geo.region_name": "Moscow",
 "destination.ip": "1.2.3.4",
 "destination.port": 80,
+ "destination.user.name": "username",
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -3718,7 +3654,6 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 10899,
- "network.community_id": "1:iwVZPCmO/50L3MVqIW0tC5ED+bg=",
 "network.direction": "inbound",
 "network.iana_number": 6,
 "network.transport": "tcp",
@@ -3739,1090 +3674,10 @@ "source.ip": "10.2.3.4", "source.nat.ip": "1.2.3.4", "source.port": 49926, - "source.user.name": "username", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-13T19:12:37.000-02:00", - "cisco.asa.message_id": "304001", - "destination.address": "172.17.6.211", - "destination.ip": "172.17.6.211", - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 304001, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-5-304001: USER001@192.168.0.1(LOCAL\\USER001) Accessed URL 172.17.6.211:http://testingserver.com/somewebpage.html", - "event.outcome": "success", - "event.severity": 5, - "event.timezone": "-02:00", - "event.type": [ - "allowed", - "info" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "notification", - "log.offset": 11080, - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.ip": [ - "172.17.6.211", - "192.168.0.1" - ], - "related.user": [ - "USER001" - ], - "service.type": "cisco", - "source.address": "192.168.0.1", - "source.ip": "192.168.0.1", - "source.user.name": "USER001", - "tags": [ - "cisco-asa", - "forwarded" - ], - "url.domain": "testingserver.com", - "url.extension": "html", - "url.original": "http://testingserver.com/somewebpage.html", - "url.path": "/somewebpage.html", - "url.scheme": "http" - }, - { - "@timestamp": "2021-01-13T19:12:37.000-02:00", - "cisco.asa.connection_id": "195207391", - "cisco.asa.destination_interface": "OUTSIDE", - "cisco.asa.mapped_destination_ip": "81.0.0.1", - "cisco.asa.mapped_destination_port": 443, - "cisco.asa.mapped_source_ip": "62.0.0.1", - "cisco.asa.mapped_source_port": 34534, - "cisco.asa.message_id": "302013", - "cisco.asa.source_interface": "OUTSIDE", - "cisco.asa.source_username": "LOCAL\\USER001", - "cisco.asa.termination_user": "USER001", - "destination.address": 
"81.0.0.1", - "destination.as.number": 15704, - "destination.as.organization.name": "Xtra Telecom S.A.", - "destination.geo.city_name": "Madrid", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "ES", - "destination.geo.country_name": "Spain", - "destination.geo.location.lat": 40.4143, - "destination.geo.location.lon": -3.7016, - "destination.geo.region_iso_code": "ES-M", - "destination.geo.region_name": "Madrid", - "destination.ip": "81.0.0.1", - "destination.port": 443, - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 302013, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\\USER001) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (USER001)", - "event.severity": 5, - "event.timezone": "-02:00", - "event.type": [ - "info" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "notification", - "log.offset": 11220, - "network.community_id": "1:80+NOqHrJ3D1YMNcnBpJC7S6Pkg=", - "network.direction": "inbound", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "OUTSIDE", - "observer.ingress.interface.name": "OUTSIDE", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.ip": [ - "62.0.0.1", - "81.0.0.1", - "85.0.0.1" - ], - "related.user": [ - "USER001" - ], - "service.type": "cisco", - "source.address": "85.0.0.1", - "source.as.number": 3303, - "source.as.organization.name": "Bluewin", - "source.geo.city_name": "Kolliken", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "CH", - "source.geo.country_name": "Switzerland", - "source.geo.location.lat": 47.3388, - "source.geo.location.lon": 8.0264, - "source.geo.region_iso_code": "CH-AG", - "source.geo.region_name": "Aargau", - "source.ip": 
"85.0.0.1", - "source.nat.ip": "62.0.0.1", - "source.nat.port": "34534", - "source.port": 12312, - "source.user.name": "USER001", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-13T19:12:37.000-02:00", - "cisco.asa.connection_id": "195207391", - "cisco.asa.destination_interface": "OUTSIDE", - "cisco.asa.mapped_destination_ip": "81.0.0.1", - "cisco.asa.mapped_destination_port": 443, - "cisco.asa.mapped_source_ip": "62.0.0.1", - "cisco.asa.mapped_source_port": 34534, - "cisco.asa.message_id": "302013", - "cisco.asa.source_interface": "OUTSIDE", - "cisco.asa.source_username": "LOCAL\\user@domain.tld", - "cisco.asa.termination_user": "user@domain.tld", - "destination.address": "81.0.0.1", - "destination.as.number": 15704, - "destination.as.organization.name": "Xtra Telecom S.A.", - "destination.geo.city_name": "Madrid", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "ES", - "destination.geo.country_name": "Spain", - "destination.geo.location.lat": 40.4143, - "destination.geo.location.lon": -3.7016, - "destination.geo.region_iso_code": "ES-M", - "destination.geo.region_name": "Madrid", - "destination.ip": "81.0.0.1", - "destination.port": 443, - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 302013, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\\user@domain.tld) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (user@domain.tld)", - "event.severity": 5, - "event.timezone": "-02:00", - "event.type": [ - "info" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "notification", - "log.offset": 11404, - "network.community_id": "1:80+NOqHrJ3D1YMNcnBpJC7S6Pkg=", - "network.direction": "inbound", - "network.iana_number": 6, - "network.transport": "tcp", - 
"observer.egress.interface.name": "OUTSIDE", - "observer.ingress.interface.name": "OUTSIDE", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "domain.tld" - ], - "related.ip": [ - "62.0.0.1", - "81.0.0.1", - "85.0.0.1" - ], - "related.user": [ - "user@domain.tld" - ], - "service.type": "cisco", - "source.address": "85.0.0.1", - "source.as.number": 3303, - "source.as.organization.name": "Bluewin", - "source.geo.city_name": "Kolliken", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "CH", - "source.geo.country_name": "Switzerland", - "source.geo.location.lat": 47.3388, - "source.geo.location.lon": 8.0264, - "source.geo.region_iso_code": "CH-AG", - "source.geo.region_name": "Aargau", - "source.ip": "85.0.0.1", - "source.nat.ip": "62.0.0.1", - "source.nat.port": "34534", - "source.port": 12312, - "source.user.domain": "domain.tld", - "source.user.name": "user@domain.tld", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-13T19:12:37.000-02:00", - "cisco.asa.destination_username": "LOCAL\\USER001", - "cisco.asa.icmp_code": 3, - "cisco.asa.icmp_type": 3, - "cisco.asa.mapped_source_ip": "81.0.0.1", - "cisco.asa.message_id": "302020", - "cisco.asa.source_username": "USER001", - "destination.address": "85.0.0.1", - "destination.as.number": 3303, - "destination.as.organization.name": "Bluewin", - "destination.geo.city_name": "Kolliken", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "CH", - "destination.geo.country_name": "Switzerland", - "destination.geo.location.lat": 47.3388, - "destination.geo.location.lon": 8.0264, - "destination.geo.region_iso_code": "CH-AG", - "destination.geo.region_name": "Aargau", - "destination.ip": "85.0.0.1", - "destination.user.name": "USER001", - "event.action": "flow-expiration", - "event.category": [ - "network" - ], - "event.code": 302020, - "event.dataset": "cisco.asa", - "event.kind": 
"event", - "event.module": "cisco", - "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\\USER001) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER001) type 3 code 3", - "event.severity": 5, - "event.timezone": "-02:00", - "event.type": [ - "connection", - "end" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "notification", - "log.offset": 11604, - "network.direction": "inbound", - "network.protocol": "icmp", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.ip": [ - "81.0.0.1", - "85.0.0.1" - ], - "related.user": [ - "USER001" - ], - "service.type": "cisco", - "source.address": "81.0.0.1", - "source.as.number": 15704, - "source.as.organization.name": "Xtra Telecom S.A.", - "source.geo.city_name": "Madrid", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.4143, - "source.geo.location.lon": -3.7016, - "source.geo.region_iso_code": "ES-M", - "source.geo.region_name": "Madrid", - "source.ip": "81.0.0.1", - "source.user.name": "USER001", - "tags": [ - "cisco-asa", - "forwarded" - ], - "user.name": "USER001" - }, - { - "@timestamp": "2021-01-13T19:12:37.000-02:00", - "cisco.asa.destination_username": "LOCAL\\user@domain.tld", - "cisco.asa.icmp_code": 3, - "cisco.asa.icmp_type": 3, - "cisco.asa.mapped_source_ip": "81.0.0.1", - "cisco.asa.message_id": "302020", - "cisco.asa.source_username": "user@domain.tld", - "destination.address": "85.0.0.1", - "destination.as.number": 3303, - "destination.as.organization.name": "Bluewin", - "destination.geo.city_name": "Kolliken", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "CH", - "destination.geo.country_name": "Switzerland", - "destination.geo.location.lat": 47.3388, - "destination.geo.location.lon": 8.0264, - "destination.geo.region_iso_code": "CH-AG", - 
"destination.geo.region_name": "Aargau", - "destination.ip": "85.0.0.1", - "destination.user.domain": "domain.tld", - "destination.user.name": "user@domain.tld", - "event.action": "flow-expiration", - "event.category": [ - "network" - ], - "event.code": 302020, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\\user@domain.tld) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (user@domain.tld) type 3 code 3", - "event.severity": 5, - "event.timezone": "-02:00", - "event.type": [ - "connection", - "end" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "notification", - "log.offset": 11765, - "network.direction": "inbound", - "network.protocol": "icmp", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "domain.tld" - ], - "related.ip": [ - "81.0.0.1", - "85.0.0.1" - ], - "related.user": [ - "user@domain.tld" - ], - "service.type": "cisco", - "source.address": "81.0.0.1", - "source.as.number": 15704, - "source.as.organization.name": "Xtra Telecom S.A.", - "source.geo.city_name": "Madrid", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.4143, - "source.geo.location.lon": -3.7016, - "source.geo.region_iso_code": "ES-M", - "source.geo.region_name": "Madrid", - "source.ip": "81.0.0.1", - "source.user.domain": "domain.tld", - "source.user.name": "user@domain.tld", - "tags": [ - "cisco-asa", - "forwarded" - ], - "user.name": "user@domain.tld" - }, - { - "@timestamp": "2021-01-13T19:12:37.000-02:00", - "cisco.asa.destination_username": "AD\\USER002", - "cisco.asa.icmp_code": 3, - "cisco.asa.icmp_type": 3, - "cisco.asa.mapped_source_ip": "81.0.0.1", - "cisco.asa.message_id": "302020", - "cisco.asa.source_username": "USER002", - "destination.address": 
"85.0.0.1", - "destination.as.number": 3303, - "destination.as.organization.name": "Bluewin", - "destination.geo.city_name": "Kolliken", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "CH", - "destination.geo.country_name": "Switzerland", - "destination.geo.location.lat": 47.3388, - "destination.geo.location.lon": 8.0264, - "destination.geo.region_iso_code": "CH-AG", - "destination.geo.region_name": "Aargau", - "destination.ip": "85.0.0.1", - "destination.user.domain": "AD", - "destination.user.name": "USER002", - "event.action": "flow-expiration", - "event.category": [ - "network" - ], - "event.code": 302020, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(AD\\USER002) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER002) type 3 code 3", - "event.severity": 5, - "event.timezone": "-02:00", - "event.type": [ - "connection", - "end" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "notification", - "log.offset": 11942, - "network.direction": "inbound", - "network.protocol": "icmp", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "AD" - ], - "related.ip": [ - "81.0.0.1", - "85.0.0.1" - ], - "related.user": [ - "USER002" - ], - "service.type": "cisco", - "source.address": "81.0.0.1", - "source.as.number": 15704, - "source.as.organization.name": "Xtra Telecom S.A.", - "source.geo.city_name": "Madrid", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.4143, - "source.geo.location.lon": -3.7016, - "source.geo.region_iso_code": "ES-M", - "source.geo.region_name": "Madrid", - "source.ip": "81.0.0.1", - "source.user.name": "USER002", - "tags": [ - "cisco-asa", - "forwarded" - ], - "user.name": "USER002" - }, - { - 
"@timestamp": "2021-01-15T19:12:37.000-02:00", - "cisco.asa.destination_interface": "OUTSIDE", - "cisco.asa.message_id": "305012", - "cisco.asa.source_interface": "OUTSIDE", - "cisco.asa.source_username": "LOCAL\\USER001", - "destination.address": "75.0.0.1", - "destination.as.number": 7018, - "destination.as.organization.name": "AT&T Services, Inc.", - "destination.geo.city_name": "Carson City", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.1507, - "destination.geo.location.lon": -119.7459, - "destination.geo.region_iso_code": "US-NV", - "destination.geo.region_name": "Nevada", - "destination.ip": "75.0.0.1", - "destination.port": 18449, - "event.action": "flow-expiration", - "event.category": [ - "network" - ], - "event.code": 305012, - "event.dataset": "cisco.asa", - "event.duration": 0, - "event.end": "2021-01-15T19:12:37.000-02:00", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:192.168.0.1/59677(LOCAL\\USER001) to OUTSIDE:75.0.0.1/18449 duration 0:00:00", - "event.severity": 6, - "event.start": "2021-01-15T21:12:37.000Z", - "event.timezone": "-02:00", - "event.type": [ - "connection", - "end" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 12100, - "network.community_id": "1:kOYfvYjW0lZrPxD+ArQ6vDYnS7g=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "OUTSIDE", - "observer.ingress.interface.name": "OUTSIDE", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.ip": [ - "192.168.0.1", - "75.0.0.1" - ], - "related.user": [ - "USER001" - ], - "service.type": "cisco", - "source.address": "192.168.0.1", - "source.ip": "192.168.0.1", - "source.port": 59677, - 
"source.user.name": "USER001", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T19:12:37.000-02:00", - "cisco.asa.icmp_code": 0, - "cisco.asa.icmp_type": 134, - "cisco.asa.mapped_source_ip": "fe80::2205:baff:fe9d:f637", - "cisco.asa.message_id": "302021", - "destination.address": "ff02::1", - "destination.ip": "ff02::1", - "event.action": "flow-expiration", - "event.category": [ - "network" - ], - "event.code": 302021, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::2205:baff:fe9d:f637/0 laddr fe80::2205:baff:fe9d:f637/0 type 134 code 0", - "event.severity": 6, - "event.timezone": "-02:00", - "event.type": [ - "connection", - "end" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 12259, - "network.community_id": "1:bHWN9qumWIGMl/MbjgS2bQi/Jsw=", - "network.iana_number": 1, - "network.transport": "icmp", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.ip": [ - "fe80::2205:baff:fe9d:f637", - "ff02::1" - ], - "service.type": "cisco", - "source.address": "fe80::2205:baff:fe9d:f637", - "source.ip": "fe80::2205:baff:fe9d:f637", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T19:12:37.000-02:00", - "cisco.asa.connection_id": "251933191", - "cisco.asa.destination_interface": "OUTSIDE", - "cisco.asa.mapped_destination_ip": "2a03:2880:f253:cb:face:b00c:0:43fe", - "cisco.asa.mapped_destination_port": 443, - "cisco.asa.mapped_source_ip": "fe00::fede:bbe1", - "cisco.asa.mapped_source_port": 62477, - "cisco.asa.message_id": "302013", - "cisco.asa.source_interface": "OUTSIDE", - "cisco.asa.termination_user": "soc@danskecommodities.com", - "destination.address": "2a03:2880:f253:cb:face:b00c:0:43fe", - "destination.as.number": 32934, - 
"destination.as.organization.name": "Facebook, Inc.", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "IE", - "destination.geo.country_name": "Ireland", - "destination.geo.location.lat": 53.0, - "destination.geo.location.lon": -8.0, - "destination.ip": "2a03:2880:f253:cb:face:b00c:0:43fe", - "destination.port": 443, - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 302013, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-302013: Built inbound TCP connection 251933191 for OUTSIDE:fe00::fede:bbe1/62477 (fe00::fede:bbe1/62477) to OUTSIDE:2a03:2880:f253:cb:face:b00c:0:43fe/443 (2a03:2880:f253:cb:face:b00c:0:43fe/443) (soc@danskecommodities.com)", - "event.severity": 6, - "event.timezone": "-02:00", - "event.type": [ - "info" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 12425, - "network.community_id": "1:lOTrEnVpsUc4jukAUBxF/BkD8jE=", - "network.direction": "inbound", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "OUTSIDE", - "observer.ingress.interface.name": "OUTSIDE", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.ip": [ - "2a03:2880:f253:cb:face:b00c:0:43fe", - "fe00::fede:bbe1" - ], - "service.type": "cisco", - "source.address": "fe00::fede:bbe1", - "source.ip": "fe00::fede:bbe1", - "source.port": 62477, - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T19:12:37.000-02:00", - "cisco.asa.destination_interface": "OUTSIDE", - "cisco.asa.message_id": "305012", - "cisco.asa.source_interface": "OUTSIDE", - "cisco.asa.source_username": "LOCAL\\domain\\USER001", - "destination.address": "181.0.0.1", - "destination.as.number": 7303, - "destination.as.organization.name": "Telecom Argentina S.A.", - 
"destination.geo.continent_name": "South America", - "destination.geo.country_iso_code": "AR", - "destination.geo.country_name": "Argentina", - "destination.geo.location.lat": -34.6033, - "destination.geo.location.lon": -58.3817, - "destination.ip": "181.0.0.1", - "destination.port": 50120, - "event.action": "flow-expiration", - "event.category": [ - "network" - ], - "event.code": 305012, - "event.dataset": "cisco.asa", - "event.duration": 125000000000, - "event.end": "2021-01-15T19:12:37.000-02:00", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:81.0.0.1/50120(LOCAL\\domain\\USER001) to OUTSIDE:181.0.0.1/50120 duration 0:02:05", - "event.severity": 6, - "event.start": "2021-01-15T21:10:32.000Z", - "event.timezone": "-02:00", - "event.type": [ - "connection", - "end" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 12678, - "network.community_id": "1:R7zADbxzUGXOH0O/Hzma4ba6iHU=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "OUTSIDE", - "observer.ingress.interface.name": "OUTSIDE", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "domain" - ], - "related.ip": [ - "181.0.0.1", - "81.0.0.1" - ], - "related.user": [ - "USER001" - ], - "service.type": "cisco", - "source.address": "81.0.0.1", - "source.as.number": 15704, - "source.as.organization.name": "Xtra Telecom S.A.", - "source.geo.city_name": "Madrid", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.4143, - "source.geo.location.lon": -3.7016, - "source.geo.region_iso_code": "ES-M", - "source.geo.region_name": "Madrid", - "source.ip": "81.0.0.1", - "source.port": 50120, - "source.user.domain": "domain", - "source.user.name": 
"USER001", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T19:12:37.000-02:00", - "cisco.asa.connection_id": "261246338", - "cisco.asa.destination_interface": "OUTSIDE", - "cisco.asa.message_id": "302014", - "cisco.asa.source_interface": "OUTSIDE", - "cisco.asa.source_username": "LOCAL\\domain\\USER001", - "cisco.asa.termination_initiator": "OUTSIDE", - "cisco.asa.termination_user": "domain\\USER001", - "destination.address": "40.0.0.1", - "destination.as.number": 4249, - "destination.as.organization.name": "Eli Lilly and Company", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "40.0.0.1", - "destination.port": 443, - "event.action": "flow-expiration", - "event.category": [ - "network" - ], - "event.code": 302014, - "event.dataset": "cisco.asa", - "event.duration": 125000000000, - "event.end": "2021-01-15T19:12:37.000-02:00", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:81.0.0.1/50120(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\\USER001)", - "event.reason": "TCP FINs", - "event.severity": 6, - "event.start": "2021-01-15T21:10:32.000Z", - "event.timezone": "-02:00", - "event.type": [ - "connection", - "end" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 12842, - "network.bytes": 9610, - "network.community_id": "1:Wki7xXtyiCACPfXpHuQV+NLf33o=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "OUTSIDE", - "observer.ingress.interface.name": "OUTSIDE", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - 
"related.hosts": [ - "domain" - ], - "related.ip": [ - "40.0.0.1", - "81.0.0.1" - ], - "related.user": [ - "USER001" - ], - "service.type": "cisco", - "source.address": "81.0.0.1", - "source.as.number": 15704, - "source.as.organization.name": "Xtra Telecom S.A.", - "source.geo.city_name": "Madrid", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.4143, - "source.geo.location.lon": -3.7016, - "source.geo.region_iso_code": "ES-M", - "source.geo.region_name": "Madrid", - "source.ip": "81.0.0.1", - "source.port": 50120, - "source.user.domain": "domain", - "source.user.name": "USER001", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T19:12:37.000-02:00", - "cisco.asa.connection_id": "261311655", - "cisco.asa.destination_interface": "INSIDE", - "cisco.asa.mapped_destination_ip": "192.168.0.1", - "cisco.asa.mapped_destination_port": 53, - "cisco.asa.mapped_source_ip": "82.0.0.1", - "cisco.asa.mapped_source_port": 63790, - "cisco.asa.message_id": "302015", - "cisco.asa.source_interface": "OUTSIDE", - "cisco.asa.source_username": "LOCAL\\domain\\USER001", - "cisco.asa.termination_user": "domain\\USER001", - "destination.address": "192.168.0.1", - "destination.ip": "192.168.0.1", - "destination.port": 53, - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 302015, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:81.0.0.1/63790 (82.0.0.1/63790)(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\\USER001)", - "event.severity": 6, - "event.timezone": "-02:00", - "event.type": [ - "info" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 13053, - "network.community_id": 
"1:BIxqdLncXeXXZrNudh3yrj2zmZc=", - "network.direction": "inbound", - "network.iana_number": 17, - "network.transport": "udp", - "observer.egress.interface.name": "INSIDE", - "observer.ingress.interface.name": "OUTSIDE", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "domain" - ], - "related.ip": [ - "192.168.0.1", - "81.0.0.1", - "82.0.0.1" - ], - "related.user": [ - "USER001" - ], - "service.type": "cisco", - "source.address": "81.0.0.1", - "source.as.number": 15704, - "source.as.organization.name": "Xtra Telecom S.A.", - "source.geo.city_name": "Madrid", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.4143, - "source.geo.location.lon": -3.7016, - "source.geo.region_iso_code": "ES-M", - "source.geo.region_name": "Madrid", - "source.ip": "81.0.0.1", - "source.nat.ip": "82.0.0.1", - "source.port": 63790, - "source.user.domain": "domain", - "source.user.name": "USER001", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T19:12:37.000-02:00", - "cisco.asa.connection_id": "261311655", - "cisco.asa.destination_interface": "INSIDE", - "cisco.asa.message_id": "302016", - "cisco.asa.source_interface": "OUTSIDE", - "cisco.asa.source_username": "LOCAL\\domain\\USER001", - "cisco.asa.termination_user": "domain\\USER001", - "destination.address": "192.168.0.1", - "destination.ip": "192.168.0.1", - "destination.port": 53, - "event.action": "flow-expiration", - "event.category": [ - "network" - ], - "event.code": 302016, - "event.dataset": "cisco.asa", - "event.duration": 0, - "event.end": "2021-01-15T19:12:37.000-02:00", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:81.0.0.1/63790(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\\USER001)", - "event.severity": 
6, - "event.start": "2021-01-15T21:12:37.000Z", - "event.timezone": "-02:00", - "event.type": [ - "connection", - "end" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 13254, - "network.bytes": 139, - "network.community_id": "1:BIxqdLncXeXXZrNudh3yrj2zmZc=", - "network.iana_number": 17, - "network.transport": "udp", - "observer.egress.interface.name": "INSIDE", - "observer.ingress.interface.name": "OUTSIDE", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "domain" - ], - "related.ip": [ - "192.168.0.1", - "81.0.0.1" - ], - "related.user": [ - "USER001" - ], - "service.type": "cisco", - "source.address": "81.0.0.1", - "source.as.number": 15704, - "source.as.organization.name": "Xtra Telecom S.A.", - "source.geo.city_name": "Madrid", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.4143, - "source.geo.location.lon": -3.7016, - "source.geo.region_iso_code": "ES-M", - "source.geo.region_name": "Madrid", - "source.ip": "81.0.0.1", - "source.port": 63790, - "source.user.domain": "domain", - "source.user.name": "USER001", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T19:12:37.000-02:00", - "cisco.asa.connection_id": "261246338", - "cisco.asa.destination_interface": "OUTSIDE", - "cisco.asa.mapped_destination_ip": "40.0.0.1", - "cisco.asa.mapped_destination_port": 443, - "cisco.asa.mapped_source_ip": "82.0.0.1", - "cisco.asa.mapped_source_port": 50120, - "cisco.asa.message_id": "302013", - "cisco.asa.source_interface": "OUTSIDE", - "cisco.asa.source_username": "LOCAL\\domain\\USER001", - "cisco.asa.termination_user": "domain\\USER001", - "destination.address": "40.0.0.1", - "destination.as.number": 4249, - "destination.as.organization.name": "Eli Lilly and Company", - 
"destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "40.0.0.1", - "destination.port": 443, - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 302013, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:81.0.0.1/50120 (82.0.0.1/50120)(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\\USER001)", - "event.severity": 6, - "event.timezone": "-02:00", - "event.type": [ - "info" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 13443, - "network.community_id": "1:Wki7xXtyiCACPfXpHuQV+NLf33o=", - "network.direction": "inbound", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "OUTSIDE", - "observer.ingress.interface.name": "OUTSIDE", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.hosts": [ - "domain" - ], - "related.ip": [ - "40.0.0.1", - "81.0.0.1", - "82.0.0.1" - ], - "related.user": [ - "USER001" - ], - "service.type": "cisco", - "source.address": "81.0.0.1", - "source.as.number": 15704, - "source.as.organization.name": "Xtra Telecom S.A.", - "source.geo.city_name": "Madrid", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.4143, - "source.geo.location.lon": -3.7016, - "source.geo.region_iso_code": "ES-M", - "source.geo.region_name": "Madrid", - "source.ip": "81.0.0.1", - "source.nat.ip": "82.0.0.1", - "source.port": 50120, - "source.user.domain": "domain", - "source.user.name": "USER001", - "tags": [ - "cisco-asa", - 
"forwarded" - ] - }, - { - "@timestamp": "2021-07-29T08:35:29.000-02:00", - "cisco.asa.message_id": "602304", - "cisco.asa.tunnel_type": "LAN-to-LAN", - "destination.address": "12.12.12.12", - "destination.as.number": 32328, - "destination.as.organization.name": "Alascom, Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "12.12.12.12", - "event.action": "deleted", - "event.category": [ - "network" - ], - "event.code": 602304, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 12.12.12.12 and 12.12.12.12 (user= 12.12.12.12) has been deleted.", - "event.outcome": "success", - "event.severity": 6, - "event.timezone": "-02:00", - "event.type": [ - "allowed", - "deletion", - "info", - "user" - ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 13641, - "network.direction": "outbound", - "network.type": "ipsec", - "observer.product": "asa", - "observer.type": "firewall", - "observer.vendor": "Cisco", - "related.ip": [ - "12.12.12.12" - ], - "related.user": [ - "12.12.12.12" - ], - "service.type": "cisco", - "source.address": "12.12.12.12", - "source.as.number": 32328, - "source.as.organization.name": "Alascom, Inc.", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "12.12.12.12", "tags": [ "cisco-asa", "forwarded" ], - "user.name": "12.12.12.12" + "user.name": "username" } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go
index a1e5fe24bef..b7ffbc2b460 100644
--- a/x-pack/filebeat/module/cisco/fields.go
+++ b/x-pack/filebeat/module/cisco/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetCisco returns asset data.
 // This is the base64 encoded zlib format compressed contents of module/cisco.
 func AssetCisco() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
index 5e9678f9adb..88f1d922df1 100644
--- a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
+++ b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
@@ -126,9 +126,3 @@
 default_field: false
 description: >
 The WebVPN group name the user belongs to
-
- - name: termination_initiator
- type: keyword
- default_field: false
- description: >
- Interface name of the side that initiated the teardown
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
index 5b4432fe41b..9f144579c5e 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
@@ -5,7 +5,7 @@
 "cisco.ftd.destination_interface": "Inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "Outside",
- "cisco.ftd.source_username": "LOCAL\\Elastic",
+ "cisco.ftd.source_username": "(LOCAL\\Elastic)",
 "cisco.ftd.termination_user": "zzzzzz",
 "destination.address": "10.233.123.123",
 "destination.ip": "10.233.123.123",
@@ -34,7 +34,6 @@
 "log.level": "informational",
 "log.offset": 0,
 "network.bytes": 148,
- "network.community_id": "1:9aBQ+NznvYals1agEGRVJm37dvQ=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "Inside",
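Review bot: The new expected value on the `cisco.ftd.source_username` line, `"(LOCAL\\Elastic)"`, keeps the parentheses that delimit the username in the raw message, so the fixture now pins an unparsed token rather than a username, and the `@@ -170,7 +163,7 @@`, `@@ -50,14 +49,10 @@` and `@@ -210,14 +202,10 @@` hunks of the same file record the matching loss of `source.user.name` and `related.user` for those events. Queries or rules that pivot on `related.user` across ECS sources would stop matching these FTD documents. This reads like the expected files were regenerated against a pipeline that predates the username parsing rather than an intended change; if so, regenerate them against the current pipeline, and if the change is intended the field-contract change should be called out in the changelog.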
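Review bot: `network.community_id` is dropped from the expected document on the fourth line of the `@@ -34,7 +34,6 @@` hunk, and the same deletion repeats in every later hunk of this file and throughout asa.log-expected.json, including the four 305012 hunks. The community ID is the flow key that lets these firewall events be joined with flow and IDS records carrying the same hash, so if the pipeline really stopped emitting it this is a correlation regression rather than a cosmetic fixture change. The 5-tuple it is derived from (`source.ip`, `destination.ip`, the ports and `network.iana_number`) is still present in the surrounding context lines, so the processor can presumably still compute it; either regenerate the fixtures against the current pipeline or document why the field was removed.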
@@ -50,14 +49,10 @@
 "10.123.123.123",
 "10.233.123.123"
 ],
- "related.user": [
- "Elastic"
- ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "source.port": 53723,
- "source.user.name": "Elastic",
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -92,7 +87,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 200,
- "network.community_id": "1:kV/6Jt4iMhVyUT1AW+UO0itOhqU=",
 "network.iana_number": 1,
 "network.transport": "icmp",
 "observer.egress.interface.name": "Outside",
@@ -144,7 +138,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 381,
- "network.community_id": "1:7nrIUULEgk5A+nhbh4kNmEkwL3o=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
@@ -170,7 +163,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "Inside_access_in",
 "cisco.ftd.source_interface": "Inside",
- "cisco.ftd.source_username": "LOCAL\\Elastic",
+ "cisco.ftd.source_username": "(LOCAL\\Elastic)",
 "destination.address": "10.123.123.123",
 "destination.ip": "10.123.123.123",
 "destination.port": 57621,
@@ -195,7 +188,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 545,
- "network.community_id": "1:LM0R4Wi8tEf+1pe2ukofXQKxfMc=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "Outside",
@@ -210,14 +202,10 @@
 "related.ip": [
 "10.123.123.123"
 ],
- "related.user": [
- "Elastic"
- ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "source.port": 57621,
- "source.user.name": "Elastic",
 "tags": [
 "cisco-ftd",
 "forwarded"
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
index 4aa3fad3d8b..21e4da22dbc 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
@@ -26,7 +26,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, - "network.community_id": "1:ygCOhTlTMVGn+PXlTgyzRveBJ9g=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -85,7 +84,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 150, - "network.community_id": "1:aH+Rcp4nenimMGZQ733uys/x0js=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -147,7 +145,6 @@ "log.level": "informational", "log.offset": 345, "network.bytes": 38110, - "network.community_id": "1:nawleoAMDhKg7pshv6H5enEaKV8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -208,7 +205,6 @@ "log.level": "informational", "log.offset": 535, "network.bytes": 44010, - "network.community_id": "1:XqwLVHNEt7Z1fB2ZZXj1piBH4PM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -269,7 +265,6 @@ "log.level": "informational", "log.offset": 725, "network.bytes": 7652, - "network.community_id": "1:Q18EvtK0EmoGK6hViBJu2B9syjc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -330,7 +325,6 @@ "log.level": "informational", "log.offset": 913, "network.bytes": 7062, - "network.community_id": "1:k3K4xSa45aJwCWLM9eIJsqCydLQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -391,7 +385,6 @@ "log.level": "informational", "log.offset": 1101, "network.bytes": 5738, - "network.community_id": "1:Qq/qwMDt7lmCdvQnPYJ86wHp5mY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -452,7 +445,6 @@ "log.level": "informational", "log.offset": 1290, "network.bytes": 4176, - "network.community_id": "1:ezm9yQGN1cdh1QEJ2nw19295QfU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -513,7 +505,6 @@ "log.level": "informational", "log.offset": 1478, "network.bytes": 1715, - "network.community_id": "1:dV1ILqqOHNIkUwdYUt2iodkCTIg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -574,7 +565,6 @@ "log.level": "informational", "log.offset": 1666, "network.bytes": 45595, - "network.community_id": "1:M9jSkRNBaw+CV8aYYGLeh+1c4LQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -635,7 +625,6 @@ "log.level": "informational", "log.offset": 1853, "network.bytes": 27359, - "network.community_id": "1:kcIahkhuYMj1cJNDgmYdpgb8b5o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -696,7 +685,6 @@ "log.level": "informational", "log.offset": 2043, "network.bytes": 4457, - "network.community_id": "1:Oll9UOQVtF14Vb1gAqDgbQ8GVN0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -757,7 +745,6 @@ "log.level": "informational", "log.offset": 2231, "network.bytes": 26709, - "network.community_id": "1:SRok/PbYRZCXwEJ9MQDvhiR0OZc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -818,7 +805,6 @@ "log.level": "informational", "log.offset": 2420, "network.bytes": 22097, - "network.community_id": "1:agnIkBJhbPXkAM0Ai6Q8vvm22FM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -879,7 +865,6 @@ "log.level": "informational", "log.offset": 2609, "network.bytes": 2209, - "network.community_id": "1:dyOBaLTo8f2aK6FSqmPQ8iEKQCM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -940,7 +925,6 @@ "log.level": "informational", "log.offset": 2798, "network.bytes": 10404, - "network.community_id": "1:JG3x+PLXI8vDNUP0xc2b7cGmtO8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1001,7 +985,6 @@ "log.level": "informational", "log.offset": 2987, "network.bytes": 123694, - "network.community_id": "1:aVhOiCMAQUL3DYMg+b1hd6++Tsw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1062,7 +1045,6 @@ "log.level": "informational", "log.offset": 3177, "network.bytes": 35835, - "network.community_id": "1:yvanaru1i/rrH9fF3MeSmHfJVH0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1123,7 +1105,6 @@ "log.level": "informational", "log.offset": 3367, "network.bytes": 0, - "network.community_id": "1:h36yIuCF0zHqn+9q0Z5lLEIz2FE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1177,7 +1158,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 3552, - "network.community_id": "1:tCQw5Th130a6dZONq7h6PjILJZY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -1236,7 +1216,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 3703, - "network.community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1297,7 +1276,6 @@ "log.level": "informational", "log.offset": 3896, "network.bytes": 148, - "network.community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1356,7 +1334,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 4071, - "network.community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", 
@@ -1417,7 +1394,6 @@ "log.level": "informational", "log.offset": 4264, "network.bytes": 164, - "network.community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1471,7 +1447,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 4439, - "network.community_id": "1:IqCv9QrYpJkgySoRM91LE2Ao1Ug=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1530,7 +1505,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 4589, - "network.community_id": "1:sxPO5rXtxG30Oh+QP2ncQZ0N1U8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1585,7 +1559,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 4784, - "network.community_id": "1:MZcBg2aQ/SdpVmPXf2Ze+Ng4g9Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1644,7 +1617,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 4934, - "network.community_id": "1:G5HU7oEz3i/eGfSUoq5HuDVo7u4=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1704,7 +1676,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 5129, - "network.community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1764,7 +1735,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 5326, - "network.community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1825,7 +1795,6 @@ "log.level": "informational", "log.offset": 5519, "network.bytes": 111, - "network.community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", 
@@ -1885,7 +1854,6 @@ "log.level": "informational", "log.offset": 5696, "network.bytes": 237, - "network.community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1939,7 +1907,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 5871, - "network.community_id": "1:/KJCwT2FUqlgb+8c7f4b8fvqWFE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1998,7 +1965,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 6021, - "network.community_id": "1:gFO9U+lgj3sty9R349zScds2rBg=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2053,7 +2019,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 6218, - "network.community_id": "1:kpfWE+K4tPLbC1LWM9M8v5zQqyk=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2112,7 +2077,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 6369, - "network.community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2172,7 +2136,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 6566, - "network.community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2233,7 +2196,6 @@ "log.level": "informational", "log.offset": 6759, "network.bytes": 87, - "network.community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2293,7 +2255,6 @@ "log.level": "informational", "log.offset": 6935, "network.bytes": 221, - "network.community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", 
@@ -2347,7 +2308,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 7110, - "network.community_id": "1:J8j4D9Hm6tPmF+enIkcOgaYzEg4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2406,7 +2366,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 7260, - "network.community_id": "1:2VKYvyM6qODR0XAXnVUFrYSP/IU=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2466,7 +2425,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 7455, - "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2526,7 +2484,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 7652, - "network.community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2587,7 +2544,6 @@ "log.level": "informational", "log.offset": 7849, "network.bytes": 101, - "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2647,7 +2603,6 @@ "log.level": "informational", "log.offset": 8026, "network.bytes": 126, - "network.community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2701,7 +2656,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 8203, - "network.community_id": "1:TO0ui5exOUfDCukU8mR9bJIjkLY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2760,7 +2714,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 8353, - "network.community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -2822,7 +2775,6 @@ "log.level": "informational", "log.offset": 8548, "network.bytes": 862, - "network.community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -2881,7 +2833,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 8733, - "network.community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2942,7 +2893,6 @@ "log.level": "informational", "log.offset": 8930, "network.bytes": 104, - "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3002,7 +2952,6 @@ "log.level": "informational", "log.offset": 9107, "network.bytes": 176, - "network.community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3056,7 +3005,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 9284, - "network.community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3115,7 +3063,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 9434, - "network.community_id": "1:2YT6PqWSIyoyRYVbl2cIXiGcMsw=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3170,7 +3117,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 9625, - "network.community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3229,7 +3175,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 9775, - "network.community_id": "1:XheyUG03AcgRSOyMnpafZQNi3wY=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -3284,7 +3229,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 9966, - "network.community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3343,7 +3287,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 10116, - "network.community_id": "1:cKgOVwHWv3CzYQlpMkVbynKHE30=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3403,7 +3346,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 10307, - "network.community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -3464,7 +3406,6 @@ "log.level": "informational", "log.offset": 10500, "network.bytes": 104, - "network.community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3518,7 +3459,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 10675, - "network.community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3577,7 +3517,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 10825, - "network.community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3632,7 +3571,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 11018, - "network.community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3691,7 +3629,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 11168, - "network.community_id": "1:wH3OQfGQv6qlex3KDY6fleRZ3W4=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -3751,7 +3688,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 11361, - "network.community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -3813,7 +3749,6 @@ "log.level": "informational", "log.offset": 11554, "network.bytes": 593, - "network.community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3867,7 +3802,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 11738, - "network.community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3926,7 +3860,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 11888, - "network.community_id": "1:9aaIbdVfxtctEtHtisDVEKYc8wI=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3987,7 +3920,6 @@ "log.level": "informational", "log.offset": 12081, "network.bytes": 375, - "network.community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -4041,7 +3973,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 12256, - "network.community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4100,7 +4031,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 12406, - "network.community_id": "1:CUxMKGQ8Da35o4Z5ZJ3cqjyBcjE=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", 
@@ -4130,41 +4060,27 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
- "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305012",
- "cisco.ftd.source_interface": "inside",
- "destination.address": "100.66.98.44",
- "destination.ip": "100.66.98.44",
- "destination.port": 8267,
- "event.action": "flow-expiration",
+ "event.action": "firewall-rule",
 "event.category": [
 "network"
 ],
 "event.code": 305012,
 "event.dataset": "cisco.ftd",
- "event.duration": 30000000000,
- "event.end": "2018-10-10T12:34:56.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30",
 "event.severity": 6,
- "event.start": "2018-10-10T14:34:26.000Z",
 "event.timezone": "-02:00",
 "event.type": [
- "connection",
- "end"
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 12599,
- "network.community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=",
- "network.iana_number": 6,
- "network.transport": "tcp",
- "observer.egress.interface.name": "outside",
 "observer.hostname": "localhost",
- "observer.ingress.interface.name": "inside",
 "observer.product": "ftd",
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
@@ -4173,14 +4089,7 @@
 "related.hosts": [
 "localhost"
 ],
- "related.ip": [
- "100.66.98.44",
- "172.31.98.44"
- ],
 "service.type": "cisco",
- "source.address": "172.31.98.44",
- "source.ip": "172.31.98.44",
- "source.port": 1454,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -4213,7 +4122,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 12769,
- "network.community_id": "1:24J8khLuXWoetlU/J6WYj+4RnIU=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
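Review bot: In the `@@ -4130,41 +4060,27 @@` hunk the 305012 "Teardown dynamic TCP translation" document changes `event.action` from `flow-expiration` to `firewall-rule` and `event.type` from `connection`/`end` to `info`, while `source.ip`, `destination.ip`, the ports, `related.ip`, `event.duration`, `event.start`/`event.end` and the ingress/egress interface fields are removed; the same change repeats in the three 305012 hunks that follow (`@@ -4302,41 +4209,27 @@`, `@@ -4360,41 +4246,27 @@`, `@@ -4418,41 +4283,27 @@`). The surviving `event.original` line still carries the inside/outside addresses, ports and duration, so the information is available but no longer normalised, and detections keyed on `event.type: end` or on `source.ip` for NAT teardowns would miss these events. A teardown is also a poor fit for the `firewall-rule` action, so if the new mapping is intentional it should be documented with the reasoning; if it is a stale fixture, the expected file should be regenerated against the current pipeline.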
@@ -4272,7 +4180,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 12920, - "network.community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4302,41 +4209,27 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "cisco.ftd.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8268, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13115, - "network.community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4345,14 +4238,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1455, "tags": [ "cisco-ftd", "forwarded" 
@@ -4360,41 +4246,27 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "cisco.ftd.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8269, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13285, - "network.community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4403,14 +4275,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1456, "tags": [ "cisco-ftd", "forwarded" 
@@ -4418,41 +4283,27 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "cisco.ftd.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8270, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13455, - "network.community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4461,14 +4312,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1457, "tags": [ "cisco-ftd", "forwarded" 
@@ -4476,41 +4320,27 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "cisco.ftd.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8271, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13625, - "network.community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4519,14 +4349,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1458, "tags": [ "cisco-ftd", "forwarded" 
@@ -4534,41 +4357,27 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "cisco.ftd.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8272, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13795, - "network.community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4577,14 +4386,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1459, "tags": [ "cisco-ftd", "forwarded" 
@@ -4592,41 +4394,27 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", - "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "cisco.ftd.source_interface": "inside", - "destination.address": "100.66.98.44", - "destination.ip": "100.66.98.44", - "destination.port": 8273, - "event.action": "flow-expiration", + "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", - "event.duration": 30000000000, - "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", "event.severity": 6, - "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "connection", - "end" + "info" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13965, - "network.community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", - "network.iana_number": 6, - "network.transport": "tcp", - "observer.egress.interface.name": "outside", "observer.hostname": "localhost", - "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4635,14 +4423,7 @@ "related.hosts": [ "localhost" ], - "related.ip": [ - "100.66.98.44", - "172.31.98.44" - ], "service.type": "cisco", - "source.address": "172.31.98.44", - "source.ip": "172.31.98.44", - "source.port": 1460, "tags": [ "cisco-ftd", "forwarded" @@ -4682,7 +4463,6 @@ "log.level": "informational", "log.offset": 14135, "network.bytes": 575, - "network.community_id": "1:pux42VCSy7BX42P3cpyd4c/X1M8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -4743,7 +4523,6 @@ "log.level": "informational", "log.offset": 14320, "network.bytes": 5391, - "network.community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4797,7 +4576,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 14509, - "network.community_id": "1:mWEQuMzgDppOFGfUpnRU2SOVLC4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4856,7 +4634,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 14660, - "network.community_id": "1:WPQ7PgW0xK/OsH/dwOA4osO4W+M=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4914,7 +4691,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 14855, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4971,7 +4747,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 15020, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5028,7 +4803,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 15185, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5085,7 +4859,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 15350, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5142,7 +4915,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 15515, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -5199,7 +4971,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 15680, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5256,7 +5027,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 15845, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5313,7 +5083,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 16010, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5370,7 +5139,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 16175, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5427,7 +5195,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 16340, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5484,7 +5251,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 16505, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5541,7 +5307,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 16670, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5598,7 +5363,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 16835, - "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -5652,7 +5416,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 17000, - "network.community_id": "1:ZuhnndzENnR8d8NKvStxJffM+XM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -5711,7 +5474,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 17150, - "network.community_id": "1:7t0ua2FV3S8YYwDwaXzw5Tm8M80=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -5766,7 +5528,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 17343, - "network.community_id": "1:ZhyIop0bR8c1qT9K7cSplqrW0ew=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -5825,7 +5586,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 17494, - "network.community_id": "1:vvawE2mM1hKl2WU/GmHBmMoI3G8=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index 900923811c3..ab324760e70 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -74,7 +74,6 @@ "log.level": "alert", "log.offset": 0, "network.application": "dns client", - "network.community_id": "1:yuD3M7UhwRSNitDpAnWcqzEC85c=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -186,7 +185,6 @@ "log.level": "alert", "log.offset": 658, "network.application": "dns client", - "network.community_id": "1:eDcIGG/W1UcwGWzaTgv5mgr2RDw=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -296,7 +294,6 @@ "log.level": "alert", "log.offset": 1371, "network.application": "dns client", - "network.community_id": "1:nTPeg7DUgB3rjeFwl+cm5VHEdXQ=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -408,7 +405,6 @@ "log.level": "alert", "log.offset": 2047, "network.application": "dns client", - "network.community_id": "1:F3IHQYMd3DO1p+rWBITDU1/XCgA=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -519,7 +515,6 @@ "log.level": "alert", "log.offset": 2766, "network.application": "dns client", - "network.community_id": "1:1SqTqSDG5492OiLhDUMOi+wnDYs=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -629,7 +624,6 @@ "log.level": "alert", "log.offset": 3449, "network.application": "dns client", - "network.community_id": "1:eXdHUOdHk5dGXusvMEGcWj9ywPM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -742,7 +736,6 @@ "log.level": "alert", "log.offset": 4125, "network.application": "dns client", - "network.community_id": "1:rjxS8IH4jqdHiflcG+1txqEFP1M=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -852,7 +845,6 @@ "log.level": "alert", "log.offset": 4878, "network.application": "dns client", - "network.community_id": "1:R1FcZHFFvO0mHFfeVXH/CwTGCmU=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -963,7 +955,6 @@ "log.level": "alert", "log.offset": 5553, "network.application": "dns client", - "network.community_id": "1:0YJqKZXX7VN9W1Gx6txd8TFELHM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1075,7 +1066,6 @@ "log.level": "alert", "log.offset": 6269, "network.application": "dns client", - "network.community_id": "1:jVTdIEwjG0Eb77jGrcDygrNq9jg=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -1188,7 +1178,6 @@ "log.level": "alert", "log.offset": 6983, "network.application": "dns client", - "network.community_id": "1:ZllIE5YNb+12oKtX/tP/gysnSuE=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1294,7 +1283,6 @@ "log.level": "alert", "log.offset": 7672, "network.application": "dns client", - "network.community_id": "1:oGBN4YWsAncmtqDJ1onnQNRAEnw=", "network.iana_number": 6, "network.protocol": "dns", "network.transport": "tcp", @@ -1405,7 +1393,6 @@ "log.level": "alert", "log.offset": 8298, "network.application": "dns client", - "network.community_id": "1:+1CCqUYePM8bXFUXWVeSSjL3g58=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1515,7 +1502,6 @@ "log.level": "alert", "log.offset": 9010, "network.application": "dns client", - "network.community_id": "1:f5P/ntfU9KchCtCfWHT0mYDOHOw=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1626,7 +1612,6 @@ "log.level": "alert", "log.offset": 9683, "network.application": "dns client", - "network.community_id": "1:wrAm7MmrJHlBQ+ikcQmSwf2JnJM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1738,7 +1723,6 @@ "log.level": "alert", "log.offset": 10403, "network.application": "dns client", - "network.community_id": "1:rjxS8IH4jqdHiflcG+1txqEFP1M=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1848,7 +1832,6 @@ "log.level": "alert", "log.offset": 11118, "network.application": "dns client", - "network.community_id": "1:0YJqKZXX7VN9W1Gx6txd8TFELHM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1958,7 +1941,6 @@ "log.level": "alert", "log.offset": 11801, "network.application": "dns client", - "network.community_id": "1:nTPeg7DUgB3rjeFwl+cm5VHEdXQ=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -2068,7 +2050,6 @@ "log.level": "alert", "log.offset": 12477, "network.application": "dns client", - "network.community_id": "1:R1FcZHFFvO0mHFfeVXH/CwTGCmU=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -2176,7 +2157,6 @@ "log.level": "alert", "log.offset": 13152, "network.application": "dns client", - "network.community_id": "1:k5kQaEfpetJ7SxFkG7Ytzzz5ik0=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -2288,7 +2268,6 @@ "log.level": "alert", "log.offset": 13795, "network.application": "dns client", - "network.community_id": "1:jVTdIEwjG0Eb77jGrcDygrNq9jg=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index 709c0b6a9a2..8dcb7692215 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -53,7 +53,6 @@ "log.offset": 0, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", "network.application": "firefox", - "network.community_id": "1:aVBZLbVEijzexcqIhp/89fLm6Fw=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -141,7 +140,6 @@ "log.offset": 587, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", "network.application": "firefox", - "network.community_id": "1:T2FxxCvrJYccm7bcw2QZ9tWONIo=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -226,7 +224,6 @@ "log.level": "unknown", "log.offset": 1174, "message": "APP-DETECT failed FTP login attempt", - "network.community_id": "1:4Ze3PKactlddzol+s7PbEeCTTlk=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", 
@@ -310,7 +307,6 @@ "log.level": "unknown", "log.offset": 1662, "message": "APP-DETECT failed FTP login attempt", - "network.community_id": "1:yyUSZl65LfpqAPKtrjT9QRDUlfs=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index eb1a32afe4c..a1f9c037515 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -77,7 +77,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 201, - "network.community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "localhost", @@ -136,7 +135,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 360, - "network.community_id": "1:d9RGgqBro5rzu16MqJQFehDRaKY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "wan", diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 4d979868847..454f0f3141e 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -28,7 +28,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 0, - "network.community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -78,7 +77,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 139, - "network.community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -129,7 +127,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 294, - "network.community_id": "1:/AVpSqNe7QhujyFPgKMbMS9Ct44=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -180,7 +177,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 465, - "network.community_id": "1:462QRxMFThXYxhSyvR50cIDJegg=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -235,7 +231,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 632, - "network.community_id": "1:c8hH08+kxqP8+dYZZFCsPYYf0oo=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -286,7 +281,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 812, - "network.community_id": "1:oGT+RQ2PYVsSEX/LuKvEW6O6Jiw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -339,7 +333,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 938, - "network.community_id": "1:4NJbCZhuyrAJcj7S647C7IIhAM8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -387,7 +380,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 1106, - "network.community_id": "1:ay9S7HyVcpV47ArwMPDsxLg6wBU=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -440,7 +432,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 1233, - "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -490,7 +481,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 1401, - "network.community_id": "1:fZibb4nXPyoJv3pk+hIlafmMMMY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -544,7 +534,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 1527, - "network.community_id": "1:KAOD4KM9MUK44UkzQPDM20+aGPI=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -599,7 +588,6 @@ "log.level": "informational", "log.offset": 1692, "network.bytes": 140, - "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -631,7 +619,6 @@ "destination.address": "10.123.1.35", "destination.ip": "10.123.1.35", "destination.port": 52925, - "destination.user.name": "user2", "event.action": "flow-expiration", "event.category": [ "network" @@ -655,7 +642,6 @@ "log.level": "informational", "log.offset": 1844, "network.bytes": 9999999, - "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -667,20 +653,14 @@ "10.123.1.35", "192.0.2.222" ], - "related.user": [ - "user1", - "user2" - ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", "source.port": 53, - "source.user.name": "user1", "tags": [ "cisco-ftd", "forwarded" - ], - "user.name": "user2" + ] }, { "@timestamp": "2011-06-04T21:59:52.000-02:00", @@ -708,7 +688,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 2008, - "network.community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "FJSG2NRFW01", @@ -756,7 +735,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 2163, - "network.community_id": "1:EsAlPGwbpvnOIWG+1RbOLtWOWaI=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -810,7 +788,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 2289, - "network.community_id": "1:m/dSB7tetihSecuyjm6x4Rl/8I8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -859,7 +836,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 2454, - "network.community_id": "1:cjsjwTI1K/FNwJ9mwZX971rPjfo=", "network.direction": "inbound", "network.iana_number": 17, "network.protocol": "dns", @@ -909,7 +885,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 2563, - "network.community_id": "1:Zboag8BrI6OW/Oo2vWMZ2CJe4tM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -959,7 +934,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 2722, - "network.community_id": "1:Ne/QE55iCFiCg5J75DhSp3KZzQI=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1009,7 +983,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 2883, - "network.community_id": "1:nVqNkC3HBTw1Le7RJD28aYfCDTg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1059,7 +1032,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 3044, - "network.community_id": "1:c82bgYlFS2zsrs3He7w3jq7x6jY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1109,7 +1081,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 3205, - "network.community_id": "1:iQJvtLpa8CzCZimwacqAWJp9sZg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1159,7 +1130,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 3366, - "network.community_id": "1:CHFAR3iwADiL0sMiLhocbg8YF4o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -1209,7 +1179,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 3527, - "network.community_id": "1:fW9fDNL4osH5ogPXIzh5huGyJLU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1259,7 +1228,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 3688, - "network.community_id": "1:VqbI7AJvRLmCOZAb2tHFFBTeRZ8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1309,7 +1277,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 3847, - "network.community_id": "1:TUJhCk7pGNvVhgiAnf4YJJaoCpo=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -1359,7 +1326,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 4004, - "network.community_id": "1:EItD1g2bG+b/iorMXbZ/3Bvjam8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1407,7 +1373,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 4163, - "network.community_id": "1:a6VFmKsjwlqdlhQIeSm95/lkWlY=", "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", @@ -1454,7 +1419,6 @@ "input.type": "log", "log.level": "critical", "log.offset": 4274, - "network.community_id": "1:96NZ3spb6QBXPZwoL7NadaqTMac=", "network.direction": "inbound", "network.iana_number": 17, "network.protocol": "dns", @@ -1504,7 +1468,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 4383, - "network.community_id": "1:DbXtTF7Tt+LJ0/omdap4K0RmodY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1554,7 +1517,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 4542, - "network.community_id": "1:8enMIE4IqhVXWyyRuJRvdyDxiBA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -1604,7 +1566,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 4703, - "network.community_id": "1:3vGj3wfvZB2f5kZmDflH/qfkWYE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1654,7 +1615,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 4862, - "network.community_id": "1:Wjdn68t3gwpMPxbO1bBTBvMkQKE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1704,7 +1664,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 5018, - "network.community_id": "1:OHPCPPOkvDP3KMLJodW8pdmntUw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1754,7 +1713,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 5174, - "network.community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1804,7 +1762,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 5321, - "network.community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1854,7 +1811,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 5468, - "network.community_id": "1:IOafOGWxFLefP+hvoAc06Z1pBj8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1904,7 +1860,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 5631, - "network.community_id": "1:89qba0kw6T/uGNWcSzTTYvNoLeY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1955,7 +1910,6 @@ "input.type": "log", "log.level": "notification", "log.offset": 5792, - "network.community_id": "1:3EQcjAJCGY7yJRip464V5VZ2h00=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -2008,7 +1962,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 5963, - "network.community_id": "1:xQpx+K3UkeF1wQfNjT+9cuVvkHo=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2064,7 +2017,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 6143, - "network.community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2119,7 +2071,6 @@ "input.type": "log", "log.level": "warning", "log.offset": 6298, - "network.community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2292,7 +2243,6 @@ "log.level": "informational", "log.offset": 6803, "network.bytes": 14804, - "network.community_id": "1:tVS/eeyng4tH7pSAcq77I2cbedw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2351,7 +2301,6 @@ "log.level": "informational", "log.offset": 6973, "network.bytes": 134781, - "network.community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2410,7 +2359,6 @@ "log.level": "informational", "log.offset": 7144, "network.bytes": 134781, - "network.community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2463,7 +2411,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 7315, - "network.community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "127.0.0.1", @@ -2515,7 +2462,6 @@ "input.type": "log", "log.level": "informational", "log.offset": 7462, - "network.community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "127.0.0.1", 
@@ -2569,7 +2515,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 7609,
- "network.community_id": "1:BouUIZD+TqJZdYklL1aMrJfnbQ0=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "outside",
@@ -2626,7 +2571,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7765,
- "network.community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=",
 "network.direction": "outbound",
 "network.iana_number": 6,
 "network.transport": "tcp",
@@ -2684,7 +2628,6 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7944,
- "network.community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=",
 "network.direction": "outbound",
 "network.iana_number": 6,
 "network.transport": "tcp",
@@ -2744,7 +2687,6 @@
 "log.level": "informational",
 "log.offset": 8123,
 "network.bytes": 11420,
- "network.community_id": "1:kugTIYv6tVeitQAN8XRNgUPvZiw=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "dmz",
@@ -2801,7 +2743,6 @@
 "log.level": "informational",
 "log.offset": 8293,
 "network.bytes": 1416,
- "network.community_id": "1:n1IQHcbrWLb1u8dflqz8hfEElA0=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "inside",
@@ -3228,7 +3169,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 9405,
- "network.community_id": "1:buRYH8vRkdq5apZqKHNDfmztnUo=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "inside",
@@ -3328,7 +3268,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 9669,
- "network.community_id": "1:XKWgpeop6LmXORBjS+D+pjammJ4=",
 "network.iana_number": 1,
 "network.transport": "icmp",
 "observer.ingress.interface.name": "inside",
@@ -3381,7 +3320,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 9805,
- "network.community_id": "1:ZWjuP5bJeA+f0NH342ubXOWI+Lc=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
@@ -3444,7 +3382,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 10056,
- "network.community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outsidet",
@@ -3504,7 +3441,6 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 10355,
- "network.community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outsidet",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
index f5c9eb57649..fae2b463a49 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
@@ -56,7 +56,6 @@
 "log.level": "alert",
 "log.offset": 0,
 "network.application": "icmp client",
- "network.community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=",
 "network.iana_number": 1,
 "network.protocol": "icmp",
 "network.transport": "icmp",
@@ -151,7 +150,6 @@
 "log.level": "alert",
 "log.offset": 579,
 "network.application": "icmp client",
- "network.community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=",
 "network.iana_number": 1,
 "network.protocol": "icmp",
 "network.transport": "icmp",
@@ -255,7 +253,6 @@
 "log.level": "alert",
 "log.offset": 1182,
 "network.application": "dns client",
- "network.community_id": "1:LrHhMjRxI8XLokucnZO43cq3wJ0=",
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
@@ -366,7 +363,6 @@
 "log.level": "alert",
 "log.offset": 1821,
 "network.application": "dns client",
- "network.community_id": "1:/cLFaau3XcCC0NUtxHnt+rWlO6A=",
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
@@ -466,7 +462,6 @@
 "input.type": "log",
 "log.level": "alert",
 "log.offset": 2515,
- "network.community_id": "1:L+Ul/KflTuC9qM1HyJ2hOk2/NSM=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
@@ -582,7 +577,6 @@
 "advanced packaging tool",
 "ubuntu"
 ],
- "network.community_id": "1:L+Ul/KflTuC9qM1HyJ2hOk2/NSM=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -688,7 +682,6 @@
 "input.type": "log",
 "log.level": "alert",
 "log.offset": 3919,
- "network.community_id": "1:TE/czajXLfyOntGRUMlWpOamN+I=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
@@ -800,7 +793,6 @@
 "log.level": "alert",
 "log.offset": 4442,
 "network.application": "curl",
- "network.community_id": "1:TE/czajXLfyOntGRUMlWpOamN+I=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -895,7 +887,6 @@
 "input.type": "log",
 "log.level": "alert",
 "log.offset": 5177,
- "network.community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=",
 "network.iana_number": 1,
 "network.transport": "icmp",
 "observer.egress.interface.name": "input",
@@ -998,7 +989,6 @@
 "log.level": "alert",
 "log.offset": 5719,
 "network.application": "curl",
- "network.community_id": "1:EX7LDhHq0D9ez/OeVOOW5FWakkI=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json
index 3dcdb4f4219..367c559c2e6 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json
@@ -44,7 +44,6 @@
 "log.level": "alert",
 "log.offset": 0,
 "network.application": "curl",
- "network.community_id": "1:ICpzATq4Q7ls9bAGqEmf+eAOtFc=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -124,7 +123,6 @@
 "log.level": "alert",
 "log.offset": 450,
 "network.application": "curl",
- "network.community_id": "1:1P/UJpeT0HuAQ0Zj36VUw3NWrms=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -204,7 +202,6 @@
 "log.level": "alert",
 "log.offset": 900,
 "network.application": "curl",
- "network.community_id": "1:k9jZpiIYklqnW5VrPKZ36zGCfpw=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -284,7 +281,6 @@
 "log.level": "alert",
 "log.offset": 1348,
 "network.application": "curl",
- "network.community_id": "1:1O6Tg+zlE975TFeaA0Qa6QBRfBs=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -370,7 +366,6 @@
 "log.level": "alert",
 "log.offset": 1804,
 "network.application": "curl",
- "network.community_id": "1:9k57JmGIU8Cd4FcndffJHSuGmHg=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -459,7 +454,6 @@
 "log.level": "alert",
 "log.offset": 2372,
 "network.application": "curl",
- "network.community_id": "1:eJqjWMIqoBPiagsWFCmeQAhxZaM=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -552,7 +546,6 @@
 "log.level": "alert",
 "log.offset": 2940,
 "network.application": "curl",
- "network.community_id": "1:EX7LDhHq0D9ez/OeVOOW5FWakkI=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -654,7 +647,6 @@
 "log.level": "alert",
 "log.offset": 3639,
 "network.application": "curl",
- "network.community_id": "1:idXjLwb9WD2+SkGKCxynJU8imAk=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -745,7 +737,6 @@
 "log.level": "alert",
 "log.offset": 4397,
 "network.application": "curl",
- "network.community_id": "1:nOd4Q0QVZ1CGu/nTE/uuQ/52Q3A=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -846,7 +837,6 @@
 "log.level": "alert",
 "log.offset": 5211,
 "network.application": "curl",
- "network.community_id": "1:NJVenFV6VTdZygfzWuC08PwZc84=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
index eeb9024fdc4..a1146a75efc 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
@@ -77,7 +77,6 @@
 "log.level": "unknown",
 "log.offset": 0,
 "network.application": "chrome",
- "network.community_id": "1:IpM6MLWKXk42SgVki5Wy5/6cTfk=",
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index ee379156ce6..2c92b41648e 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -268,10 +268,7 @@ processors:
 field: "message"
 description: "106023"
 patterns:
- - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}"
- pattern_definitions:
- NOTCOLON: "[^:]*"
- CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?)
+ - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '106027'"
 field: "message"
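Review bot: The rewritten 106023 pattern drops the numeric-protocol alternative, so a message of the form `protocol 47 src …` no longer matches: the removed line accepted `((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport})` where the new line has only `%{NOTSPACE:network.transport}`. Two smaller regressions sit on the same line: `access.group` leaves the dot as a regex wildcard where the literal `access-group` is meant, and `(%{GREEDYDATA:_temp_.cisco.source_username} )?` keeps the parentheses that the old `\(%{CISCO_USER:…}\)` stripped, so the temp field now carries `(user)` rather than `user`. Restoring the alternative and the literal hyphen keeps the previous coverage. The processors list continues outside the hunk, and this pipeline's hunks look unrelated to the OpenMetrics subject of the patch, so it is worth confirming they are not an accidental roll-back.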
@@ -332,37 +329,28 @@ processors: field: "message" description: "302013, 302015" patterns: - - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:destination.user.name}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} - pattern_definitions: - NOTCOLON: "[^:]*" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}" - dissect: if: "ctx._temp_.cisco.message_id == '303002'" field: "message" description: "303002" pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - - grok: - if: "ctx._temp_.cisco.message_id == '305012'" + - dissect: + if: "ctx._temp_.cisco.message_id == '302012'" field: "message" - description: "305012" - patterns: - - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} - pattern_definitions: - NOTCOLON: "[^:]*" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) 
- DURATION: "%{INT}:%{MINUTE}:%{SECOND}" + description: "302012" + pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" - grok: if: "ctx._temp_.cisco.message_id == '302020'" field: "message" description: "302020" patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) - dissect: if: "ctx._temp_.cisco.message_id == '302022'" field: "message" 
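Review bot: The translation-teardown processor now fires on message id `'302012'` where the removed grok fired on `'305012'`, and the flow-expiration `set` further down this file makes the same substitution; if the appliance still emits 305012 for `Teardown … translation` messages they will now reach the end of the pipeline unparsed. Checking the id against the device message catalogue before merging, or keeping both with `if: '["302012", "305012"].contains(ctx._temp_.cisco.message_id)'`, avoids silently losing those events. The `description` value should follow whichever id is kept. The enclosing processors list starts and ends outside this hunk.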
@@ -378,7 +366,7 @@ processors:
 field: "message"
 description: "304001"
 patterns:
- - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}"
+ - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}"
 - set:
 if: "ctx._temp_.cisco.message_id == '304001'"
 field: "event.outcome"
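Review bot: The new 304001 pattern no longer captures the optional `user@` prefix, so `source.user.name` is never set for these URL-access events even though the `related.user` append later in this file reads that field; the grok is unanchored, so a `user@10.0.0.1 …` message still matches, but the user is simply discarded. Keeping the leading `(%{NOTSPACE:source.user.name}@)?` group on the new line retains the attribution at no cost. The processors list continues outside the hunk.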
@@ -663,14 +651,13 @@ processors: field: "message" description: "722051" patterns: - - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" - - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" - - grok: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" + - dissect: if: "ctx._temp_.cisco.message_id == '733100'" field: "message" description: "733100" - patterns: - - \[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\] drop %{NOTSPACE:_temp_.cisco.burst.id} exceeded. Current burst rate is %{INT:_temp_.cisco.burst.current_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_rate}; Current average rate is %{INT:_temp_.cisco.burst.avg_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{INT:_temp_.cisco.burst.cumulative_count} + pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" - dissect: if: "ctx._temp_.cisco.message_id == '734001'" field: "message" 
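Review bot: Replacing the 733100 grok with a dissect changes what lands in `_temp_.cisco.burst.object`: the removed pattern tolerated whitespace after the bracket via `\[(%{SPACE})?`, while dissect's `[%{_temp_.cisco.burst.object}]` keeps any such padding inside the captured value. If the appliance pads that field, add a `- trim:` / `field: _temp_.cisco.burst.object` / `ignore_missing: true` processor directly after the dissect. The processors list continues outside the hunk.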
@@ -680,7 +667,7 @@ processors:
 if: "ctx._temp_.cisco.message_id == '805001'"
 field: "message"
 description: "805001"
- pattern: "Offloaded %{network.transport} Flow for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '805002'"
 field: "message"
@@ -709,7 +696,7 @@ processors:
 - dissect:
 if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
 field: "message"
- pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}."
+ pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}."
 - dissect:
 if: "ctx._temp_.cisco.message_id == '750002'"
 field: "message"
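Review bot: The 805001 dissect drops the literal word `Flow` that the removed pattern expected between the transport and `for connection`; dissect requires literal text to match exactly, so if the appliance emits `Offloaded TCP Flow for connection …` as the old pattern assumed, the processor now fails on every 805001 message. In the second hunk, `%{network.inner}` writes a plain string into a field that ECS defines as an object (`network.inner.vlan.*`), which will collide with the index template mapping; the previous `%{_temp_.cisco.tunnel_type}` kept that value out of the ECS namespace. Restoring `Flow for connection` and `%{_temp_.cisco.tunnel_type}` fixes both. Both hunks sit inside a processors list that starts and ends outside this view.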
@@ -775,29 +762,27 @@ processors: # Handle 302xxx messages (Flow expiration a.k.a "Teardown") # - set: - if: '["305012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' + if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' field: "event.action" value: "flow-expiration" - description: "305012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" + description: "302012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" - grok: field: "message" if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" patterns: - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) - - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? 
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) 
%{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? 
pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})" - DURATION: "%{INT}:%{MINUTE}:%{SECOND}" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" # # Decode FTD's Security Event Syslog Messages # @@ -1335,35 +1320,6 @@ processors: Instant.parse(end).minusNanos(nanos), ZoneOffset.UTC); # - # Parse Source/Dest Username/Domain - # - - set: - field: source.user.name - value: "{{{ _temp_.cisco.source_username }}}" - if: 'ctx?.source?.user?.name == null && ctx?._temp_?.cisco?.source_username != null' - - set: - field: destination.user.name - value: "{{{ _temp_.cisco.destination_username }}}" - if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null' - - grok: - field: "source.user.name" - if: 'ctx?.source?.user?.name != null' - ignore_failure: true - patterns: - - (%{CISCO_DOMAIN})?%{CISCO_USER:source.user.name} - pattern_definitions: - CISCO_USER: "%{USERNAME}(@%{HOSTNAME:source.user.domain})?" - CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)? - - grok: - field: "destination.user.name" - if: 'ctx?.destination?.user?.name != null' - ignore_failure: true - patterns: - - (%{CISCO_DOMAIN})?%{CISCO_USER:destination.user.name} - pattern_definitions: - CISCO_USER: "%{USERNAME}(@%{HOSTNAME:destination.user.domain})?" - CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? - # # Normalize protocol names # - lowercase: 
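Review bot: Every rewritten Teardown pattern now parses the duration with `%{TIME:_temp_.duration_hms}` instead of the removed `DURATION: "%{INT}:%{MINUTE}:%{SECOND}"`; grok's TIME is built on HOUR, which admits only 0–23, so a connection that lived a day or longer (`duration 26:04:11`) fails all six patterns and the event loses bytes, reason and ports along with the duration. Keep the local definition under pattern_definitions, `DURATION: "%{INT}:%{MINUTE}:%{SECOND}"`, and reference `%{DURATION:_temp_.duration_hms}` as before. The hunk ends mid-list; the processors that consume `_temp_.duration_hms` are outside this view.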
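Review bot: With the `Parse Source/Dest Username/Domain` block removed, nothing in view copies `_temp_.cisco.source_username` or `_temp_.cisco.destination_username` — which the Teardown patterns in the previous hunk still capture — into `source.user.name` and `destination.user.name`, and the later `related.user` appends only read those ECS fields. Unless a processor outside this chunk does that copy, user attribution on these events is silently dropped. Keeping the two `set` processors (value `"{{{ _temp_.cisco.source_username }}}"` under the same null-guarded `if`) restores it; the user/domain grok that followed can stay removed if domain splitting is no longer wanted.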
@@ -1472,62 +1428,50 @@ processors:
 field: "source.port"
 type: integer
 ignore_failure: true
- ignore_missing: true
 - convert:
 field: "destination.port"
 type: integer
 ignore_failure: true
- ignore_missing: true
 - convert:
 field: "source.bytes"
 type: long
 ignore_failure: true
- ignore_missing: true
 - convert:
 field: "destination.bytes"
 type: long
 ignore_failure: true
- ignore_missing: true
 - convert:
 field: "network.bytes"
 type: long
 ignore_failure: true
- ignore_missing: true
 - convert:
 field: "source.packets"
 type: integer
 ignore_failure: true
- ignore_missing: true
 - convert:
 field: "destination.packets"
 type: integer
 ignore_failure: true
- ignore_missing: true
 - convert:
 field: "_temp_.cisco.mapped_source_port"
 type: integer
 ignore_failure: true
- ignore_missing: true
 - convert:
 field: "_temp_.cisco.mapped_destination_port"
 type: integer
 ignore_failure: true
- ignore_missing: true
 - convert:
 field: "_temp_.cisco.icmp_code"
 type: integer
 ignore_failure: true
- ignore_missing: true
 - convert:
 field: "_temp_.cisco.icmp_type"
 type: integer
 ignore_failure: true
- ignore_missing: true
 - convert:
 field: "network.iana_number"
 type: integer
 ignore_failure: true
- ignore_missing: true
 #
 # Assign ECS .ip fields from .address is a valid IP address is found,
 # otherwise set .domain field.
@@ -1912,22 +1856,22 @@ processors:
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{{user.name}}}"
+ value: "{{user.name}}"
 if: ctx?.user?.name != null && ctx?.user?.name != ''
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{{host.user.name}}}"
+ value: "{{host.user.name}}"
 if: ctx?.host?.user?.name != null && ctx?.host?.user?.name != ''
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{{source.user.name}}}"
+ value: "{{source.user.name}}"
 if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{{destination.user.name}}}"
+ value: "{{destination.user.name}}"
 if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''
 allow_duplicates: false
 - append:
@@ -1955,16 +1899,6 @@ processors:
 value: "{{source.domain}}"
 if: ctx.source?.domain != null && ctx.source?.domain != ''
 allow_duplicates: false
- - append:
- field: related.hosts
- value: "{{source.user.domain}}"
- if: ctx.source?.user?.domain != null && ctx.source?.user?.domain != ''
- allow_duplicates: false
- - append:
- field: related.hosts
- value: "{{destination.user.domain}}"
- if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != ''
- allow_duplicates: false
 - script:
 lang: painless
 description: This script processor iterates over the whole document to remove fields with null values.
@@ -1989,9 +1923,6 @@ processors:
 }
 }
 handleMap(ctx);
- - community_id:
- ignore_missing: true
- ignore_failure: true
 on_failure:
 # Copy any fields under _temp_.cisco to its final destination. Those can help
 # with diagnosing the failure.
diff --git a/x-pack/filebeat/module/coredns/_meta/config.yml b/x-pack/filebeat/module/coredns/_meta/config.yml
index 4cfd48edb1e..d9ef777bde5 100644
--- a/x-pack/filebeat/module/coredns/_meta/config.yml
+++ b/x-pack/filebeat/module/coredns/_meta/config.yml
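Review bot: Changing `{{{user.name}}}` to `{{user.name}}` is not cosmetic: the ingest Mustache engine HTML-escapes double-brace substitutions, so a user name containing `&`, `<`, `>`, `"` or `'` is appended to related.user as an entity-encoded string that no longer equals the value in `user.name`, and the same applies to the `host.user.name`, `source.user.name` and `destination.user.name` appends below it in this hunk. Keep the unescaped form on all four lines, e.g. `value: "{{{user.name}}}"`. The surrounding processors list extends beyond the hunk.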
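Review bot: Deleting the `community_id` processor removes `network.community_id` from every ASA/FTD event, which the fixture updates earlier in this change confirm; if that is intended, any fields.yml or docs entry that still lists the field should be dropped in the same commit and a changelog entry added, since downstream correlation rules keyed on the flow hash will stop matching. If it is not intended, restore the three removed lines as they were. The `on_failure` block that follows continues outside the hunk.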
@@ -1,7 +1,7 @@ - module: coredns # Fileset for native deployment log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/crowdstrike/_meta/config.yml b/x-pack/filebeat/module/crowdstrike/_meta/config.yml index 84901e8779b..04cf80889ba 100644 --- a/x-pack/filebeat/module/crowdstrike/_meta/config.yml +++ b/x-pack/filebeat/module/crowdstrike/_meta/config.yml @@ -1,7 +1,7 @@ - module: crowdstrike falcon: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/cyberark/README.md b/x-pack/filebeat/module/cyberark/README.md new file mode 100644 index 00000000000..80bba69debc --- /dev/null +++ b/x-pack/filebeat/module/cyberark/README.md @@ -0,0 +1,7 @@ +# cyberark module + +This is a module for Cyber-Ark logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML cyberark version 124 +at 2020-09-01 14:17:46.365057 +0000 UTC. + diff --git a/x-pack/filebeat/module/cyberark/_meta/config.yml b/x-pack/filebeat/module/cyberark/_meta/config.yml new file mode 100644 index 00000000000..d3a1f20ec6f --- /dev/null +++ b/x-pack/filebeat/module/cyberark/_meta/config.yml @@ -0,0 +1,21 @@ +# The cyberark module is deprecated and will be removed in future releases. +# Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. +- module: cyberark + corepas: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9527 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local 
diff --git a/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc b/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc new file mode 100644 index 00000000000..5d349be9bfe --- /dev/null +++ b/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc @@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: cyberark +:has-dashboards: false + +== Cyberark module + +deprecated::[7.13.0,"This module is deprecated. Use the <>"] + +This is a module for receiving Cyber-Ark logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: corepas + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `corepas` fileset settings + +deprecated::[7.13.0] + +NOTE: This was converted from RSA NetWitness log parser XML "cyberark" device revision 124. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9527` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + 
diff --git a/x-pack/filebeat/module/cyberark/_meta/fields.yml b/x-pack/filebeat/module/cyberark/_meta/fields.yml new file mode 100644 index 00000000000..ab0db4113c7 --- /dev/null +++ b/x-pack/filebeat/module/cyberark/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: cyberark + title: Cyber-Ark + description: > + cyberark fields. + fields: diff --git a/x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml b/x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml 
@@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. 
+ This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. 
This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. 
+ - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. 
+ - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. 
+ - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. 
+ - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. 
+ - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. 
+ - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. 
This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. 
+ - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. 
+ - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + 
overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: 
cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: 
keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - 
name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + 
type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num 
+ overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + 
overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. 
+ - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. 
+ - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + 
type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. 
+ - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + 
overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. 
+ - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. 
+ - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. 
+ - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - 
name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to 
capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. 
+ - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is 
used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. 
+ - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/cyberark/corepas/config/input.yml b/x-pack/filebeat/module/cyberark/corepas/config/input.yml new file mode 100644 index 00000000000..11724ce0b17 --- /dev/null +++ b/x-pack/filebeat/module/cyberark/corepas/config/input.yml 
@@ -0,0 +1,87 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Cyberark"
+ product: "Core"
+ type: "Access"
+
+processors:
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{.rsa_fields}}
+ tz_offset: {{.tz_offset}}
+ keep_raw: {{.keep_raw_fields}}
+ debug: {{.debug}}
+ files:
+ - ${path.home}/module/cyberark/corepas/config/liblogparser.js
+ - ${path.home}/module/cyberark/corepas/config/pipeline.js
+{{ if .community_id }}
+- community_id: ~
+{{ end }}
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: dns.question.name
+ target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.11.0
diff --git a/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js b/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js
new file mode 100644
index 00000000000..cec99a043e8
--- /dev/null
+++ b/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js
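Review bot: `keep_raw: {{.keep_raw_fields}}` in the script params is passed through with no comment on what it retains, and the field definitions that precede this file in the patch declare a `password` key ("Passwords seen in any session, plain text or encrypted") among the parsed `nwparser` fields. If keep_raw keeps the raw `nwparser.*` output in the indexed event — which the option name suggests, though the consumer of that flag in liblogparser.js is not visible in this hunk — enabling it stores credentials alongside the log line. A template comment above that line would make the trade-off visible to whoever flips it: `# keep_raw retains the raw nwparser.* fields (the declared set includes password); leave disabled unless needed for troubleshooting`. The same note belongs on `debug: {{.debug}}` if the debug path logs event contents, which this hunk does not show.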
@@ -0,0 +1,2514 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch 
(args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; 
+} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], 
+}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. 
+function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined;
+}
+
+function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+}
+
+function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+}
+
+// Short month name (Jan..Dec).
+function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+}
+
+function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.error(fn.name + " failed for '" + value + "'");
+ }
+ };
+}
+
+// The following regular expression for parsing URLs from:
+// https://github.com/wizard04wsu/URI_Parsing
+//
+// The MIT License (MIT)
+//
+// Copyright (c) 2014 Andrew Harrison
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of
+// this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to
+// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+// the Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+var uriScheme = 1;
+var uriDomain = 5;
+var uriPort = 6;
+var uriPath = 7;
+var uriPathAlt = 9;
+var uriQuery = 11;
+
+function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+}
+
+function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+}
+
+function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+}
+
+var extFromPage = /\.[^.]+$/;
+function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+}
+
+function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+}
+
+function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+}
+
+var pageFromPathRegExp = /\/([^\/]+)$/;
+var pageName = 1;
+
+function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+}
+
+function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+}
+
+function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+}
+
+function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+}
+
+// Map common schemes to their default port.
+// port has to be a string (will be converted at a later stage).
+var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+};
+
+function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+}
+
+function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+}
+
+function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+}
+
+function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+}
+
+function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+}
+
+function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+}
+
+function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
+ cfg.open_quote.length + cfg.close_quote.length : 0;
+ var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$');
+ return function(evt) {
+ var msg = evt.Get(src);
+ if (msg === undefined) {
+ console.warn("tagval: input field is missing");
+ return fail(evt);
+ }
+ var pairs = msg.split(cfg.pair_separator);
+ var i;
+ var success = false;
+ var prev = "";
+ for (i=0; i 0 &&
+ value.length >= cfg.open_quote.length + cfg.close_quote.length &&
+ value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
+ value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
+ value = value.substr(cfg.open_quote.length, value.length - quotes_len);
+ }
+ evt.Put(FIELDS_PREFIX + field, value);
+ success = true;
+ }
+ if (!success) {
+ return fail(evt);
+ }
+ if (on_success != null) {
+ on_success(evt);
+ }
+ }
+}
+
+var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+};
+
+var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field:
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = 
evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup2, +])); + +var dup153 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup4, + dup2, + dup3, +])); + +var dup154 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", 
processor_chain([ + dup4, + dup2, +])); + +var dup155 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, +])); + +var dup156 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, +])); + +var dup157 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": 
"severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + dup3, +])); + +var dup158 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, +])); + +var dup159 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup19, + dup2, + dup3, +])); + +var dup160 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup2, +])); + +var dup161 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup15, + dup2, + dup3, +])); + +var dup162 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup2, +])); + +var dup163 = tagval("MESSAGE#38:22:01", "nwparser.payload", 
tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup21, + dup2, + dup3, +])); + +var dup164 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup21, + dup2, +])); + +var dup165 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, 
processor_chain([ + dup23, + dup2, + dup3, +])); + +var dup166 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup23, + dup2, +])); + +var dup167 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup20, + dup2, + dup3, +])); + +var dup168 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup2, +])); + +var dup169 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup26, + dup2, + dup3, +])); + +var dup170 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup26, + dup2, +])); + +var dup171 = tagval("MESSAGE#190:98:01", "nwparser.payload", 
tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup26, + dup2, + dup3, + dup24, + dup25, +])); + +var dup172 = linear_select([ + dup32, + dup33, +]); + +var dup173 = linear_select([ + dup34, + dup35, +]); + +var dup174 = linear_select([ + dup36, + dup37, +]); + +var dup175 = linear_select([ + dup38, + dup39, +]); + +var dup176 = linear_select([ + dup40, + dup41, +]); + +var dup177 = linear_select([ + dup42, + dup43, +]); + +var dup178 = linear_select([ + dup44, + dup45, +]); + +var dup179 = linear_select([ + dup46, + dup47, +]); + +var dup180 = linear_select([ + dup48, + dup49, +]); + +var dup181 = linear_select([ + dup50, + dup51, +]); + +var dup182 = linear_select([ + dup52, + dup53, +]); + +var dup183 = linear_select([ + dup54, + dup55, +]); + +var dup184 = linear_select([ + dup56, + dup57, +]); + +var dup185 = linear_select([ + dup58, + dup59, +]); + +var dup186 = linear_select([ + dup60, + dup61, +]); + +var dup187 = linear_select([ + dup62, + dup63, +]); + +var dup188 = linear_select([ + dup64, + dup65, +]); + +var dup189 = linear_select([ + dup66, + dup67, +]); + +var dup190 = linear_select([ + dup68, + dup69, +]); + +var dup191 = linear_select([ + dup70, + dup71, +]); + +var dup192 = linear_select([ + dup72, + dup73, +]); + +var dup193 = linear_select([ + dup74, + dup75, +]); + +var dup194 = linear_select([ + dup76, + dup77, +]); + +var dup195 = 
tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup79, + dup80, + dup81, + dup2, + dup3, +])); + +var dup196 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup79, + dup80, + dup81, + dup2, +])); + +var dup197 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": 
"uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup82, + dup2, + dup3, +])); + +var dup198 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup82, + dup2, +])); + +var dup199 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup83, + dup2, + dup3, +])); + +var dup200 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup83, + dup2, +])); + +var dup201 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ + dup4, + dup2, + dup3, +])); + +var dup202 = linear_select([ + dup85, + dup86, +]); + +var dup203 = linear_select([ + dup88, + dup89, +]); + +var dup204 = linear_select([ + dup91, + dup92, +]); + +var dup205 = linear_select([ + dup94, + dup95, +]); + +var dup206 = linear_select([ + dup97, + dup98, +]); + +var dup207 = linear_select([ + dup100, + dup101, +]); + +var dup208 = linear_select([ + dup103, + dup104, +]); + +var dup209 = linear_select([ + dup106, + dup107, +]); + +var dup210 = linear_select([ + dup109, + dup110, +]); + +var dup211 = linear_select([ + dup112, + dup113, +]); + +var dup212 = linear_select([ + dup115, + dup116, + dup117, + dup118, +]); + +var dup213 = linear_select([ + dup120, + dup121, +]); + +var dup214 = linear_select([ + dup123, + dup124, +]); + +var dup215 = linear_select([ + dup126, + dup127, +]); + +var dup216 = linear_select([ + dup129, + dup130, 
+]); + +var dup217 = linear_select([ + dup132, + dup133, +]); + +var dup218 = linear_select([ + dup135, + dup136, +]); + +var dup219 = linear_select([ + dup138, + dup139, +]); + +var dup220 = linear_select([ + dup141, + dup142, +]); + +var dup221 = linear_select([ + dup144, + dup145, +]); + +var dup222 = linear_select([ + dup147, + dup148, +]); + +var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld1}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdevice"), + constant("\",ProductAccount=\""), + field("hfld1"), + constant("\",ProductProcess=\""), + field("process"), + constant("\",EventId=\""), + field("messageid"), + constant("\", "), + field("p0"), + ], + }), +])); + +var hdr2 = match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld4}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdevice"), + constant("\",ProductAccount=\""), + field("hfld4"), + constant("\",ProductProcess=\""), + field("process"), + constant("\",EventId=\""), + field("messageid"), + constant("\", "), + field("p0"), + ], + }), +])); + +var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var hdr4 = match("HEADER#3:0003", "message", "%{hfld1->} %{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr5 = match("HEADER#4:0004", "message", "%CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var 
hdr6 = match("HEADER#5:0006", "message", "%{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0006"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, +]); + +var msg1 = msg("1:01", dup151); + +var msg2 = msg("1", dup152); + +var select2 = linear_select([ + msg1, + msg2, +]); + +var msg3 = msg("2:01", dup153); + +var msg4 = msg("2", dup154); + +var select3 = linear_select([ + msg3, + msg4, +]); + +var msg5 = msg("3:01", dup151); + +var msg6 = msg("3", dup152); + +var select4 = linear_select([ + msg5, + msg6, +]); + +var msg7 = msg("4:01", dup155); + +var msg8 = msg("4", dup156); + +var select5 = linear_select([ + msg7, + msg8, +]); + +var part1 = tagval("MESSAGE#8:7:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup11, + dup2, + dup3, +])); + +var msg9 = msg("7:01", part1); + +var part2 = match("MESSAGE#9:7", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup11, + dup2, +])); + +var msg10 = msg("7", part2); + +var select6 = linear_select([ + msg9, + msg10, +]); + +var part3 = tagval("MESSAGE#10:8:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup12, + dup6, + dup13, + dup8, + dup11, + dup2, + dup3, +])); + +var msg11 = msg("8:01", part3); + +var part4 = match("MESSAGE#11:8", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup12, + dup6, + dup13, + dup8, + dup11, + dup2, +])); + +var msg12 = msg("8", part4); + +var select7 = linear_select([ + msg11, + msg12, +]); + +var part5 = tagval("MESSAGE#12:9:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup1, + dup14, + dup9, + dup2, + dup3, +])); + +var msg13 = msg("9:01", part5); + +var part6 = match("MESSAGE#13:9", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup14, + dup9, + dup2, +])); + +var msg14 = msg("9", part6); + +var select8 = linear_select([ + msg13, + msg14, +]); + +var msg15 = msg("10:01", dup151); + +var msg16 = msg("10", dup152); + +var select9 = linear_select([ + msg15, + msg16, +]); + +var msg17 = msg("11:01", dup151); + +var msg18 = msg("11", dup152); + +var select10 = linear_select([ + msg17, + msg18, +]); + +var msg19 = msg("12:01", dup151); + +var msg20 = msg("12", dup152); + +var select11 = linear_select([ + msg19, + msg20, +]); + +var msg21 = msg("13:01", dup157); + +var msg22 = msg("13", dup158); + +var select12 = linear_select([ + msg21, + msg22, +]); + +var msg23 = msg("14:01", dup157); + +var msg24 = msg("14", dup158); + +var select13 = linear_select([ + msg23, + msg24, +]); + +var part7 = tagval("MESSAGE#24:15:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, 
processor_chain([ + dup15, + dup18, + dup9, + dup2, + dup3, +])); + +var msg25 = msg("15:01", part7); + +var part8 = match("MESSAGE#25:15", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup18, + dup9, + dup2, +])); + +var msg26 = msg("15", part8); + +var select14 = linear_select([ + msg25, + msg26, +]); + +var msg27 = msg("16:01", dup159); + +var msg28 = msg("16", dup160); + +var select15 = linear_select([ + msg27, + msg28, +]); + +var msg29 = msg("17:01", dup151); + +var msg30 = msg("17", dup152); + +var select16 = linear_select([ + msg29, + msg30, +]); + +var msg31 = msg("18:01", dup161); + +var msg32 = msg("18", dup162); + +var select17 = linear_select([ + msg31, + msg32, +]); + +var part9 = tagval("MESSAGE#32:19:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup20, + dup16, + dup11, + dup2, + dup3, +])); + +var msg33 = 
msg("19:01", part9); + +var part10 = match("MESSAGE#33:19", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup16, + dup11, + dup2, +])); + +var msg34 = msg("19", part10); + +var select18 = linear_select([ + msg33, + msg34, +]); + +var part11 = tagval("MESSAGE#34:20:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup19, + dup16, + dup2, + dup3, +])); + +var msg35 = msg("20:01", part11); + +var part12 = match("MESSAGE#35:20", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup16, + dup2, +])); + +var msg36 = msg("20", part12); + +var select19 = linear_select([ + msg35, + msg36, +]); + +var part13 = tagval("MESSAGE#36:21:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup15, + dup16, + dup9, + dup2, + dup3, +])); + +var msg37 = msg("21:01", part13); + +var part14 = match("MESSAGE#37:21", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + dup9, + dup2, +])); + +var msg38 = msg("21", part14); + +var select20 = linear_select([ + msg37, + msg38, +]); + +var msg39 = msg("22:01", dup163); + +var msg40 = msg("22", dup164); + +var select21 = linear_select([ + msg39, + msg40, +]); + +var part15 = tagval("MESSAGE#40:23:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup22, + dup2, + dup3, +])); + +var msg41 = msg("23:01", part15); + +var part16 = match("MESSAGE#41:23", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup22, + dup2, +])); + +var msg42 = msg("23", part16); + +var select22 = linear_select([ + msg41, + msg42, +]); + +var msg43 = msg("24:01", dup163); + +var msg44 = msg("24", dup164); + +var select23 = linear_select([ + msg43, + msg44, +]); + +var msg45 = msg("25:01", dup151); + +var msg46 = msg("25", dup152); + +var select24 = linear_select([ + msg45, + msg46, +]); + +var msg47 = msg("26:01", dup151); + +var msg48 = msg("26", dup152); + +var select25 = linear_select([ + msg47, + msg48, +]); + +var msg49 = msg("27:01", dup151); + +var msg50 = msg("27", dup152); + +var select26 = linear_select([ + msg49, + msg50, +]); + +var msg51 = msg("28:01", dup163); + +var msg52 = msg("28", dup164); + +var select27 = linear_select([ + msg51, + msg52, +]); + +var msg53 = msg("29:01", dup151); + +var msg54 = msg("29", dup152); + +var select28 = linear_select([ + msg53, + msg54, +]); + +var msg55 = msg("30:01", dup151); + +var msg56 = msg("30", dup152); + +var select29 = linear_select([ + msg55, + msg56, +]); + +var msg57 = msg("31:01", dup163); + +var msg58 = msg("31", dup164); + +var select30 = linear_select([ + msg57, + msg58, +]); + +var msg59 = msg("32:01", dup163); + +var msg60 = msg("32", dup164); + +var select31 = linear_select([ + msg59, + msg60, +]); + +var msg61 = msg("33:01", dup163); + +var msg62 = msg("33", dup164); + +var select32 = linear_select([ + msg61, + msg62, +]); + +var msg63 = msg("34:01", dup151); + +var msg64 = msg("34", 
dup152); + +var select33 = linear_select([ + msg63, + msg64, +]); + +var msg65 = msg("35:01", dup151); + +var msg66 = msg("35", dup152); + +var select34 = linear_select([ + msg65, + msg66, +]); + +var msg67 = msg("36:01", dup163); + +var msg68 = msg("36", dup164); + +var select35 = linear_select([ + msg67, + msg68, +]); + +var msg69 = msg("37:01", dup163); + +var msg70 = msg("37", dup164); + +var select36 = linear_select([ + msg69, + msg70, +]); + +var msg71 = msg("38:01", dup165); + +var msg72 = msg("38", dup166); + +var select37 = linear_select([ + msg71, + msg72, +]); + +var msg73 = msg("39:01", dup163); + +var msg74 = msg("39", dup164); + +var select38 = linear_select([ + msg73, + msg74, +]); + +var msg75 = msg("40:01", dup151); + +var msg76 = msg("40", dup152); + +var select39 = linear_select([ + msg75, + msg76, +]); + +var msg77 = msg("41:01", dup151); + +var msg78 = msg("41", dup152); + +var select40 = linear_select([ + msg77, + msg78, +]); + +var msg79 = msg("42:01", dup151); + +var msg80 = msg("42", dup152); + +var select41 = linear_select([ + msg79, + msg80, +]); + +var msg81 = msg("43:01", dup151); + +var msg82 = msg("43", dup152); + +var select42 = linear_select([ + msg81, + msg82, +]); + +var msg83 = msg("44:01", dup151); + +var msg84 = msg("44", dup152); + +var select43 = linear_select([ + msg83, + msg84, +]); + +var msg85 = msg("45:01", dup151); + +var msg86 = msg("45", dup152); + +var select44 = linear_select([ + msg85, + msg86, +]); + +var msg87 = msg("46:01", dup151); + +var msg88 = msg("46", dup152); + +var select45 = linear_select([ + msg87, + msg88, +]); + +var msg89 = msg("47:01", dup151); + +var msg90 = msg("47", dup152); + +var select46 = linear_select([ + msg89, + msg90, +]); + +var msg91 = msg("48:01", dup151); + +var msg92 = msg("48", dup152); + +var select47 = linear_select([ + msg91, + msg92, +]); + +var msg93 = msg("49:01", dup151); + +var msg94 = msg("49", dup152); + +var select48 = linear_select([ + msg93, + msg94, +]); + +var part17 
= tagval("MESSAGE#94:50:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup21, + dup2, + dup3, + dup24, + dup25, +])); + +var msg95 = msg("50:01", part17); + +var msg96 = msg("50", dup164); + +var select49 = linear_select([ + msg95, + msg96, +]); + +var msg97 = msg("51:01", dup163); + +var msg98 = msg("51", dup164); + +var select50 = linear_select([ + msg97, + msg98, +]); + +var msg99 = msg("52:01", dup163); + +var msg100 = msg("52", dup164); + +var select51 = linear_select([ + msg99, + msg100, +]); + +var msg101 = msg("53:01", dup151); + +var msg102 = msg("53", dup152); + +var select52 = linear_select([ + msg101, + msg102, +]); + +var msg103 = msg("54:01", dup151); + +var msg104 = msg("54", dup152); + +var select53 = linear_select([ + msg103, + msg104, +]); + +var msg105 = msg("55:01", dup151); + +var msg106 = msg("55", dup152); + +var select54 = linear_select([ + msg105, + msg106, +]); + +var msg107 = msg("56:01", dup151); + +var msg108 = msg("56", dup152); + +var select55 = linear_select([ + msg107, + msg108, +]); + +var msg109 = msg("57:01", dup165); + +var msg110 = msg("57", dup166); + +var select56 = linear_select([ + msg109, + msg110, +]); + +var msg111 = msg("58:01", dup163); + +var msg112 = msg("58", dup164); + +var select57 = linear_select([ + msg111, + msg112, +]); + +var msg113 = msg("59:01", dup163); + +var msg114 = msg("59", dup164); + 
+var select58 = linear_select([ + msg113, + msg114, +]); + +var msg115 = msg("60:01", dup165); + +var msg116 = msg("60", dup166); + +var select59 = linear_select([ + msg115, + msg116, +]); + +var msg117 = msg("61:01", dup167); + +var msg118 = msg("61", dup168); + +var select60 = linear_select([ + msg117, + msg118, +]); + +var msg119 = msg("62:01", dup163); + +var msg120 = msg("62", dup164); + +var select61 = linear_select([ + msg119, + msg120, +]); + +var msg121 = msg("63:01", dup151); + +var msg122 = msg("63", dup152); + +var select62 = linear_select([ + msg121, + msg122, +]); + +var msg123 = msg("64:01", dup167); + +var msg124 = msg("64", dup168); + +var select63 = linear_select([ + msg123, + msg124, +]); + +var msg125 = msg("65:01", dup151); + +var msg126 = msg("65", dup152); + +var select64 = linear_select([ + msg125, + msg126, +]); + +var msg127 = msg("66:01", dup169); + +var msg128 = msg("66", dup170); + +var select65 = linear_select([ + msg127, + msg128, +]); + +var msg129 = msg("67:01", dup169); + +var msg130 = msg("67", dup170); + +var select66 = linear_select([ + msg129, + msg130, +]); + +var msg131 = msg("68:01", dup169); + +var msg132 = msg("68", dup170); + +var select67 = linear_select([ + msg131, + msg132, +]); + +var msg133 = msg("69:01", dup169); + +var msg134 = msg("69", dup170); + +var select68 = linear_select([ + msg133, + msg134, +]); + +var msg135 = msg("70:01", dup151); + +var msg136 = msg("70", dup152); + +var select69 = linear_select([ + msg135, + msg136, +]); + +var msg137 = msg("71:01", dup169); + +var msg138 = msg("71", dup170); + +var select70 = linear_select([ + msg137, + msg138, +]); + +var msg139 = msg("72:01", dup151); + +var msg140 = msg("72", dup152); + +var select71 = linear_select([ + msg139, + msg140, +]); + +var msg141 = msg("73:01", dup169); + +var msg142 = msg("73", dup170); + +var select72 = linear_select([ + msg141, + msg142, +]); + +var msg143 = msg("74:01", dup151); + +var msg144 = msg("74", dup152); + +var select73 = 
linear_select([ + msg143, + msg144, +]); + +var msg145 = msg("75:01", dup169); + +var msg146 = msg("75", dup170); + +var select74 = linear_select([ + msg145, + msg146, +]); + +var msg147 = msg("76:01", dup151); + +var msg148 = msg("76", dup152); + +var select75 = linear_select([ + msg147, + msg148, +]); + +var msg149 = msg("77:01", dup151); + +var msg150 = msg("77", dup152); + +var select76 = linear_select([ + msg149, + msg150, +]); + +var msg151 = msg("78:01", dup151); + +var msg152 = msg("78", dup152); + +var select77 = linear_select([ + msg151, + msg152, +]); + +var msg153 = msg("79:01", dup169); + +var msg154 = msg("79", dup170); + +var select78 = linear_select([ + msg153, + msg154, +]); + +var msg155 = msg("80:01", dup169); + +var msg156 = msg("80", dup170); + +var select79 = linear_select([ + msg155, + msg156, +]); + +var msg157 = msg("81:01", dup167); + +var msg158 = msg("81", dup168); + +var select80 = linear_select([ + msg157, + msg158, +]); + +var msg159 = msg("82:01", dup151); + +var msg160 = msg("82", dup152); + +var select81 = linear_select([ + msg159, + msg160, +]); + +var msg161 = msg("83:01", dup169); + +var msg162 = msg("83", dup170); + +var select82 = linear_select([ + msg161, + msg162, +]); + +var msg163 = msg("84:01", dup169); + +var msg164 = msg("84", dup170); + +var select83 = linear_select([ + msg163, + msg164, +]); + +var msg165 = msg("85:01", dup151); + +var msg166 = msg("85", dup152); + +var select84 = linear_select([ + msg165, + msg166, +]); + +var msg167 = msg("86:01", dup159); + +var msg168 = msg("86", dup160); + +var select85 = linear_select([ + msg167, + msg168, +]); + +var msg169 = msg("87:01", dup151); + +var msg170 = msg("87", dup152); + +var select86 = linear_select([ + msg169, + msg170, +]); + +var msg171 = msg("88:01", dup169); + +var msg172 = msg("88", dup170); + +var select87 = linear_select([ + msg171, + msg172, +]); + +var msg173 = msg("89:01", dup151); + +var msg174 = msg("89", dup152); + +var select88 = linear_select([ + 
msg173, + msg174, +]); + +var msg175 = msg("90:01", dup151); + +var msg176 = msg("90", dup152); + +var select89 = linear_select([ + msg175, + msg176, +]); + +var msg177 = msg("91:01", dup151); + +var msg178 = msg("91", dup152); + +var select90 = linear_select([ + msg177, + msg178, +]); + +var msg179 = msg("92:01", dup151); + +var msg180 = msg("92", dup152); + +var select91 = linear_select([ + msg179, + msg180, +]); + +var msg181 = msg("93:01", dup151); + +var msg182 = msg("93", dup152); + +var select92 = linear_select([ + msg181, + msg182, +]); + +var msg183 = msg("94:01", dup169); + +var msg184 = msg("94", dup170); + +var select93 = linear_select([ + msg183, + msg184, +]); + +var msg185 = msg("95:01", dup169); + +var msg186 = msg("95", dup170); + +var select94 = linear_select([ + msg185, + msg186, +]); + +var msg187 = msg("96:01", dup151); + +var msg188 = msg("96", dup152); + +var select95 = linear_select([ + msg187, + msg188, +]); + +var msg189 = msg("97:01", dup151); + +var msg190 = msg("97", dup152); + +var select96 = linear_select([ + msg189, + msg190, +]); + +var msg191 = msg("98:01", dup171); + +var msg192 = msg("98", dup170); + +var select97 = linear_select([ + msg191, + msg192, +]); + +var msg193 = msg("99:01", dup171); + +var msg194 = msg("99", dup170); + +var select98 = linear_select([ + msg193, + msg194, +]); + +var msg195 = msg("100:01", dup151); + +var msg196 = msg("100", dup152); + +var select99 = linear_select([ + msg195, + msg196, +]); + +var msg197 = msg("101:01", dup151); + +var msg198 = msg("101", dup152); + +var select100 = linear_select([ + msg197, + msg198, +]); + +var msg199 = msg("102:01", dup155); + +var msg200 = msg("102", dup156); + +var select101 = linear_select([ + msg199, + msg200, +]); + +var part18 = tagval("MESSAGE#200:103:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + 
"GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup27, + dup6, + dup7, + dup8, + dup28, + dup2, + dup3, +])); + +var msg201 = msg("103:01", part18); + +var part19 = match("MESSAGE#201:103", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup27, + dup6, + dup7, + dup8, + dup28, + dup2, +])); + +var msg202 = msg("103", part19); + +var select102 = linear_select([ + msg201, + msg202, +]); + +var part20 = tagval("MESSAGE#202:104:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + 
"Version": "version", +}, processor_chain([ + dup27, + dup6, + dup29, + dup2, + dup3, +])); + +var msg203 = msg("104:01", part20); + +var part21 = match("MESSAGE#203:104", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup27, + dup6, + dup29, + dup2, +])); + +var msg204 = msg("104", part21); + +var select103 = linear_select([ + msg203, + msg204, +]); + +var msg205 = msg("105:01", dup169); + +var msg206 = msg("105", dup170); + +var select104 = linear_select([ + msg205, + msg206, +]); + +var msg207 = msg("106:01", dup169); + +var msg208 = msg("106", dup170); + +var select105 = linear_select([ + msg207, + msg208, +]); + +var msg209 = msg("107:01", dup169); + +var msg210 = msg("107", dup170); + +var select106 = linear_select([ + msg209, + msg210, +]); + +var msg211 = msg("108:01", dup169); + +var msg212 = msg("108", dup170); + +var select107 = linear_select([ + msg211, + msg212, +]); + +var msg213 = msg("109:01", dup169); + +var msg214 = msg("109", dup170); + +var select108 = linear_select([ + msg213, + msg214, +]); + +var msg215 = msg("110:01", dup151); + +var msg216 = msg("110", dup152); + +var select109 = linear_select([ + msg215, + msg216, +]); + +var msg217 = msg("111:01", dup169); + +var msg218 = msg("111", dup170); + +var select110 = linear_select([ + msg217, + msg218, +]); + +var msg219 = msg("112:01", dup169); + +var msg220 = msg("112", dup170); + +var select111 = linear_select([ + msg219, + msg220, +]); + +var msg221 = msg("114:01", dup169); 
+ +var msg222 = msg("114", dup170); + +var select112 = linear_select([ + msg221, + msg222, +]); + +var msg223 = msg("115:01", dup169); + +var msg224 = msg("115", dup170); + +var select113 = linear_select([ + msg223, + msg224, +]); + +var msg225 = msg("116:01", dup151); + +var msg226 = msg("116", dup152); + +var select114 = linear_select([ + msg225, + msg226, +]); + +var msg227 = msg("117:01", dup151); + +var msg228 = msg("117", dup152); + +var select115 = linear_select([ + msg227, + msg228, +]); + +var msg229 = msg("118:01", dup169); + +var msg230 = msg("118", dup170); + +var select116 = linear_select([ + msg229, + msg230, +]); + +var msg231 = msg("119:01", dup169); + +var msg232 = msg("119", dup170); + +var select117 = linear_select([ + msg231, + msg232, +]); + +var msg233 = msg("120:01", dup169); + +var msg234 = msg("120", dup170); + +var select118 = linear_select([ + msg233, + msg234, +]); + +var msg235 = msg("121:01", dup169); + +var msg236 = msg("121", dup170); + +var select119 = linear_select([ + msg235, + msg236, +]); + +var msg237 = msg("122:01", dup169); + +var msg238 = msg("122", dup170); + +var select120 = linear_select([ + msg237, + msg238, +]); + +var msg239 = msg("123:01", dup169); + +var msg240 = msg("123", dup170); + +var select121 = linear_select([ + msg239, + msg240, +]); + +var msg241 = msg("124:01", dup169); + +var msg242 = msg("124", dup170); + +var select122 = linear_select([ + msg241, + msg242, +]); + +var msg243 = msg("125:01", dup169); + +var msg244 = msg("125", dup170); + +var select123 = linear_select([ + msg243, + msg244, +]); + +var msg245 = msg("126:01", dup169); + +var msg246 = msg("126", dup170); + +var select124 = linear_select([ + msg245, + msg246, +]); + +var msg247 = msg("127:01", dup169); + +var msg248 = msg("127", dup170); + +var select125 = linear_select([ + msg247, + msg248, +]); + +var msg249 = msg("128:01", dup169); + +var msg250 = msg("128", dup170); + +var select126 = linear_select([ + msg249, + msg250, +]); + +var msg251 
= msg("129:01", dup169); + +var msg252 = msg("129", dup170); + +var select127 = linear_select([ + msg251, + msg252, +]); + +var msg253 = msg("130:01", dup169); + +var msg254 = msg("130", dup170); + +var select128 = linear_select([ + msg253, + msg254, +]); + +var msg255 = msg("131:01", dup151); + +var msg256 = msg("131", dup152); + +var select129 = linear_select([ + msg255, + msg256, +]); + +var msg257 = msg("132:01", dup151); + +var msg258 = msg("132", dup152); + +var select130 = linear_select([ + msg257, + msg258, +]); + +var msg259 = msg("133:01", dup151); + +var msg260 = msg("133", dup152); + +var select131 = linear_select([ + msg259, + msg260, +]); + +var part22 = tagval("MESSAGE#260:134:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup30, + dup2, + dup3, +])); + +var msg261 = msg("134:01", part22); + +var part23 = match("MESSAGE#261:134", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup30, + dup2, +])); + +var msg262 = msg("134", part23); + +var select132 = linear_select([ + msg261, + msg262, +]); + +var msg263 = msg("135:01", dup151); + +var msg264 = msg("135", dup152); + +var select133 = linear_select([ + msg263, + msg264, +]); + +var msg265 = msg("136:01", dup169); + +var msg266 = msg("136", dup170); + +var select134 = linear_select([ + msg265, + msg266, +]); + +var msg267 = msg("137:01", dup169); + +var msg268 = msg("137", dup170); + +var select135 = linear_select([ + msg267, + msg268, +]); + +var msg269 = msg("138:01", dup169); + +var msg270 = msg("138", dup170); + +var select136 = linear_select([ + msg269, + msg270, +]); + +var msg271 = msg("139:01", dup169); + +var msg272 = msg("139", dup170); + +var select137 = linear_select([ + msg271, + msg272, +]); + +var msg273 = msg("140:01", dup169); + +var msg274 = msg("140", dup170); + +var select138 = linear_select([ + msg273, + msg274, +]); + +var msg275 = msg("141:01", dup169); + +var msg276 = msg("141", dup170); + +var select139 = linear_select([ + msg275, + msg276, +]); + +var msg277 = msg("142:01", dup169); + +var msg278 = msg("142", dup170); + +var select140 = linear_select([ + msg277, + msg278, +]); + +var msg279 = msg("143:01", dup169); + +var msg280 = msg("143", dup170); + +var select141 = linear_select([ + msg279, + msg280, +]); + +var msg281 = msg("144:01", dup169); + +var msg282 = msg("144", dup170); + +var select142 = linear_select([ + msg281, + 
msg282, +]); + +var msg283 = msg("145:01", dup169); + +var msg284 = msg("145", dup170); + +var select143 = linear_select([ + msg283, + msg284, +]); + +var msg285 = msg("146:01", dup151); + +var msg286 = msg("146", dup152); + +var select144 = linear_select([ + msg285, + msg286, +]); + +var msg287 = msg("147:01", dup151); + +var msg288 = msg("147", dup152); + +var select145 = linear_select([ + msg287, + msg288, +]); + +var msg289 = msg("148:01", dup151); + +var msg290 = msg("148", dup152); + +var select146 = linear_select([ + msg289, + msg290, +]); + +var msg291 = msg("149:01", dup151); + +var msg292 = msg("149", dup152); + +var select147 = linear_select([ + msg291, + msg292, +]); + +var msg293 = msg("150:01", dup151); + +var msg294 = msg("150", dup152); + +var select148 = linear_select([ + msg293, + msg294, +]); + +var msg295 = msg("152:01", dup151); + +var msg296 = msg("152", dup152); + +var select149 = linear_select([ + msg295, + msg296, +]); + +var msg297 = msg("153:01", dup151); + +var msg298 = msg("153", dup152); + +var select150 = linear_select([ + msg297, + msg298, +]); + +var msg299 = msg("154:01", dup151); + +var msg300 = msg("154", dup152); + +var select151 = linear_select([ + msg299, + msg300, +]); + +var msg301 = msg("155:01", dup151); + +var msg302 = msg("155", dup152); + +var select152 = linear_select([ + msg301, + msg302, +]); + +var msg303 = msg("156:01", dup151); + +var msg304 = msg("156", dup152); + +var select153 = linear_select([ + msg303, + msg304, +]); + +var msg305 = msg("157:01", dup151); + +var msg306 = msg("157", dup152); + +var select154 = linear_select([ + msg305, + msg306, +]); + +var msg307 = msg("158:01", dup151); + +var msg308 = msg("158", dup152); + +var select155 = linear_select([ + msg307, + msg308, +]); + +var msg309 = msg("159:01", dup151); + +var msg310 = msg("159", dup152); + +var select156 = linear_select([ + msg309, + msg310, +]); + +var msg311 = msg("160:01", dup151); + +var msg312 = msg("160", dup152); + +var select157 = 
linear_select([ + msg311, + msg312, +]); + +var msg313 = msg("161:01", dup151); + +var msg314 = msg("161", dup152); + +var select158 = linear_select([ + msg313, + msg314, +]); + +var msg315 = msg("162:01", dup151); + +var msg316 = msg("162", dup152); + +var select159 = linear_select([ + msg315, + msg316, +]); + +var msg317 = msg("163:01", dup151); + +var msg318 = msg("163", dup152); + +var select160 = linear_select([ + msg317, + msg318, +]); + +var msg319 = msg("164:01", dup151); + +var msg320 = msg("164", dup152); + +var select161 = linear_select([ + msg319, + msg320, +]); + +var msg321 = msg("165:01", dup151); + +var msg322 = msg("165", dup152); + +var select162 = linear_select([ + msg321, + msg322, +]); + +var msg323 = msg("166:01", dup151); + +var msg324 = msg("166", dup152); + +var select163 = linear_select([ + msg323, + msg324, +]); + +var msg325 = msg("167:01", dup151); + +var msg326 = msg("167", dup152); + +var select164 = linear_select([ + msg325, + msg326, +]); + +var msg327 = msg("168:01", dup151); + +var msg328 = msg("168", dup152); + +var select165 = linear_select([ + msg327, + msg328, +]); + +var msg329 = msg("169:01", dup151); + +var msg330 = msg("169", dup152); + +var select166 = linear_select([ + msg329, + msg330, +]); + +var msg331 = msg("170:01", dup169); + +var msg332 = msg("170", dup170); + +var select167 = linear_select([ + msg331, + msg332, +]); + +var msg333 = msg("171:01", dup151); + +var msg334 = msg("171", dup152); + +var select168 = linear_select([ + msg333, + msg334, +]); + +var msg335 = msg("172:01", dup169); + +var msg336 = msg("172", dup170); + +var select169 = linear_select([ + msg335, + msg336, +]); + +var msg337 = msg("173:01", dup151); + +var msg338 = msg("173", dup152); + +var select170 = linear_select([ + msg337, + msg338, +]); + +var msg339 = msg("174:01", dup151); + +var msg340 = msg("174", dup152); + +var select171 = linear_select([ + msg339, + msg340, +]); + +var msg341 = msg("175:01", dup151); + +var msg342 = msg("175", 
dup152); + +var select172 = linear_select([ + msg341, + msg342, +]); + +var msg343 = msg("176:01", dup151); + +var msg344 = msg("176", dup152); + +var select173 = linear_select([ + msg343, + msg344, +]); + +var msg345 = msg("177:01", dup151); + +var msg346 = msg("177", dup152); + +var select174 = linear_select([ + msg345, + msg346, +]); + +var msg347 = msg("178:01", dup151); + +var msg348 = msg("178", dup152); + +var select175 = linear_select([ + msg347, + msg348, +]); + +var msg349 = msg("179:01", dup169); + +var msg350 = msg("179", dup170); + +var select176 = linear_select([ + msg349, + msg350, +]); + +var msg351 = msg("180:01", dup169); + +var msg352 = msg("180", dup170); + +var select177 = linear_select([ + msg351, + msg352, +]); + +var msg353 = msg("181:01", dup169); + +var msg354 = msg("181", dup170); + +var select178 = linear_select([ + msg353, + msg354, +]); + +var msg355 = msg("182:01", dup169); + +var msg356 = msg("182", dup170); + +var select179 = linear_select([ + msg355, + msg356, +]); + +var msg357 = msg("183:01", dup169); + +var msg358 = msg("183", dup170); + +var select180 = linear_select([ + msg357, + msg358, +]); + +var msg359 = msg("184:01", dup169); + +var msg360 = msg("184", dup170); + +var select181 = linear_select([ + msg359, + msg360, +]); + +var msg361 = msg("185:01", dup169); + +var msg362 = msg("185", dup170); + +var select182 = linear_select([ + msg361, + msg362, +]); + +var msg363 = msg("186:01", dup151); + +var msg364 = msg("186", dup152); + +var select183 = linear_select([ + msg363, + msg364, +]); + +var msg365 = msg("187:01", dup169); + +var msg366 = msg("187", dup170); + +var select184 = linear_select([ + msg365, + msg366, +]); + +var msg367 = msg("188:01", dup169); + +var msg368 = msg("188", dup170); + +var select185 = linear_select([ + msg367, + msg368, +]); + +var msg369 = msg("189:01", dup169); + +var msg370 = msg("189", dup170); + +var select186 = linear_select([ + msg369, + msg370, +]); + +var msg371 = msg("191:01", dup151); + 
+var msg372 = msg("191", dup152); + +var select187 = linear_select([ + msg371, + msg372, +]); + +var msg373 = msg("192:01", dup169); + +var msg374 = msg("192", dup170); + +var select188 = linear_select([ + msg373, + msg374, +]); + +var msg375 = msg("193:01", dup151); + +var msg376 = msg("193", dup152); + +var select189 = linear_select([ + msg375, + msg376, +]); + +var msg377 = msg("194:01", dup169); + +var msg378 = msg("194", dup170); + +var select190 = linear_select([ + msg377, + msg378, +]); + +var msg379 = msg("195:01", dup169); + +var msg380 = msg("195", dup170); + +var select191 = linear_select([ + msg379, + msg380, +]); + +var msg381 = msg("196:01", dup151); + +var msg382 = msg("196", dup152); + +var select192 = linear_select([ + msg381, + msg382, +]); + +var msg383 = msg("197:01", dup151); + +var msg384 = msg("197", dup152); + +var select193 = linear_select([ + msg383, + msg384, +]); + +var msg385 = msg("198:01", dup169); + +var msg386 = msg("198", dup170); + +var select194 = linear_select([ + msg385, + msg386, +]); + +var msg387 = msg("199:01", dup169); + +var msg388 = msg("199", dup170); + +var select195 = linear_select([ + msg387, + msg388, +]); + +var msg389 = msg("200:01", dup169); + +var msg390 = msg("200", dup170); + +var select196 = linear_select([ + msg389, + msg390, +]); + +var msg391 = msg("201:01", dup169); + +var msg392 = msg("201", dup170); + +var select197 = linear_select([ + msg391, + msg392, +]); + +var msg393 = msg("202:01", dup169); + +var msg394 = msg("202", dup170); + +var select198 = linear_select([ + msg393, + msg394, +]); + +var msg395 = msg("203:01", dup169); + +var msg396 = msg("203", dup170); + +var select199 = linear_select([ + msg395, + msg396, +]); + +var msg397 = msg("204:01", dup151); + +var msg398 = msg("204", dup152); + +var select200 = linear_select([ + msg397, + msg398, +]); + +var msg399 = msg("205:01", dup151); + +var msg400 = msg("205", dup152); + +var select201 = linear_select([ + msg399, + msg400, +]); + +var msg401 = 
msg("206:01", dup151); + +var msg402 = msg("206", dup152); + +var select202 = linear_select([ + msg401, + msg402, +]); + +var msg403 = msg("207:01", dup151); + +var msg404 = msg("207", dup152); + +var select203 = linear_select([ + msg403, + msg404, +]); + +var msg405 = msg("208:01", dup151); + +var msg406 = msg("208", dup152); + +var select204 = linear_select([ + msg405, + msg406, +]); + +var msg407 = msg("209:01", dup169); + +var msg408 = msg("209", dup170); + +var select205 = linear_select([ + msg407, + msg408, +]); + +var msg409 = msg("211:01", dup169); + +var msg410 = msg("211", dup170); + +var select206 = linear_select([ + msg409, + msg410, +]); + +var msg411 = msg("212:01", dup169); + +var msg412 = msg("212", dup170); + +var select207 = linear_select([ + msg411, + msg412, +]); + +var msg413 = msg("213:01", dup169); + +var msg414 = msg("213", dup170); + +var select208 = linear_select([ + msg413, + msg414, +]); + +var msg415 = msg("214:01", dup151); + +var msg416 = msg("214", dup152); + +var select209 = linear_select([ + msg415, + msg416, +]); + +var msg417 = msg("215:01", dup151); + +var msg418 = msg("215", dup152); + +var select210 = linear_select([ + msg417, + msg418, +]); + +var msg419 = msg("216:01", dup151); + +var msg420 = msg("216", dup152); + +var select211 = linear_select([ + msg419, + msg420, +]); + +var msg421 = msg("217:01", dup169); + +var msg422 = msg("217", dup170); + +var select212 = linear_select([ + msg421, + msg422, +]); + +var msg423 = msg("218:01", dup169); + +var msg424 = msg("218", dup170); + +var select213 = linear_select([ + msg423, + msg424, +]); + +var msg425 = msg("219:01", dup169); + +var msg426 = msg("219", dup170); + +var select214 = linear_select([ + msg425, + msg426, +]); + +var msg427 = msg("220:01", dup169); + +var msg428 = msg("220", dup170); + +var select215 = linear_select([ + msg427, + msg428, +]); + +var msg429 = msg("221:01", dup169); + +var msg430 = msg("221", dup170); + +var select216 = linear_select([ + msg429, + 
msg430, +]); + +var msg431 = msg("222:01", dup151); + +var msg432 = msg("222", dup152); + +var select217 = linear_select([ + msg431, + msg432, +]); + +var msg433 = msg("223:01", dup169); + +var msg434 = msg("223", dup170); + +var select218 = linear_select([ + msg433, + msg434, +]); + +var msg435 = msg("224:01", dup169); + +var msg436 = msg("224", dup170); + +var select219 = linear_select([ + msg435, + msg436, +]); + +var msg437 = msg("229:01", dup169); + +var msg438 = msg("229", dup170); + +var select220 = linear_select([ + msg437, + msg438, +]); + +var msg439 = msg("230:01", dup151); + +var msg440 = msg("230", dup152); + +var select221 = linear_select([ + msg439, + msg440, +]); + +var msg441 = msg("231:01", dup151); + +var msg442 = msg("231", dup152); + +var select222 = linear_select([ + msg441, + msg442, +]); + +var msg443 = msg("232:01", dup151); + +var msg444 = msg("232", dup152); + +var select223 = linear_select([ + msg443, + msg444, +]); + +var msg445 = msg("233:01", dup151); + +var msg446 = msg("233", dup152); + +var select224 = linear_select([ + msg445, + msg446, +]); + +var msg447 = msg("236:01", dup153); + +var msg448 = msg("236", dup154); + +var select225 = linear_select([ + msg447, + msg448, +]); + +var msg449 = msg("237:01", dup169); + +var msg450 = msg("237", dup170); + +var select226 = linear_select([ + msg449, + msg450, +]); + +var msg451 = msg("238:01", dup151); + +var msg452 = msg("238", dup152); + +var select227 = linear_select([ + msg451, + msg452, +]); + +var msg453 = msg("239:01", dup169); + +var msg454 = msg("239", dup170); + +var select228 = linear_select([ + msg453, + msg454, +]); + +var msg455 = msg("240:01", dup169); + +var msg456 = msg("240", dup170); + +var select229 = linear_select([ + msg455, + msg456, +]); + +var msg457 = msg("241:01", dup169); + +var msg458 = msg("241", dup170); + +var select230 = linear_select([ + msg457, + msg458, +]); + +var msg459 = msg("243:01", dup151); + +var msg460 = msg("243", dup152); + +var select231 = 
linear_select([ + msg459, + msg460, +]); + +var msg461 = msg("244:01", dup151); + +var msg462 = msg("244", dup152); + +var select232 = linear_select([ + msg461, + msg462, +]); + +var msg463 = msg("246:01", dup169); + +var msg464 = msg("246", dup170); + +var select233 = linear_select([ + msg463, + msg464, +]); + +var msg465 = msg("247:01", dup169); + +var msg466 = msg("247", dup170); + +var select234 = linear_select([ + msg465, + msg466, +]); + +var msg467 = msg("248:01", dup151); + +var msg468 = msg("248", dup152); + +var select235 = linear_select([ + msg467, + msg468, +]); + +var msg469 = msg("249:01", dup151); + +var msg470 = msg("249", dup152); + +var select236 = linear_select([ + msg469, + msg470, +]); + +var msg471 = msg("250:01", dup151); + +var msg472 = msg("250", dup152); + +var select237 = linear_select([ + msg471, + msg472, +]); + +var msg473 = msg("251:01", dup169); + +var msg474 = msg("251", dup170); + +var select238 = linear_select([ + msg473, + msg474, +]); + +var msg475 = msg("252:01", dup169); + +var msg476 = msg("252", dup170); + +var select239 = linear_select([ + msg475, + msg476, +]); + +var msg477 = msg("253:01", dup151); + +var msg478 = msg("253", dup152); + +var select240 = linear_select([ + msg477, + msg478, +]); + +var msg479 = msg("254:01", dup169); + +var msg480 = msg("254", dup170); + +var select241 = linear_select([ + msg479, + msg480, +]); + +var msg481 = msg("255:01", dup151); + +var msg482 = msg("255", dup152); + +var select242 = linear_select([ + msg481, + msg482, +]); + +var msg483 = msg("256:01", dup169); + +var msg484 = msg("256", dup170); + +var select243 = linear_select([ + msg483, + msg484, +]); + +var msg485 = msg("257:01", dup169); + +var msg486 = msg("257", dup170); + +var select244 = linear_select([ + msg485, + msg486, +]); + +var msg487 = msg("259:01", dup169); + +var msg488 = msg("259", dup170); + +var select245 = linear_select([ + msg487, + msg488, +]); + +var msg489 = msg("260:01", dup151); + +var msg490 = msg("260", 
dup152); + +var select246 = linear_select([ + msg489, + msg490, +]); + +var msg491 = msg("261:01", dup151); + +var msg492 = msg("261", dup152); + +var select247 = linear_select([ + msg491, + msg492, +]); + +var msg493 = msg("262:01", dup151); + +var msg494 = msg("262", dup152); + +var select248 = linear_select([ + msg493, + msg494, +]); + +var msg495 = msg("263:01", dup151); + +var msg496 = msg("263", dup152); + +var select249 = linear_select([ + msg495, + msg496, +]); + +var msg497 = msg("264:01", dup169); + +var msg498 = msg("264", dup170); + +var select250 = linear_select([ + msg497, + msg498, +]); + +var msg499 = msg("265:01", dup169); + +var msg500 = msg("265", dup170); + +var select251 = linear_select([ + msg499, + msg500, +]); + +var msg501 = msg("266:01", dup169); + +var msg502 = msg("266", dup170); + +var select252 = linear_select([ + msg501, + msg502, +]); + +var msg503 = msg("267:01", dup169); + +var msg504 = msg("267", dup170); + +var select253 = linear_select([ + msg503, + msg504, +]); + +var msg505 = msg("268:01", dup169); + +var msg506 = msg("268", dup170); + +var select254 = linear_select([ + msg505, + msg506, +]); + +var msg507 = msg("269:01", dup151); + +var msg508 = msg("269", dup152); + +var select255 = linear_select([ + msg507, + msg508, +]); + +var msg509 = msg("270:01", dup169); + +var msg510 = msg("270", dup170); + +var select256 = linear_select([ + msg509, + msg510, +]); + +var msg511 = msg("271:01", dup151); + +var msg512 = msg("271", dup152); + +var select257 = linear_select([ + msg511, + msg512, +]); + +var msg513 = msg("272:01", dup169); + +var msg514 = msg("272", dup170); + +var select258 = linear_select([ + msg513, + msg514, +]); + +var msg515 = msg("273:01", dup169); + +var msg516 = msg("273", dup170); + +var select259 = linear_select([ + msg515, + msg516, +]); + +var msg517 = msg("274:01", dup169); + +var msg518 = msg("274", dup170); + +var select260 = linear_select([ + msg517, + msg518, +]); + +var msg519 = msg("275:01", dup169); + 
+var msg520 = msg("275", dup170); + +var select261 = linear_select([ + msg519, + msg520, +]); + +var msg521 = msg("276:01", dup169); + +var msg522 = msg("276", dup170); + +var select262 = linear_select([ + msg521, + msg522, +]); + +var msg523 = msg("277:01", dup169); + +var msg524 = msg("277", dup170); + +var select263 = linear_select([ + msg523, + msg524, +]); + +var msg525 = msg("278:01", dup169); + +var msg526 = msg("278", dup170); + +var select264 = linear_select([ + msg525, + msg526, +]); + +var msg527 = msg("279:01", dup169); + +var msg528 = msg("279", dup170); + +var select265 = linear_select([ + msg527, + msg528, +]); + +var msg529 = msg("280:01", dup151); + +var msg530 = msg("280", dup152); + +var select266 = linear_select([ + msg529, + msg530, +]); + +var msg531 = msg("281:01", dup151); + +var msg532 = msg("281", dup152); + +var select267 = linear_select([ + msg531, + msg532, +]); + +var msg533 = msg("282:01", dup169); + +var msg534 = msg("282", dup170); + +var select268 = linear_select([ + msg533, + msg534, +]); + +var msg535 = msg("283:01", dup169); + +var msg536 = msg("283", dup170); + +var select269 = linear_select([ + msg535, + msg536, +]); + +var msg537 = msg("284:01", dup151); + +var msg538 = msg("284", dup152); + +var select270 = linear_select([ + msg537, + msg538, +]); + +var msg539 = msg("285:01", dup159); + +var msg540 = msg("285", dup160); + +var select271 = linear_select([ + msg539, + msg540, +]); + +var msg541 = msg("286:01", dup169); + +var msg542 = msg("286", dup170); + +var select272 = linear_select([ + msg541, + msg542, +]); + +var msg543 = msg("287:01", dup169); + +var msg544 = msg("287", dup170); + +var select273 = linear_select([ + msg543, + msg544, +]); + +var msg545 = msg("288:01", dup169); + +var msg546 = msg("288", dup170); + +var select274 = linear_select([ + msg545, + msg546, +]); + +var msg547 = msg("289:01", dup169); + +var msg548 = msg("289", dup170); + +var select275 = linear_select([ + msg547, + msg548, +]); + +var msg549 = 
msg("290:01", dup169); + +var msg550 = msg("290", dup170); + +var select276 = linear_select([ + msg549, + msg550, +]); + +var msg551 = msg("291:01", dup169); + +var msg552 = msg("291", dup170); + +var select277 = linear_select([ + msg551, + msg552, +]); + +var msg553 = msg("292:01", dup169); + +var msg554 = msg("292", dup170); + +var select278 = linear_select([ + msg553, + msg554, +]); + +var msg555 = msg("293:01", dup169); + +var msg556 = msg("293", dup170); + +var select279 = linear_select([ + msg555, + msg556, +]); + +var msg557 = msg("294:01", dup169); + +var msg558 = msg("294", dup170); + +var select280 = linear_select([ + msg557, + msg558, +]); + +var msg559 = msg("295:01", dup169); + +var msg560 = msg("295", dup170); + +var select281 = linear_select([ + msg559, + msg560, +]); + +var msg561 = msg("296:01", dup169); + +var msg562 = msg("296", dup170); + +var select282 = linear_select([ + msg561, + msg562, +]); + +var msg563 = msg("297:01", dup151); + +var msg564 = msg("297", dup152); + +var select283 = linear_select([ + msg563, + msg564, +]); + +var msg565 = msg("298:01", dup151); + +var msg566 = msg("298", dup152); + +var select284 = linear_select([ + msg565, + msg566, +]); + +var msg567 = msg("299:01", dup169); + +var msg568 = msg("299", dup170); + +var select285 = linear_select([ + msg567, + msg568, +]); + +var part24 = match("MESSAGE#568:300:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + +var all1 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + dup194, + part24, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + dup24, + ]), +}); + +var msg569 = msg("300:02", all1); + +var part25 = tagval("MESSAGE#569:300:01", 
"nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup4, + dup2, + dup3, + dup24, +])); + +var msg570 = msg("300:01", part25); + +var msg571 = msg("300", dup154); + +var select286 = linear_select([ + msg569, + msg570, + msg571, +]); + +var msg572 = msg("301:01", dup163); + +var msg573 = msg("301", dup164); + +var select287 = linear_select([ + msg572, + msg573, +]); + +var part26 = match("MESSAGE#573:302:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld12};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + +var all2 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + dup194, + part26, + ], + on_success: processor_chain([ + dup21, + dup2, + dup3, + dup24, + ]), +}); + +var msg574 = msg("302:02", all2); + +var msg575 = msg("302:01", dup163); + +var msg576 = msg("302", dup164); + +var select288 = linear_select([ + msg574, + msg575, + msg576, +]); + +var msg577 = msg("303:01", dup163); + +var msg578 = msg("303", dup164); + +var select289 = linear_select([ + msg577, + msg578, +]); + +var part27 = match("MESSAGE#578:304:02/23_0", "nwparser.p0", 
"\"%{obj_type}\";ExtraDetails=\"DstHost=%{p0}"); + +var part28 = match("MESSAGE#578:304:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"DstHost=%{p0}"); + +var select290 = linear_select([ + part27, + part28, +]); + +var part29 = match("MESSAGE#578:304:02/24", "nwparser.p0", "%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + +var all3 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + select290, + part29, + ], + on_success: processor_chain([ + dup26, + dup2, + dup3, + dup24, + ]), +}); + +var msg579 = msg("304:02", all3); + +var msg580 = msg("304:01", dup169); + +var msg581 = msg("304", dup170); + +var select291 = linear_select([ + msg579, + msg580, + msg581, +]); + +var msg582 = msg("305:01", dup169); + +var msg583 = msg("305", dup170); + +var select292 = linear_select([ + msg582, + msg583, +]); + +var msg584 = msg("306:01", dup151); + +var msg585 = msg("306", dup152); + +var select293 = linear_select([ + msg584, + msg585, +]); + +var msg586 = msg("307:01", dup151); + +var msg587 = msg("307", dup152); + +var select294 = linear_select([ + msg586, + msg587, +]); + +var part30 = tagval("MESSAGE#587:308:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + 
"TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup78, + dup2, + dup3, +])); + +var msg588 = msg("308:01", part30); + +var part31 = match("MESSAGE#588:308", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup78, + dup2, +])); + +var msg589 = msg("308", part31); + +var select295 = linear_select([ + msg588, + msg589, +]); + +var part32 = tagval("MESSAGE#589:309:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, +])); + +var msg590 = msg("309:01", part32); + +var part33 = match("MESSAGE#590:309", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup9, + dup2, +])); + +var msg591 = msg("309", part33); + +var select296 = linear_select([ + msg590, + msg591, +]); + +var msg592 = msg("317:01", dup195); + +var msg593 = msg("317", dup196); + +var select297 = linear_select([ + msg592, + msg593, +]); + +var msg594 = msg("316:01", dup195); + +var msg595 = msg("316", dup196); + +var select298 = linear_select([ + msg594, + msg595, +]); + +var msg596 = msg("355:01", dup197); + +var msg597 = msg("355", dup198); + +var select299 = linear_select([ + msg596, + msg597, +]); + +var msg598 = msg("356:01", dup197); + +var msg599 = msg("356", dup198); + +var select300 = linear_select([ + msg598, + msg599, +]); + +var msg600 = msg("357:01", dup199); + +var msg601 = msg("357", dup200); + +var select301 = linear_select([ + msg600, + msg601, +]); + +var msg602 = msg("358:01", dup199); + +var msg603 = msg("358", dup200); + +var select302 = linear_select([ + msg602, + msg603, +]); + +var part34 = tagval("MESSAGE#603:190:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": 
"group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup84, + dup2, + dup3, +])); + +var msg604 = msg("190:01", part34); + +var part35 = match("MESSAGE#604:190", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup84, + dup2, +])); + +var msg605 = msg("190", part35); + +var select303 = linear_select([ + msg604, + msg605, +]); + +var msg606 = msg("5:01", dup161); + +var msg607 = msg("5", dup162); + +var select304 = linear_select([ + msg606, + msg607, +]); + +var msg608 = msg("310:01", dup153); + +var msg609 = msg("310", dup154); + +var select305 = linear_select([ + msg608, + msg609, +]); + +var msg610 = msg("311:01", dup153); + +var msg611 = msg("311", dup154); + +var select306 = linear_select([ + msg610, + msg611, +]); + +var msg612 = msg("312:01", dup153); + +var msg613 = msg("312", dup154); + +var select307 = linear_select([ + msg612, + msg613, +]); + +var msg614 = msg("313:01", dup153); + +var msg615 = msg("313", dup154); + +var select308 = linear_select([ + msg614, + msg615, +]); + +var msg616 = msg("359:01", dup153); + +var msg617 = msg("359", dup154); + +var select309 = linear_select([ + msg616, + msg617, +]); + +var msg618 = msg("372", dup201); + +var msg619 = msg("374", dup201); + +var msg620 = msg("376", dup201); + +var part36 = match("MESSAGE#620:411:01/17_0", "nwparser.p0", 
"\"%{fld89}\";LogonDomain=%{p0}"); + +var part37 = match("MESSAGE#620:411:01/17_1", "nwparser.p0", "%{fld89};LogonDomain=%{p0}"); + +var select310 = linear_select([ + part36, + part37, +]); + +var part38 = match("MESSAGE#620:411:01/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"Command=%{p0}"); + +var part39 = match("MESSAGE#620:411:01/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"Command=%{p0}"); + +var select311 = linear_select([ + part38, + part39, +]); + +var part40 = match("MESSAGE#620:411:01/24", "nwparser.p0", "%{param};ConnectionComponentId=%{fld67};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld11};RDPOffset=%{fld12};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};VIDOffset=%{fld13};"); + +var all4 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + select310, + dup189, + dup190, + dup191, + dup192, + dup193, + select311, + part40, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + dup24, + ]), +}); + +var msg621 = msg("411:01", all4); + +var part41 = match("MESSAGE#621:411/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};ProcessId=%{process_id};ProcessName=%{process};Protocol=%{protocol};PSMID=%{fld3};RDPOffset=%{fld4};SessionID=%{sessionid};SrcHost=%{shost};User=%{fld5};VIDOffset=%{fld6};\""); + +var select312 = linear_select([ + part41, + dup150, +]); + +var all5 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select312, + ], + 
on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), +}); + +var msg622 = msg("411", all5); + +var select313 = linear_select([ + msg621, + msg622, +]); + +var part42 = match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=\"%{directory}\";Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info}", processor_chain([ + dup4, + dup2, + dup3, +])); + +var msg623 = msg("385", part42); + +var part43 = match("MESSAGE#623:361/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};SSHOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); + +var select314 = linear_select([ + part43, + dup150, +]); + +var all6 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select314, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), +}); + +var msg624 = msg("361", all6); + +var part44 = match("MESSAGE#624:412/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};TXTOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); + +var select315 = linear_select([ + part44, + dup150, +]); + +var 
all7 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select315, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), +}); + +var msg625 = msg("412", all7); + +var msg626 = msg("378", dup153); + +var msg627 = msg("321", dup153); + +var msg628 = msg("322", dup153); + +var msg629 = msg("323", dup153); + +var msg630 = msg("318", dup153); + +var msg631 = msg("380", dup153); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "1": select2, + "10": select9, + "100": select99, + "101": select100, + "102": select101, + "103": select102, + "104": select103, + "105": select104, + "106": select105, + "107": select106, + "108": select107, + "109": select108, + "11": select10, + "110": select109, + "111": select110, + "112": select111, + "114": select112, + "115": select113, + "116": select114, + "117": select115, + "118": select116, + "119": select117, + "12": select11, + "120": select118, + "121": select119, + "122": select120, + "123": select121, + "124": select122, + "125": select123, + "126": select124, + "127": select125, + "128": select126, + "129": select127, + "13": select12, + "130": select128, + "131": select129, + "132": select130, + "133": select131, + "134": select132, + "135": select133, + "136": select134, + "137": select135, + "138": select136, + "139": select137, + "14": select13, + "140": select138, + "141": select139, + "142": select140, + "143": select141, + "144": select142, + "145": select143, + "146": select144, + "147": select145, + "148": select146, + "149": select147, + "15": select14, + "150": select148, + "152": select149, + 
"153": select150, + "154": select151, + "155": select152, + "156": select153, + "157": select154, + "158": select155, + "159": select156, + "16": select15, + "160": select157, + "161": select158, + "162": select159, + "163": select160, + "164": select161, + "165": select162, + "166": select163, + "167": select164, + "168": select165, + "169": select166, + "17": select16, + "170": select167, + "171": select168, + "172": select169, + "173": select170, + "174": select171, + "175": select172, + "176": select173, + "177": select174, + "178": select175, + "179": select176, + "18": select17, + "180": select177, + "181": select178, + "182": select179, + "183": select180, + "184": select181, + "185": select182, + "186": select183, + "187": select184, + "188": select185, + "189": select186, + "19": select18, + "190": select303, + "191": select187, + "192": select188, + "193": select189, + "194": select190, + "195": select191, + "196": select192, + "197": select193, + "198": select194, + "199": select195, + "2": select3, + "20": select19, + "200": select196, + "201": select197, + "202": select198, + "203": select199, + "204": select200, + "205": select201, + "206": select202, + "207": select203, + "208": select204, + "209": select205, + "21": select20, + "211": select206, + "212": select207, + "213": select208, + "214": select209, + "215": select210, + "216": select211, + "217": select212, + "218": select213, + "219": select214, + "22": select21, + "220": select215, + "221": select216, + "222": select217, + "223": select218, + "224": select219, + "229": select220, + "23": select22, + "230": select221, + "231": select222, + "232": select223, + "233": select224, + "236": select225, + "237": select226, + "238": select227, + "239": select228, + "24": select23, + "240": select229, + "241": select230, + "243": select231, + "244": select232, + "246": select233, + "247": select234, + "248": select235, + "249": select236, + "25": select24, + "250": select237, + "251": select238, + 
"252": select239, + "253": select240, + "254": select241, + "255": select242, + "256": select243, + "257": select244, + "259": select245, + "26": select25, + "260": select246, + "261": select247, + "262": select248, + "263": select249, + "264": select250, + "265": select251, + "266": select252, + "267": select253, + "268": select254, + "269": select255, + "27": select26, + "270": select256, + "271": select257, + "272": select258, + "273": select259, + "274": select260, + "275": select261, + "276": select262, + "277": select263, + "278": select264, + "279": select265, + "28": select27, + "280": select266, + "281": select267, + "282": select268, + "283": select269, + "284": select270, + "285": select271, + "286": select272, + "287": select273, + "288": select274, + "289": select275, + "29": select28, + "290": select276, + "291": select277, + "292": select278, + "293": select279, + "294": select280, + "295": select281, + "296": select282, + "297": select283, + "298": select284, + "299": select285, + "3": select4, + "30": select29, + "300": select286, + "301": select287, + "302": select288, + "303": select289, + "304": select291, + "305": select292, + "306": select293, + "307": select294, + "308": select295, + "309": select296, + "31": select30, + "310": select305, + "311": select306, + "312": select307, + "313": select308, + "316": select298, + "317": select297, + "318": msg630, + "32": select31, + "321": msg627, + "322": msg628, + "323": msg629, + "33": select32, + "34": select33, + "35": select34, + "355": select299, + "356": select300, + "357": select301, + "358": select302, + "359": select309, + "36": select35, + "361": msg624, + "37": select36, + "372": msg618, + "374": msg619, + "376": msg620, + "378": msg626, + "38": select37, + "380": msg631, + "385": msg623, + "39": select38, + "4": select5, + "40": select39, + "41": select40, + "411": select313, + "412": msg625, + "42": select41, + "43": select42, + "44": select43, + "45": select44, + "46": select45, + "47": 
select46, + "48": select47, + "49": select48, + "5": select304, + "50": select49, + "51": select50, + "52": select51, + "53": select52, + "54": select53, + "55": select54, + "56": select55, + "57": select56, + "58": select57, + "59": select58, + "60": select59, + "61": select60, + "62": select61, + "63": select62, + "64": select63, + "65": select64, + "66": select65, + "67": select66, + "68": select67, + "69": select68, + "7": select6, + "70": select69, + "71": select70, + "72": select71, + "73": select72, + "74": select73, + "75": select74, + "76": select75, + "77": select76, + "78": select77, + "79": select78, + "8": select7, + "80": select79, + "81": select80, + "82": select81, + "83": select82, + "84": select83, + "85": select84, + "86": select85, + "87": select86, + "88": select87, + "89": select88, + "9": select8, + "90": select89, + "91": select90, + "92": select91, + "93": select92, + "94": select93, + "95": select94, + "96": select95, + "97": select96, + "98": select97, + "99": select98, + }), +]); + +var part45 = match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); + +var part46 = match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); + +var part47 = match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); + +var part48 = match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); + +var part49 = match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); + +var part50 = match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); + +var part51 = match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); + +var part52 = match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); + +var part53 = match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); + +var part54 = match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%(unknown)\";Safe=%{p0}"); + +var part55 = match("MESSAGE#568:300:02/5_1", 
"nwparser.p0", "%(unknown);Safe=%{p0}"); + +var part56 = match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); + +var part57 = match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); + +var part58 = match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); + +var part59 = match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); + +var part60 = match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); + +var part61 = match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); + +var part62 = match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); + +var part63 = match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); + +var part64 = match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); + +var part65 = match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); + +var part66 = match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); + +var part67 = match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); + +var part68 = match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); + +var part69 = match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); + +var part70 = match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); + +var part71 = match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); + +var part72 = match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); + +var part73 = match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); + +var part74 = match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); + +var part75 = match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); + 
+var part76 = match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); + +var part77 = match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); + +var part78 = match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); + +var part79 = match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); + +var part80 = match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); + +var part81 = match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); + +var part82 = match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); + +var part83 = match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); + +var part84 = match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); + +var part85 = match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); + +var part86 = match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); + +var part87 = match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); + +var part88 = match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); + +var part89 = match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); + +var part90 = match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); + +var part91 = match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); + +var part92 = match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); + +var part93 = match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); + +var part94 = match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); + +var part95 = match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); + +var part96 = match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); + +var 
part97 = match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); + +var part98 = match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); + +var part99 = match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); + +var part100 = match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); + +var part101 = match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); + +var part102 = match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); + +var part103 = match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); + +var part104 = match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%(unknown)\";%{p0}"); + +var part105 = match("MESSAGE#621:411/9_1", "nwparser.p0", "%(unknown);%{p0}"); + +var part106 = match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); + +var part107 = match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); + +var part108 = match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); + +var part109 = match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); + +var part110 = match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); + +var part111 = match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); + +var part112 = match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); + +var part113 = match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); + +var part114 = match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); + +var part115 = match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); + +var part116 = match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); + +var part117 = match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); + +var part118 = match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); + +var part119 = match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); + +var part120 = match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); + +var 
part121 = match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); + +var part122 = match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); + +var part123 = match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); + +var part124 = match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); + +var part125 = match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); + +var part126 = match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); + +var part127 = match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); + +var part128 = match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); + +var part129 = match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); + +var part130 = match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); + +var part131 = match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); + +var part132 = match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); + +var part133 = match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); + +var part134 = match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); + +var part135 = match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); + +var part136 = match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); + +var part137 = match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); + +var part138 = match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); + +var part139 = match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); + +var part140 = match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); + +var part141 = match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); + +var part142 = match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); + +var part143 = match("MESSAGE#621:411/33_1", "nwparser.p0", 
"%{dhost};%{p0}"); + +var part144 = match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); + +var part145 = match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); + +var part146 = match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); + +var part147 = match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); + +var part148 = match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); + +var part149 = match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); + +var part150 = match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); + +var part151 = match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); + +var part152 = match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); + +var part153 = match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); + +var part154 = match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); + +var part155 = match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); + +var part156 = match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); + +var part157 = match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); + +var part158 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup1, + dup2, + dup3, +])); + +var part159 = match("MESSAGE#1:1", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup2, +])); + +var part160 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup4, + dup2, + dup3, +])); + +var part161 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup4, + dup2, +])); + +var part162 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { + 
"Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, +])); + +var part163 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, +])); + +var part164 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + 
"UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + dup3, +])); + +var part165 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, +])); + +var part166 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup19, + dup2, + dup3, +])); + +var part167 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup2, +])); + +var part168 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup15, + dup2, + dup3, +])); + +var part169 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup2, +])); + +var part170 = tagval("MESSAGE#38:22:01", "nwparser.payload", 
tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup21, + dup2, + dup3, +])); + +var part171 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup21, + dup2, +])); + +var part172 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", 
+}, processor_chain([ + dup23, + dup2, + dup3, +])); + +var part173 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup23, + dup2, +])); + +var part174 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup20, + dup2, + dup3, +])); + +var part175 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup2, +])); + +var part176 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup26, + dup2, + dup3, +])); + +var part177 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup26, + dup2, +])); + +var part178 = tagval("MESSAGE#190:98:01", 
"nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup26, + dup2, + dup3, + dup24, + dup25, +])); + +var select316 = linear_select([ + dup32, + dup33, +]); + +var select317 = linear_select([ + dup34, + dup35, +]); + +var select318 = linear_select([ + dup36, + dup37, +]); + +var select319 = linear_select([ + dup38, + dup39, +]); + +var select320 = linear_select([ + dup40, + dup41, +]); + +var select321 = linear_select([ + dup42, + dup43, +]); + +var select322 = linear_select([ + dup44, + dup45, +]); + +var select323 = linear_select([ + dup46, + dup47, +]); + +var select324 = linear_select([ + dup48, + dup49, +]); + +var select325 = linear_select([ + dup50, + dup51, +]); + +var select326 = linear_select([ + dup52, + dup53, +]); + +var select327 = linear_select([ + dup54, + dup55, +]); + +var select328 = linear_select([ + dup56, + dup57, +]); + +var select329 = linear_select([ + dup58, + dup59, +]); + +var select330 = linear_select([ + dup60, + dup61, +]); + +var select331 = linear_select([ + dup62, + dup63, +]); + +var select332 = linear_select([ + dup64, + dup65, +]); + +var select333 = linear_select([ + dup66, + dup67, +]); + +var select334 = linear_select([ + dup68, + dup69, +]); + +var select335 = linear_select([ + dup70, + dup71, +]); + +var select336 = linear_select([ + dup72, + dup73, +]); + +var select337 = linear_select([ + dup74, + dup75, +]); + +var 
select338 = linear_select([ + dup76, + dup77, +]); + +var part179 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup79, + dup80, + dup81, + dup2, + dup3, +])); + +var part180 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup79, + dup80, + dup81, + dup2, +])); + +var part181 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": 
"severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup82, + dup2, + dup3, +])); + +var part182 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup82, + dup2, +])); + +var part183 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup83, + dup2, + dup3, +])); + +var part184 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup83, + dup2, +])); + +var part185 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ + dup4, + dup2, + dup3, +])); + +var select339 = linear_select([ + dup85, + dup86, +]); + +var select340 = linear_select([ + dup88, + dup89, +]); + +var select341 = linear_select([ + dup91, + dup92, +]); + +var select342 = linear_select([ + dup94, + dup95, +]); + +var select343 = linear_select([ + dup97, + dup98, +]); + +var select344 = linear_select([ + dup100, + dup101, +]); + +var select345 = linear_select([ + dup103, + dup104, +]); + +var select346 = linear_select([ + dup106, + dup107, +]); + +var select347 = linear_select([ + dup109, + dup110, +]); + +var select348 = linear_select([ + dup112, + dup113, +]); + +var select349 = linear_select([ + dup115, + dup116, + dup117, + dup118, +]); + +var select350 = linear_select([ + dup120, + dup121, +]); + +var select351 = linear_select([ + dup123, + dup124, +]); + +var select352 = linear_select([ + dup126, + dup127, +]); + +var 
select353 = linear_select([ + dup129, + dup130, +]); + +var select354 = linear_select([ + dup132, + dup133, +]); + +var select355 = linear_select([ + dup135, + dup136, +]); + +var select356 = linear_select([ + dup138, + dup139, +]); + +var select357 = linear_select([ + dup141, + dup142, +]); + +var select358 = linear_select([ + dup144, + dup145, +]); + +var select359 = linear_select([ + dup147, + dup148, +]);
diff --git a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml
new file mode 100644
index 00000000000..c0e79ff34d6
--- /dev/null
+++ b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml
@@ -0,0 +1,64 @@
+---
+description: Pipeline for Cyber-Ark
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/cyberark/corepas/manifest.yml b/x-pack/filebeat/module/cyberark/corepas/manifest.yml
new file mode 100644
index 00000000000..068553fbee9
--- /dev/null
+++ b/x-pack/filebeat/module/cyberark/corepas/manifest.yml
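Review bot: The `on_failure` handler at the end of the hunk only appends `error.message`, so a document whose enrichment fails is still indexed looking like an ordinary CyberArk event and is hard to separate from good data in detection queries or dashboards. The usual fix in Elastic ingest pipelines is a second processor in the same handler, `- set:` / `field: event.kind` / `value: pipeline_error`, which keeps failed documents visible for triage without dropping them. The `user_agent` processor on `user_agent.original` appears to have no source field in the CyberArk messages shown in generated.log, so it is likely dead weight, though the RSA parser may map one that I cannot see here. Indentation in this hunk is collapsed on the page, so the structure is read from processor order rather than columns.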
@@ -0,0 +1,31 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["cyberark.corepas", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9543
+ - name: input
+ default: udp
+ - name: community_id
+ default: true
+ - name: tz_offset
+ default: local
+ - name: rsa_fields
+ default: true
+ - name: keep_raw_fields
+ default: false
+ - name: debug
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log b/x-pack/filebeat/module/cyberark/corepas/test/generated.log
new file mode 100644
index 00000000000..29dd49e5dab
--- /dev/null
+++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log
@@ -0,0 +1,100 @@ +2016-01-29 06:09:59.732538723 +0000 UTC eacommod1428.lan %CYBERARK: MessageID="188";exercita 1.1332",ProductAccount="itv",ProductProcess="odoco",EventId="ria",EventClass="min",EventSeverity="low",EventMessage="allow",ActingUserName="utl",ActingAddress="10.208.15.216",ActionSourceUser="tation",ActionTargetUser="quasiarc",ActionObject="liqua",ActionSafe="ciade",ActionLocation="turadipi",ActionCategory="aeca",ActionRequestId="idi",ActionReason="pexe",ActionExtraDetails="nes" +%CYBERARK: MessageID="168";Version=1.259;Message=block;Issuer=dolore;Station=10.92.136.230;File=ritquiin;Safe=umqui;Location=reeufugi;Category=mdolo;RequestId=mqui;Reason=nci;Severity=very-high;SourceUser=litesse;TargetUser=orev;GatewayStation=10.175.75.18;TicketID=deF;PolicyID=sist;UserName=nnumqu;LogonDomain=iatnu3810.mail.localdomain;Address=volup208.invalid;CPMStatus=eosquir;Port=5191;Database=umdo;DeviceType=itessequ;ExtraDetails=vol; +nibus 2016-02-26 20:15:08.252538723 +0000 UTC mipsumq3879.internal.localdomain %CYBERARK: MessageID="26";Version=1.7269;Message=accept;Issuer=incid;Station=10.51.132.10;File=utper;Safe=squame;Location=ntex;Category=eius;RequestId=luptat;Reason=emape;Severity=low;SourceUser=incidi;TargetUser=nse;GatewayStation=10.46.185.46;TicketID=temvel;PolicyID=iatu;UserName=serror;LogonDomain=anti4454.api.example;Address=tetu5280.www5.invalid;CPMStatus=tionulam;Port=2548;Database=byC;DeviceType=tinculp;ExtraDetails=tur; +2016-03-12 03:17:42.512538723 +0000 UTC minim7868.www5.localdomain %CYBERARK: MessageID="184";Version=1.6713;Message=deny;Issuer=psumquia;Station=10.53.192.140;File=con;Safe=uia;Location=quiavo;Category=issusci;RequestId=mol;Reason=taspe;Severity=high;SourceUser=psumq;TargetUser=atcup;GatewayStation=10.155.236.240;TicketID=tatno;PolicyID=dquiac;UserName=ptass;LogonDomain=uam6303.api.lan;Address=llu4762.mail.localdomain;CPMStatus=scivel;Port=5695;Database=aperi;DeviceType=iveli;ExtraDetails=llumd; +%CYBERARK: MessageID="161";emaper 
1.2638",ProductAccount="eos",ProductProcess="enimad",EventId="rmagni",EventClass="sit",EventSeverity="medium",EventMessage="cancel",ActingUserName="oremips",ActingAddress="10.81.199.122",ActionSourceUser="aquaeabi",ActionTargetUser="giatq",ActionObject="quid",ActionSafe="fug",ActionLocation="uatDuis",ActionCategory="ude",ActionRequestId="maveniam",ActionReason="uian",ActionExtraDetails="tempo" +eetd 2016-04-09 17:22:51.032538723 +0000 UTC eip1448.internal.local %CYBERARK: MessageID="139";Version=1.3491;Message=deny;Issuer=tcupida;Station=10.139.186.201;File=ect;Safe=reetdolo;Location=nrepreh;Category=obeataev;RequestId=lor;Reason=uidexea;Severity=medium;SourceUser=natura;TargetUser=aboris;GatewayStation=10.172.14.142;TicketID=ssitaspe;PolicyID=gitsedqu;UserName=uam;LogonDomain=temq1198.internal.example;Address=aquaeab2275.www5.domain;CPMStatus=ehend;Port=4091;Database=isiu;DeviceType=nimadmi;ExtraDetails=iatisu; +%CYBERARK: MessageID="106";Version=1.6875;Message=accept;Issuer=ipis;Station=10.47.76.251;File=eataevit;Safe=uptatev;Location=uovol;Category=dmi;RequestId=olab;Reason=mquisnos;Severity=medium;SourceUser=ore;TargetUser=etconsec;GatewayStation=10.104.111.129;TicketID=mUt;PolicyID=usmodte;UserName=ele;LogonDomain=tenbyCic5882.api.home;Address=amquisno3338.www5.lan;CPMStatus=nonnu;Port=776;Database=riat;DeviceType=luptatem;ExtraDetails=umdolor; +inB 2016-05-08 07:27:59.552538723 +0000 UTC deomni124.www.example %CYBERARK: MessageID="74";tae 1.1382",ProductAccount="animi",ProductProcess="oluptate",EventId="ofdeF",EventClass="tion",EventSeverity="very-high",EventMessage="deny",ActingUserName="quiratio",ActingAddress="10.116.120.216",ActionSourceUser="qua",ActionTargetUser="umdo",ActionObject="sed",ActionSafe="apariat",ActionLocation="mol",ActionCategory="pteursi",ActionRequestId="onse",ActionReason="rumet",ActionExtraDetails="oll" +Ciceroi 2016-05-22 14:30:33.812538723 +0000 UTC aveniam1436.www.test %CYBERARK: 
MessageID="144";Version=1.5529;Message=cancel;Issuer=taevi;Station=10.62.54.220;File=ehenderi;Safe=pidatat;Location=gni;Category=tquiinea;RequestId=mquaera;Reason=dun;Severity=medium;SourceUser=Duisau;TargetUser=psum;GatewayStation=10.57.40.29;TicketID=undeo;PolicyID=loremip;UserName=rnatura;LogonDomain=isqu7224.localdomain;Address=idolores3839.localdomain;CPMStatus=metcon;Port=2424;Database=emeumfug;DeviceType=upta;ExtraDetails=omn; +ons 2016-06-05 21:33:08.072538723 +0000 UTC tessec3539.home %CYBERARK: MessageID="240";nsect 1.6476",ProductAccount="tnon",ProductProcess="ionul",EventId="nibus",EventClass="edquiano",EventSeverity="medium",EventMessage="cancel",ActingUserName="ema",ActingAddress="10.74.237.180",ActionSourceUser="nsequu",ActionTargetUser="cup",ActionObject="boNemoen",ActionSafe="uid",ActionLocation="rors",ActionCategory="onofd",ActionRequestId="taed",ActionReason="lup",ActionExtraDetails="remeumf" +2016-06-20 04:35:42.332538723 +0000 UTC sectetur3333.mail.example %CYBERARK: MessageID="61";edqui 1.7780",ProductAccount="lor",ProductProcess="fugit",EventId="ido",EventClass="paqu",EventSeverity="high",EventMessage="allow",ActingUserName="remeum",ActingAddress="10.18.165.35",ActionSourceUser="admi",ActionTargetUser="modocons",ActionObject="elaudant",ActionSafe="tinvol",ActionLocation="dolore",ActionCategory="abor",ActionRequestId="iqui",ActionReason="etc",ActionExtraDetails="etM" +2016-07-04 11:38:16.592538723 +0000 UTC xercitat4824.local %CYBERARK: MessageID="90";ostr 1.4979",ProductAccount="onproide",ProductProcess="luptat",EventId="itaut",EventClass="imaven",EventSeverity="high",EventMessage="deny",ActingUserName="tema",ActingAddress="10.74.253.127",ActionSourceUser="tfug",ActionTargetUser="icab",ActionObject="mwr",ActionSafe="fugi",ActionLocation="inculpaq",ActionCategory="agna",ActionRequestId="tionemu",ActionReason="eomnisis",ActionExtraDetails="mqui" +errorsi 2016-07-18 18:40:50.852538723 +0000 UTC des5377.lan %CYBERARK: 
MessageID="385";Version=1.1697;Message=block;Issuer=ono;Station=10.189.109.245;File=emaperi;Safe=tame;Location="tinvol";Category=tectobe;RequestId=colabor;Reason=iusmodt;Severity=medium;GatewayStation=10.92.8.15;TicketID=agnaali;PolicyID=llitani;UserName=inima;LogonDomain=tlabo6088.www.localdomain;Address=Lor5841.internal.example;CPMStatus=sunt;Port="3075";Database=uines;DeviceType=nsec;ExtraDetails=onse +August 2 01:43:25 tat %CYBERARK: MessageID="190";tion 1.1761",ProductAccount="upt",ProductProcess="uiineavo",EventId="tisetq",EventClass="irati",EventSeverity="low",EventMessage="accept",ActingUserName="giatquov",ActingAddress="10.21.78.128",ActionSourceUser="riat",ActionTargetUser="taut",ActionObject="oreseos",ActionSafe="uames",ActionLocation="tati",ActionCategory="utaliqu",ActionRequestId="oriosamn",ActionReason="deFinibu",ActionExtraDetails="iadese" +%CYBERARK: MessageID="256";eporroqu 1.4200",ProductAccount="hil",ProductProcess="atquovo",EventId="suntinc",EventClass="xeac",EventSeverity="medium",EventMessage="deny",ActingUserName="tatn",ActingAddress="10.18.109.121",ActionSourceUser="ents",ActionTargetUser="pida",ActionObject="nse",ActionSafe="sinto",ActionLocation="emoeni",ActionCategory="oenimips",ActionRequestId="utlabore",ActionReason="ecillu",ActionExtraDetails="quip" +%CYBERARK: MessageID="105";Version=1.3727;Message=cancel;Issuer=iunt;Station=10.63.37.192;File=tio;Safe=orinrepr;Location=conse;Category=rumetM;RequestId=equi;Reason=agnaali;Severity=medium;SourceUser=sitvolup;TargetUser=reetd;GatewayStation=10.225.115.13;TicketID=maccusa;PolicyID=uptat;UserName=equep;LogonDomain=iavolu5352.localhost;Address=rpo79.mail.example;CPMStatus=siarchi;Port=2289;Database=aliqu;DeviceType=olupta;ExtraDetails=mipsumd; +remi 2016-09-13 22:51:07.892538723 +0000 UTC saute7154.internal.lan %CYBERARK: 
MessageID="105";Version=1.3219;Message=deny;Issuer=run;Station=10.47.202.102;File=quirat;Safe=llu;Location=licab;Category=eirure;RequestId=conseq;Reason=oidentsu;Severity=medium;SourceUser=aaliquaU;TargetUser=ntor;GatewayStation=10.95.64.124;TicketID=psaquae;PolicyID=ationemu;UserName=ice;LogonDomain=estiae3750.api.corp;Address=tionof7613.domain;CPMStatus=lapari;Port=2335;Database=ite;DeviceType=ationul;ExtraDetails=iquipex; +adol 2016-09-28 05:53:42.152538723 +0000 UTC doloremi7402.www.test %CYBERARK: MessageID="376";Version=1.6371;Message=block;Issuer=itquiin;Station=10.106.239.55;File=taevit;Safe=rinrepre;Location=etconse;Category=tincu;RequestId=ari;Reason=exercit;Severity=low;GatewayStation=10.244.114.61;TicketID=oluptate;PolicyID=onseq;UserName=serunt;LogonDomain=aquaeabi7735.internal.lan;Address=acc7692.home;CPMStatus=amest;Port="4147";Database=itame;DeviceType=intoc;ExtraDetails=oluptas; +2016-10-12 12:56:16.412538723 +0000 UTC luptasn2126.mail.home %CYBERARK: MessageID="24";Version=1.821;Message=allow;Issuer=ione;Station=10.125.160.129;File=suntexp;Safe=duntut;Location=magni;Category=pisciv;RequestId=iquidex;Reason=radipisc;Severity=low;SourceUser=nti;TargetUser=abi;GatewayStation=10.53.168.235;TicketID=fugitse;PolicyID=veniamq;UserName=one;LogonDomain=etMalor4236.www5.host;Address=quatD4191.local;CPMStatus=tenima;Port=5685;Database=sperna;DeviceType=eabilloi;ExtraDetails=estia; +orem 2016-10-26 19:58:50.672538723 +0000 UTC beata6448.mail.test %CYBERARK: MessageID="197";Version=1.1123;Message=allow;Issuer=tasuntex;Station=10.227.177.121;File=boN;Safe=eprehend;Location=aevit;Category=aboN;RequestId=ihilmo;Reason=radi;Severity=low;SourceUser=uames;TargetUser=iduntu;GatewayStation=10.33.245.220;TicketID=giatnu;PolicyID=ulapa;UserName=liqui;LogonDomain=quioffi1359.internal.lan;Address=eturadi6608.mail.host;CPMStatus=aera;Port=3366;Database=rvel;DeviceType=uid;ExtraDetails=onsecte; +November 10 03:01:24 edo %CYBERARK: 
MessageID="411";Version=1.5071;Message=allow;Issuer=econs;Station="10.98.182.220";File="untex";Safe="quiratio";Location="boree";Category="eco";RequestId=Utenimad;Reason=orpor;Severity="low";GatewayStation="10.167.85.181";TicketID=emvel;PolicyID="tmollita";UserName=fde;LogonDomain="nsecte3304.mail.corp";Address="eroi176.example";CPMStatus="non";Port="3341";Database=equat;DeviceType=derit;ExtraDetails="Command=dexea;ConnectionComponentId=atcu;DstHost=labor;ProcessId=6501;ProcessName=laboree.exe;Protocol=tcp;PSMID=intocc;RDPOffset=liqu;SessionID=eporr;SrcHost=xeacomm6855.api.corp;User=utlabor;VIDOffset=rau;" +November 24 10:03:59 aeabi %CYBERARK: MessageID="111";eiu 1.4456",ProductAccount="iciadese",ProductProcess="quidolor",EventId="tessec",EventClass="olupta",EventSeverity="high",EventMessage="block",ActingUserName="icabo",ActingAddress="10.89.208.95",ActionSourceUser="eleum",ActionTargetUser="sintoc",ActionObject="volupt",ActionSafe="siste",ActionLocation="uiinea",ActionCategory="Utenima",ActionRequestId="volupta",ActionReason="rcitati",ActionExtraDetails="eni" +Ute 2016-12-08 17:06:33.452538723 +0000 UTC sperna5368.mail.invalid %CYBERARK: MessageID="81";Version=1.509;Message=accept;Issuer=tDuisaut;Station=10.214.191.180;File=imvenia;Safe=spi;Location=stquido;Category=ommodico;RequestId=ptas;Reason=pta;Severity=medium;SourceUser=ptatemq;TargetUser=luptatev;GatewayStation=10.72.148.32;TicketID=ipsumd;PolicyID=ntocc;UserName=uteirure;LogonDomain=nevo4284.internal.local;Address=reetdolo6852.www.test;CPMStatus=nnum;Port=5428;Database=uamest;DeviceType=tco;ExtraDetails=uae; +%CYBERARK: 
MessageID="168";Version=1.3599;Message=block;Issuer=ipsumd;Station=10.136.190.236;File=evolu;Safe=ersp;Location=tquov;Category=diconseq;RequestId=inven;Reason=osquira;Severity=low;SourceUser=ataevi;TargetUser=com;GatewayStation=10.252.124.150;TicketID=trud;PolicyID=eriti;UserName=litessec;LogonDomain=itas981.mail.domain;Address=mporin6932.api.localdomain;CPMStatus=roid;Port=6604;Database=tasn;DeviceType=Nemoenim;ExtraDetails=squirati; +nbyCic 2017-01-06 07:11:41.972538723 +0000 UTC utlabor6305.internal.corp %CYBERARK: MessageID="90";Version=1.5649;Message=accept;Issuer=iquipe;Station=10.192.34.76;File=modtemp;Safe=quovol;Location=nve;Category=remag;RequestId=uredol;Reason=ccaecat;Severity=medium;SourceUser=onsequ;TargetUser=temqu;GatewayStation=10.213.144.249;TicketID=udexerci;PolicyID=naal;UserName=lore;LogonDomain=tnonpro7635.localdomain;Address=illoin2914.mail.lan;CPMStatus=uamni;Port=6895;Database=gnamal;DeviceType=metMalo;ExtraDetails=ntexplic; +%CYBERARK: MessageID="376";Version=1.2217;Message=accept;Issuer=untu;Station=10.154.4.197;File=con;Safe=nisist;Location=usmodte;Category=msequi;RequestId=tau;Reason=exercita;Severity=low;GatewayStation=10.216.84.30;TicketID=orumSe;PolicyID=boree;UserName=intoc;LogonDomain=rQuisau5300.www5.example;Address=evit5780.www.corp;CPMStatus=onev;Port="725";Database=oditem;DeviceType=gitsedqu;ExtraDetails=borios; +2017-02-03 21:16:50.492538723 +0000 UTC temUt631.www5.example %CYBERARK: MessageID="3";npr 1.4414",ProductAccount="niamqui",ProductProcess="boNem",EventId="ess",EventClass="ipisci",EventSeverity="medium",EventMessage="deny",ActingUserName="tqu",ActingAddress="10.143.193.199",ActionSourceUser="quam",ActionTargetUser="quid",ActionObject="fugiat",ActionSafe="atisun",ActionLocation="esci",ActionCategory="epre",ActionRequestId="tobeata",ActionReason="eroinBCS",ActionExtraDetails="inci" +February 18 04:19:24 rnatur %CYBERARK: 
MessageID="140";Version=1.5632;Message=deny;Issuer=essequam;Station=10.193.83.81;File=isisten;Safe=cusant;Location=atemq;Category=rinre;RequestId=naal;Reason=borios;Severity=high;SourceUser=isnostr;TargetUser=umqu;GatewayStation=10.65.175.9;TicketID=inesci;PolicyID=isnisi;UserName=ritatise;LogonDomain=uamei2389.internal.example;Address=uisa5736.internal.local;CPMStatus=cusant;Port=302;Database=ender;DeviceType=riamea;ExtraDetails=entorev; +%CYBERARK: MessageID="87";tutlab 1.792",ProductAccount="tatn",ProductProcess="dolorsit",EventId="sau",EventClass="aperia",EventSeverity="very-high",EventMessage="accept",ActingUserName="umdolo",ActingAddress="10.205.72.243",ActionSourceUser="stenatu",ActionTargetUser="isiuta",ActionObject="orsitam",ActionSafe="siutaliq",ActionLocation="dutp",ActionCategory="psaquaea",ActionRequestId="taevita",ActionReason="ameiusm",ActionExtraDetails="proide" +2017-03-18 18:24:33.272538723 +0000 UTC velitess7586.mail.example %CYBERARK: MessageID="45";nre 1.7231",ProductAccount="sit",ProductProcess="olab",EventId="eumiure",EventClass="ersp",EventSeverity="medium",EventMessage="allow",ActingUserName="mquisno",ActingAddress="10.107.9.163",ActionSourceUser="uptate",ActionTargetUser="mac",ActionObject="iumdol",ActionSafe="tpersp",ActionLocation="stla",ActionCategory="uptatema",ActionRequestId="oeni",ActionReason="tdol",ActionExtraDetails="sit" +April 2 01:27:07 psum %CYBERARK: MessageID="132";tasnulap 1.7220",ProductAccount="umSe",ProductProcess="xeacomm",EventId="cinge",EventClass="itla",EventSeverity="high",EventMessage="deny",ActingUserName="asiarc",ActingAddress="10.80.101.72",ActionSourceUser="uptate",ActionTargetUser="quidexea",ActionObject="ect",ActionSafe="modocons",ActionLocation="gitsed",ActionCategory="fugia",ActionRequestId="oditautf",ActionReason="quatu",ActionExtraDetails="veli" +April 16 08:29:41 labo %CYBERARK: 
MessageID="200";Version=1.267;Message=accept;Issuer=aboreetd;Station=10.235.136.109;File=lorin;Safe=pitl;Location=por;Category=quidexea;RequestId=nimid;Reason=runtmol;Severity=very-high;SourceUser=odi;TargetUser=ptass;GatewayStation=10.39.10.155;TicketID=dol;PolicyID=proiden;UserName=urExcept;LogonDomain=miurerep1152.internal.domain;Address=utlab3706.api.host;CPMStatus=dantium;Port=246;Database=teirured;DeviceType=onemulla;ExtraDetails=dolorem; +April 30 15:32:16 ationev %CYBERARK: MessageID="233";umdolor 1.4389",ProductAccount="itation",ProductProcess="paquioff",EventId="nci",EventClass="isau",EventSeverity="low",EventMessage="cancel",ActingUserName="ibusBon",ActingAddress="10.96.224.19",ActionSourceUser="nsequat",ActionTargetUser="doloreme",ActionObject="dun",ActionSafe="reprehe",ActionLocation="tincu",ActionCategory="suntin",ActionRequestId="itse",ActionReason="umexerc",ActionExtraDetails="oremipsu" +2017-05-14 22:34:50.312538723 +0000 UTC ntsunt4826.mail.corp %CYBERARK: MessageID="170";olo 1.237",ProductAccount="aec",ProductProcess="fdeF",EventId="iquidexe",EventClass="diconse",EventSeverity="medium",EventMessage="cancel",ActingUserName="reseo",ActingAddress="10.71.238.250",ActionSourceUser="consequa",ActionTargetUser="moenimi",ActionObject="olupt",ActionSafe="oconsequ",ActionLocation="edquiac",ActionCategory="urerepr",ActionRequestId="eseru",ActionReason="quamest",ActionExtraDetails="mac" +%CYBERARK: MessageID="294";Version=1.3804;Message=deny;Issuer=rationev;Station=10.226.20.199;File=tatem;Safe=untutlab;Location=amcor;Category=ica;RequestId=lillum;Reason=remips;Severity=low;SourceUser=taedicta;TargetUser=ritt;GatewayStation=10.226.101.180;TicketID=itesseq;PolicyID=dictasun;UserName=veniamqu;LogonDomain=rum5798.home;Address=mvel1188.internal.localdomain;CPMStatus=tetur;Port=2694;Database=conse;DeviceType=ipi;ExtraDetails=imveniam; +June 12 12:39:58 licabo %CYBERARK: 
MessageID="13";Version=1.1493;Message=cancel;Issuer=utaliqu;Station=10.86.22.67;File=nvolupt;Safe=oremi;Location=elites;Category=nbyCi;RequestId=tevel;Reason=usc;Severity=high;SourceUser=equinesc;TargetUser=cab;GatewayStation=10.134.65.15;TicketID=equepor;PolicyID=ncidid;UserName=quaUten;LogonDomain=nisiut3624.api.example;Address=perspici5680.domain;CPMStatus=iconseq;Port=2039;Database=isciv;DeviceType=rroqu;ExtraDetails=nofd; +%CYBERARK: MessageID="358";ilmol 1.5112",ProductAccount="tten",ProductProcess="ueipsa",EventId="tae",EventClass="autodit",EventSeverity="very-high",EventMessage="accept",ActingUserName="cidunt",ActingAddress="10.70.147.120",ActionSourceUser="exeaco",ActionTargetUser="emqu",ActionObject="nderi",ActionSafe="acommod",ActionLocation="itsedd",ActionCategory="leumiur",ActionRequestId="eratvol",ActionReason="quidol",ActionExtraDetails="eaqu" +luptatem 2017-07-11 02:45:07.352538723 +0000 UTC uaeratv3432.invalid %CYBERARK: MessageID="160";Version=1.6255;Message=cancel;Issuer=dqu;Station=10.178.242.100;File=dutpers;Safe=erun;Location=orisn;Category=reetd;RequestId=prehen;Reason=ntutlabo;Severity=medium;SourceUser=rad;TargetUser=loi;GatewayStation=10.24.111.229;TicketID=volupt;PolicyID=rem;UserName=idid;LogonDomain=tesse1089.www.host;Address=ptateve6909.www5.lan;CPMStatus=toccaec;Port=7645;Database=tenatuse;DeviceType=psaqua;ExtraDetails=ullamcor; +2017-07-25 09:47:41.612538723 +0000 UTC cupi1867.www5.test %CYBERARK: MessageID="67";orroq 1.6677",ProductAccount="ritati",ProductProcess="orisni",EventId="ons",EventClass="remagn",EventSeverity="very-high",EventMessage="deny",ActingUserName="mmodoc",ActingAddress="10.211.179.168",ActionSourceUser="atu",ActionTargetUser="untincul",ActionObject="ssecil",ActionSafe="commodi",ActionLocation="emporain",ActionCategory="ntiumto",ActionRequestId="umetMalo",ActionReason="oluptas",ActionExtraDetails="emvele" +Sedut 2017-08-08 16:50:15.872538723 +0000 UTC yCiceroi2786.www.test %CYBERARK: MessageID="141";iquamqua 
1.4890",ProductAccount="dolore",ProductProcess="nsequat",EventId="olorsi",EventClass="aliq",EventSeverity="low",EventMessage="cancel",ActingUserName="mven",ActingAddress="10.30.243.163",ActionSourceUser="oremag",ActionTargetUser="illu",ActionObject="ruredo",ActionSafe="mac",ActionLocation="temUt",ActionCategory="ptassita",ActionRequestId="its",ActionReason="lore",ActionExtraDetails="idol" +2017-08-22 23:52:50.132538723 +0000 UTC urmag7650.api.invalid %CYBERARK: MessageID="26";Version=1.1844;Message=cancel;Issuer=amvo;Station=10.6.79.159;File=ommodo;Safe=uptat;Location=idex;Category=ptateve;RequestId=cons;Reason=olorese;Severity=high;SourceUser=ore;TargetUser=quid;GatewayStation=10.212.214.4;TicketID=ddoeius;PolicyID=ugiatn;UserName=midestl;LogonDomain=dictasun3878.internal.localhost;Address=modocon5089.mail.example;CPMStatus=lupta;Port=5112;Database=urExce;DeviceType=asi;ExtraDetails=ectiono; +onu 2017-09-06 06:55:24.392538723 +0000 UTC liquaUte6729.api.localhost %CYBERARK: MessageID="150";Version=1.3546;Message=deny;Issuer=atDu;Station=10.237.170.202;File=maperi;Safe=agnaaliq;Location=tlaboree;Category=norumet;RequestId=dtempo;Reason=tin;Severity=low;SourceUser=mve;TargetUser=liquide;GatewayStation=10.70.147.46;TicketID=inv;PolicyID=rroq;UserName=rcit;LogonDomain=aecatcup2241.www5.test;Address=tempor1282.www5.localhost;CPMStatus=incidid;Port=7699;Database=taedict;DeviceType=edquian;ExtraDetails=loremeu; +dmi 2017-09-20 13:57:58.652538723 +0000 UTC untexpl2847.www5.local %CYBERARK: MessageID="292";Version=1.4282;Message=allow;Issuer=emoe;Station=10.179.50.138;File=ehende;Safe=eaqueip;Location=eum;Category=lamc;RequestId=umetMal;Reason=asper;Severity=high;SourceUser=metcons;TargetUser=itasper;GatewayStation=10.228.118.81;TicketID=temquiav;PolicyID=obeata;UserName=tatemU;LogonDomain=mad5185.www5.localhost;Address=mipsum2964.invalid;CPMStatus=doei;Port=6825;Database=toditaut;DeviceType=voluptat;ExtraDetails=ugit; +October 4 21:00:32 asnu %CYBERARK: 
MessageID="38";Version=1.3806;Message=cancel;Issuer=henderit;Station=10.49.71.118;File=ationul;Safe=mquisn;Location=queips;Category=midest;RequestId=dex;Reason=ccae;Severity=medium;SourceUser=eavolup;TargetUser=emip;GatewayStation=10.234.165.130;TicketID=ntexplic;PolicyID=uto;UserName=iuntNequ;LogonDomain=esseq7889.www.invalid;Address=veniamq1236.invalid;CPMStatus=emo;Port=1458;Database=veniamqu;DeviceType=licaboN;ExtraDetails=atquo; +udan 2017-10-19 04:03:07.172538723 +0000 UTC yCic5749.www.localhost %CYBERARK: MessageID="119";itanim 1.4024",ProductAccount="olorema",ProductProcess="mollita",EventId="tatem",EventClass="iae",EventSeverity="low",EventMessage="allow",ActingUserName="emip",ActingAddress="10.199.5.49",ActionSourceUser="stquid",ActionTargetUser="turadipi",ActionObject="usmodi",ActionSafe="ree",ActionLocation="saquaea",ActionCategory="ation",ActionRequestId="luptas",ActionReason="minim",ActionExtraDetails="ataevi" +%CYBERARK: MessageID="156";plic 1.7053",ProductAccount="utlabo",ProductProcess="tetur",EventId="tionula",EventClass="ritqu",EventSeverity="very-high",EventMessage="allow",ActingUserName="uamei",ActingAddress="10.193.219.34",ActionSourceUser="onse",ActionTargetUser="olorem",ActionObject="turvel",ActionSafe="eratv",ActionLocation="ipsa",ActionCategory="asuntexp",ActionRequestId="adminim",ActionReason="orisni",ActionExtraDetails="nse" +November 16 18:08:15 nderi %CYBERARK: MessageID="202";Version=1.7083;Message=allow;Issuer=animid;Station=10.120.167.217;File=atuse;Safe=ueipsa;Location=scipitl;Category=eumi;RequestId=quasiarc;Reason=olli;Severity=low;SourceUser=tetura;TargetUser=rsp;GatewayStation=10.174.185.109;TicketID=roquisqu;PolicyID=edolorin;UserName=dolorem;LogonDomain=tem6815.home;Address=taliqui5348.mail.localdomain;CPMStatus=loremag;Port=6816;Database=tsuntinc;DeviceType=inrepreh;ExtraDetails=quovo; +%CYBERARK: 
MessageID="133";Version=1.1432;Message=cancel;Issuer=atev;Station=10.117.137.159;File=acommodi;Safe=essecill;Location=billoi;Category=moles;RequestId=dipiscin;Reason=olup;Severity=high;SourceUser=undeomni;TargetUser=accusa;GatewayStation=10.141.213.219;TicketID=itat;PolicyID=stlaboru;UserName=ate;LogonDomain=mporainc2064.home;Address=atnulapa3548.www.domain;CPMStatus=radipisc;Port=5347;Database=nibus;DeviceType=vitaed;ExtraDetails=ser; +2017-12-15 08:13:24.212538723 +0000 UTC ill6772.www.invalid %CYBERARK: MessageID="104";Version=1.4043;Message=cancel;Issuer=rem;Station=10.166.90.130;File=mdolore;Safe=eosquira;Location=pta;Category=snos;RequestId=orsi;Reason=tetura;Severity=very-high;SourceUser=lorsita;TargetUser=eavol;GatewayStation=10.94.224.229;TicketID=lupta;PolicyID=npr;UserName=etconsec;LogonDomain=caboNem1043.internal.home;Address=litesseq6785.host;CPMStatus=tob;Port=7390;Database=oditempo;DeviceType=doeiu;ExtraDetails=deF; +rcitat 2017-12-29 15:15:58.472538723 +0000 UTC dolorema2984.www.home %CYBERARK: MessageID="316";Version=1.2456;Message=deny;Issuer=tiumto;Station=10.38.28.151;File=nrepreh;Safe=ratv;Location=alorum;Category=mquisn;RequestId=atq;Reason=erspi;Severity=low;SourceUser=ugiatquo;TargetUser=incidid;GatewayStation=10.201.81.46;TicketID=sBonor;PolicyID=fugits;UserName=mipsumqu;LogonDomain=tatio6513.www.invalid;Address=onnu2272.mail.corp;CPMStatus=atatnon;Port=6064;Database=abor;DeviceType=magnid;ExtraDetails=adol; +January 12 22:18:32 niam %CYBERARK: MessageID="266";Version=1.2721;Message=deny;Issuer=rerepre;Station=10.214.245.95;File=quiineav;Safe=billoinv;Location=sci;Category=col;RequestId=obea;Reason=emp;Severity=medium;SourceUser=luptas;TargetUser=uptatem;GatewayStation=10.255.28.56;TicketID=inrepr;PolicyID=mol;UserName=umdolors;LogonDomain=dolori6232.api.invalid;Address=llit958.www.domain;CPMStatus=tat;Port=2957;Database=odt;DeviceType=cillumd;ExtraDetails=riosa; +January 27 05:21:06 lapar %CYBERARK: MessageID="311";ritati 
1.3219",ProductAccount="qui",ProductProcess="otamr",EventId="nim",EventClass="ame",EventSeverity="very-high",EventMessage="cancel",ActingUserName="mip",ActingAddress="10.45.35.180",ActionSourceUser="mvolupta",ActionTargetUser="Utenima",ActionObject="iqua",ActionSafe="luptat",ActionLocation="deriti",ActionCategory="sintocc",ActionRequestId="cididu",ActionReason="uteir",ActionExtraDetails="boree" +February 10 12:23:41 diduntu %CYBERARK: MessageID="285";eiusmod 1.7546",ProductAccount="ess",ProductProcess="uide",EventId="scivel",EventClass="henderi",EventSeverity="low",EventMessage="accept",ActingUserName="enim",ActingAddress="10.141.200.133",ActionSourceUser="ersp",ActionTargetUser="iame",ActionObject="orroquis",ActionSafe="aquio",ActionLocation="riatu",ActionCategory="loinve",ActionRequestId="tanimid",ActionReason="isnostru",ActionExtraDetails="nofdeFi" +%CYBERARK: MessageID="155";ulap 1.3765",ProductAccount="illoi",ProductProcess="reetdolo",EventId="rationev",EventClass="ehender",EventSeverity="medium",EventMessage="accept",ActingUserName="ugi",ActingAddress="10.83.238.145",ActionSourceUser="ptatems",ActionTargetUser="runtmo",ActionObject="ore",ActionSafe="isund",ActionLocation="exerci",ActionCategory="tas",ActionRequestId="oraincid",ActionReason="quaer",ActionExtraDetails="eetdo" +2018-03-11 02:28:49.772538723 +0000 UTC aali6869.api.localdomain %CYBERARK: MessageID="48";Version=1.3147;Message=block;Issuer=sedquiac;Station=10.39.143.155;File=ipsaqu;Safe=nisiut;Location=rumwri;Category=velill;RequestId=ore;Reason=tation;Severity=very-high;SourceUser=porincid;TargetUser=tperspic;GatewayStation=10.41.89.217;TicketID=ict;PolicyID=squirati;UserName=tem;LogonDomain=mestq2106.api.host;Address=llamc6724.www.lan;CPMStatus=tesseci;Port=4020;Database=radipis;DeviceType=cive;ExtraDetails=nse; +isnisiu 2018-03-25 09:31:24.032538723 +0000 UTC suntincu2940.www5.domain %CYBERARK: 
MessageID="378";Version=1.6382;Message=accept;Issuer=minim;Station=10.5.5.1;File=reseosq;Safe=gna;Location=isiutali;Category=lumqu;RequestId=onulamco;Reason=ons;Severity=low;SourceUser=uptat;TargetUser=unt;GatewayStation=10.153.123.20;TicketID=tla;PolicyID=mquiad;UserName=CSe;LogonDomain=lors7553.api.local;Address=reseosqu1629.mail.lan;CPMStatus=utemvel;Port=5325;Database=atu;DeviceType=iusm;ExtraDetails=roi; +2018-04-08 16:33:58.292538723 +0000 UTC rere5274.mail.domain %CYBERARK: MessageID="269";Version=1.3193;Message=deny;Issuer=iamea;Station=10.210.61.109;File=tiumto;Safe=cor;Location=odoco;Category=oin;RequestId=itseddoe;Reason=elites;Severity=low;SourceUser=uamei;TargetUser=eursinto;GatewayStation=10.168.132.175;TicketID=licaboNe;PolicyID=tautfug;UserName=giatquov;LogonDomain=olu5333.www.domain;Address=orumSe4514.www.corp;CPMStatus=umquam;Port=80;Database=ici;DeviceType=nisiuta;ExtraDetails=iquaUt; +%CYBERARK: MessageID="176";atnula 1.5038",ProductAccount="lmo",ProductProcess="iquidex",EventId="olup",EventClass="remipsu",EventSeverity="low",EventMessage="accept",ActingUserName="quiac",ActingAddress="10.123.154.17",ActionSourceUser="etdol",ActionTargetUser="dolorsi",ActionObject="nturmag",ActionSafe="tura",ActionLocation="osquirat",ActionCategory="equat",ActionRequestId="aliquid",ActionReason="usantiu",ActionExtraDetails="idunt" +%CYBERARK: MessageID="4";min 1.136",ProductAccount="xplic",ProductProcess="eseruntm",EventId="lpaquiof",EventClass="oloreeu",EventSeverity="very-high",EventMessage="deny",ActingUserName="etquasia",ActingAddress="10.169.123.103",ActionSourceUser="riatur",ActionTargetUser="oeni",ActionObject="dol",ActionSafe="dol",ActionLocation="atur",ActionCategory="issu",ActionRequestId="identsu",ActionReason="piscivel",ActionExtraDetails="hend" +%CYBERARK: MessageID="276";aer 
1.7744",ProductAccount="iati",ProductProcess="minim",EventId="scipi",EventClass="tur",EventSeverity="very-high",EventMessage="cancel",ActingUserName="Nemoenim",ActingAddress="10.126.205.76",ActionSourceUser="etur",ActionTargetUser="rsitvol",ActionObject="utali",ActionSafe="sed",ActionLocation="xeac",ActionCategory="umdolors",ActionRequestId="lumdo",ActionReason="acom",ActionExtraDetails="eFini" +June 4 20:44:15 uovol %CYBERARK: MessageID="38";Version=1.3184;Message=accept;Issuer=eufug;Station=10.164.66.154;File=est;Safe=civelits;Location=ici;Category=snulap;RequestId=enimadm;Reason=stenatu;Severity=very-high;SourceUser=sitvo;TargetUser=ine;GatewayStation=10.169.101.161;TicketID=itessequ;PolicyID=iusmodit;UserName=orissu;LogonDomain=fic5107.home;Address=mmodoco2581.www5.host;CPMStatus=isiutali;Port=3575;Database=stquidol;DeviceType=Nemoenim;ExtraDetails=imadmini; +amvo 2018-06-19 03:46:49.592538723 +0000 UTC tnul6235.www5.lan %CYBERARK: MessageID="79";isau 1.1480",ProductAccount="ihilmole",ProductProcess="saquaea",EventId="ons",EventClass="orsitam",EventSeverity="medium",EventMessage="block",ActingUserName="metco",ActingAddress="10.70.83.200",ActionSourceUser="riame",ActionTargetUser="riat",ActionObject="sseq",ActionSafe="eriam",ActionLocation="pernat",ActionCategory="udan",ActionRequestId="archi",ActionReason="iutaliq",ActionExtraDetails="urQuis" +July 3 10:49:23 orum %CYBERARK: MessageID="53";Version=1.4887;Message=block;Issuer=madminim;Station=10.207.97.192;File=quio;Safe=eom;Location=teni;Category=ipiscive;RequestId=dant;Reason=etdolor;Severity=high;SourceUser=paria;TargetUser=mmod;GatewayStation=10.134.55.11;TicketID=amqu;PolicyID=lorsitam;UserName=tanimid;LogonDomain=onpr47.api.home;Address=oremqu7663.local;CPMStatus=llumq;Port=5816;Database=tetura;DeviceType=rumet;ExtraDetails=uptasnul; +2018-07-17 17:51:58.112538723 +0000 UTC nde2358.mail.corp %CYBERARK: 
MessageID="75";Version=1.3601;Message=cancel;Issuer=texplica;Station=10.52.150.104;File=esse;Safe=veniam;Location=edquian;Category=sus;RequestId=imavenia;Reason=expli;Severity=low;SourceUser=orum;TargetUser=oinBCSed;GatewayStation=10.31.187.19;TicketID=ilm;PolicyID=mvel;UserName=eritq;LogonDomain=rehen4859.api.host;Address=eve234.www5.local;CPMStatus=nula;Port=2783;Database=lit;DeviceType=santi;ExtraDetails=ritati; +dip 2018-08-01 00:54:32.372538723 +0000 UTC idolo5292.local %CYBERARK: MessageID="89";Version=1.3175;Message=allow;Issuer=runtm;Station=10.41.232.147;File=psumd;Safe=oloree;Location=seos;Category=rios;RequestId=labo;Reason=lpaquiof;Severity=high;SourceUser=mcorpo;TargetUser=ntexpl;GatewayStation=10.61.175.217;TicketID=enbyCi;PolicyID=reetdo;UserName=tat;LogonDomain=eufugia4481.corp;Address=fficia2304.www5.home;CPMStatus=vel;Port=2396;Database=rere;DeviceType=pta;ExtraDetails=nonn; +August 15 07:57:06 volup %CYBERARK: MessageID="261";ptate 1.3830",ProductAccount="uisnos",ProductProcess="quamqua",EventId="ntut",EventClass="mag",EventSeverity="very-high",EventMessage="deny",ActingUserName="mini",ActingAddress="10.150.30.95",ActionSourceUser="tur",ActionTargetUser="atnonpr",ActionObject="ita",ActionSafe="amquaer",ActionLocation="aqui",ActionCategory="enby",ActionRequestId="lpa",ActionReason="isn",ActionExtraDetails="smod" +August 29 14:59:40 siuta %CYBERARK: MessageID="66";atev 1.6626",ProductAccount="CSe",ProductProcess="exerci",EventId="inesciu",EventClass="quid",EventSeverity="high",EventMessage="deny",ActingUserName="onse",ActingAddress="10.98.71.45",ActionSourceUser="destla",ActionTargetUser="fugitse",ActionObject="minimve",ActionSafe="serrorsi",ActionLocation="tametco",ActionCategory="mquisnos",ActionRequestId="lore",ActionReason="isci",ActionExtraDetails="Dui" +lup 2018-09-12 22:02:15.152538723 +0000 UTC iumtotam1010.www5.corp %CYBERARK: MessageID="168";userror 
1.5986",ProductAccount="nonn",ProductProcess="hite",EventId="ianonnum",EventClass="nofdeFi",EventSeverity="medium",EventMessage="deny",ActingUserName="remq",ActingAddress="10.252.251.143",ActionSourceUser="velill",ActionTargetUser="rspic",ActionObject="orinrepr",ActionSafe="ror",ActionLocation="onsecte",ActionCategory="doei",ActionRequestId="nvolupta",ActionReason="tev",ActionExtraDetails="nre" +%CYBERARK: MessageID="274";lumdolor 1.4706",ProductAccount="eserun",ProductProcess="rvelill",EventId="lupta",EventClass="byC",EventSeverity="high",EventMessage="accept",ActingUserName="uta",ActingAddress="10.197.203.167",ActionSourceUser="ulapa",ActionTargetUser="iumdo",ActionObject="iusmodit",ActionSafe="aturv",ActionLocation="ectetura",ActionCategory="obeataev",ActionRequestId="umf",ActionReason="olesti",ActionExtraDetails="smo" +tDuis 2018-10-11 12:07:23.672538723 +0000 UTC iqu1643.www.host %CYBERARK: MessageID="96";inim 1.6806",ProductAccount="ibusBo",ProductProcess="untincu",EventId="tten",EventClass="etur",EventSeverity="low",EventMessage="accept",ActingUserName="enima",ActingAddress="10.187.170.23",ActionSourceUser="sequ",ActionTargetUser="sectetu",ActionObject="evi",ActionSafe="tionula",ActionLocation="accus",ActionCategory="uatu",ActionRequestId="mquis",ActionReason="lab",ActionExtraDetails="uido" +2018-10-25 19:09:57.932538723 +0000 UTC nimadmin5577.corp %CYBERARK: MessageID="61";Version=1.3824;Message=allow;Issuer=tinculpa;Station=10.123.62.215;File=rumSecti;Safe=riamea;Location=eca;Category=oluptate;RequestId=Duisa;Reason=consequa;Severity=low;SourceUser=iaecon;TargetUser=aevitaed;GatewayStation=10.250.248.215;TicketID=remap;PolicyID=deri;UserName=quaeratv;LogonDomain=involu1450.www.localhost;Address=udexerc2708.api.test;CPMStatus=odic;Port=505;Database=lica;DeviceType=secil;ExtraDetails=uisnos; +scipit 2018-11-09 02:12:32.192538723 +0000 UTC lloinve551.internal.local %CYBERARK: 
MessageID="372";Version=1.3759;Message=block;Issuer=isiutali;Station=10.146.57.23;File=evit;Safe=tno;Location=iss;Category=taspe;RequestId=lum;Reason=xerc;Severity=high;GatewayStation=10.147.154.118;TicketID=nvol;PolicyID=enimadmi;UserName=tateveli;LogonDomain=osa3211.www5.example;Address=temvele5776.www.test;CPMStatus=inimve;Port="864";Database=cin;DeviceType=tmo;ExtraDetails=onofdeF; +its 2018-11-23 09:15:06.452538723 +0000 UTC uptasnul2751.www5.corp %CYBERARK: MessageID="232";ostrudex 1.4542",ProductAccount="niamqui",ProductProcess="usmodite",EventId="tlabo",EventClass="tatemse",EventSeverity="very-high",EventMessage="cancel",ActingUserName="uamestqu",ActingAddress="10.193.33.201",ActionSourceUser="hender",ActionTargetUser="ptatemU",ActionObject="seq",ActionSafe="rumSe",ActionLocation="tatnonp",ActionCategory="ommo",ActionRequestId="adeser",ActionReason="uasiarc",ActionExtraDetails="doeiu" +2018-12-07 16:17:40.712538723 +0000 UTC atuserro6791.internal.host %CYBERARK: MessageID="24";upta 1.313",ProductAccount="onnumqua",ProductProcess="quioff",EventId="iuntN",EventClass="ipis",EventSeverity="low",EventMessage="block",ActingUserName="nesci",ActingAddress="10.154.172.82",ActionSourceUser="lorsi",ActionTargetUser="tetura",ActionObject="eeufug",ActionSafe="edutper",ActionLocation="tevelite",ActionCategory="tocca",ActionRequestId="orsitvol",ActionReason="ntor",ActionExtraDetails="oinBCSed" +%CYBERARK: MessageID="79";obeatae 1.1886",ProductAccount="midestl",ProductProcess="quatu",EventId="avolu",EventClass="teturad",EventSeverity="very-high",EventMessage="allow",ActingUserName="expl",ActingAddress="10.47.63.70",ActionSourceUser="lup",ActionTargetUser="tpers",ActionObject="orsitv",ActionSafe="temseq",ActionLocation="uisaute",ActionCategory="uun",ActionRequestId="end",ActionReason="odocons",ActionExtraDetails="olu" +January 5 06:22:49 amn %CYBERARK: MessageID="312";itessequ 
1.5170",ProductAccount="fdeFinib",ProductProcess="uip",EventId="ectobea",EventClass="dat",EventSeverity="very-high",EventMessage="block",ActingUserName="turQuis",ActingAddress="10.178.160.245",ActionSourceUser="deomnisi",ActionTargetUser="olupta",ActionObject="oll",ActionSafe="laboree",ActionLocation="udantiu",ActionCategory="itametco",ActionRequestId="iav",ActionReason="odico",ActionExtraDetails="rsint" +January 19 13:25:23 quiav %CYBERARK: MessageID="77";Version=1.6648;Message=block;Issuer=Nem;Station=10.85.13.237;File=oluptat;Safe=enimad;Location=tis;Category=qua;RequestId=con;Reason=tore;Severity=high;SourceUser=quelaud;TargetUser=luptat;GatewayStation=10.89.154.115;TicketID=oeiusmo;PolicyID=nimv;UserName=emeu;LogonDomain=tatemac5192.www5.test;Address=teursint1321.www5.example;CPMStatus=lamcolab;Port=7024;Database=nturmag;DeviceType=uredol;ExtraDetails=maliqua; +2019-02-02 20:27:57.752538723 +0000 UTC omnisi5530.mail.example %CYBERARK: MessageID="308";Version=1.3387;Message=allow;Issuer=itame;Station=10.222.32.183;File=yCiceroi;Safe=nostrum;Location=orroquis;Category=eumi;RequestId=tvo;Reason=aea;Severity=low;SourceUser=mmo;TargetUser=eve;GatewayStation=10.65.207.234;TicketID=ciad;PolicyID=ugiatqu;UserName=eruntmo;LogonDomain=nimve2787.mail.test;Address=boreet2051.internal.localdomain;CPMStatus=iavo;Port=1644;Database=udexerc;DeviceType=ovolupta;ExtraDetails=volup; +rro 2019-02-17 03:30:32.012538723 +0000 UTC tuser6944.local %CYBERARK: MessageID="54";iarchite 1.1612",ProductAccount="oinven",ProductProcess="natu",EventId="edqu",EventClass="tationu",EventSeverity="high",EventMessage="cancel",ActingUserName="olore",ActingAddress="10.16.181.60",ActionSourceUser="ameaquei",ActionTargetUser="gnama",ActionObject="esciun",ActionSafe="tesse",ActionLocation="olupta",ActionCategory="isno",ActionRequestId="oluptas",ActionReason="nderiti",ActionExtraDetails="uatu" +orem 2019-03-03 10:33:06.272538723 +0000 UTC giatqu1484.internal.corp %CYBERARK: MessageID="208";oreseosq 
1.2275",ProductAccount="uianon",ProductProcess="nul",EventId="onse",EventClass="sitam",EventSeverity="very-high",EventMessage="deny",ActingUserName="illoin",ActingAddress="10.91.213.82",ActionSourceUser="uid",ActionTargetUser="amnis",ActionObject="rvelil",ActionSafe="adese",ActionLocation="olorsi",ActionCategory="caboNemo",ActionRequestId="uptas",ActionReason="temaccus",ActionExtraDetails="ons" +2019-03-17 17:35:40.532538723 +0000 UTC oreeu3666.invalid %CYBERARK: MessageID="48";tis 1.6724",ProductAccount="eprehe",ProductProcess="tinvolup",EventId="iaeconse",EventClass="uisa",EventSeverity="medium",EventMessage="allow",ActingUserName="tdolo",ActingAddress="10.204.214.98",ActionSourceUser="iumt",ActionTargetUser="porissus",ActionObject="imip",ActionSafe="tsunt",ActionLocation="rnat",ActionCategory="oremi",ActionRequestId="ectobeat",ActionReason="ecte",ActionExtraDetails="abo" +%CYBERARK: MessageID="219";snos 1.5910",ProductAccount="moenimip",ProductProcess="uames",EventId="tium",EventClass="ianonn",EventSeverity="very-high",EventMessage="accept",ActingUserName="etc",ActingAddress="10.223.178.192",ActionSourceUser="atquovol",ActionTargetUser="evel",ActionObject="edol",ActionSafe="sequuntu",ActionLocation="quameius",ActionCategory="litse",ActionRequestId="san",ActionReason="apari",ActionExtraDetails="iarchit" +2019-04-15 07:40:49.052538723 +0000 UTC nsequat6724.www.invalid %CYBERARK: MessageID="183";Version=1.801;Message=cancel;Issuer=ati;Station=10.26.137.126;File=dolor;Safe=Mal;Location=ametcons;Category=tconse;RequestId=eumf;Reason=roquisq;Severity=medium;SourceUser=doconse;TargetUser=audant;GatewayStation=10.26.33.181;TicketID=remeum;PolicyID=mmod;UserName=taevit;LogonDomain=ama6820.mail.example;Address=umto3015.mail.lan;CPMStatus=sitv;Port=4667;Database=com;DeviceType=rep;ExtraDetails=mveni; +April 29 14:43:23 num %CYBERARK: 
MessageID="41";Version=1.10;Message=accept;Issuer=quaerat;Station=10.148.195.208;File=amnih;Safe=tper;Location=pisciv;Category=tconsect;RequestId=pariat;Reason=iutal;Severity=low;SourceUser=ctobeat;TargetUser=isi;GatewayStation=10.142.161.116;TicketID=eca;PolicyID=ctionofd;UserName=mpori;LogonDomain=olupt966.www5.corp;Address=etquasia1800.www.host;CPMStatus=nimip;Port=7612;Database=squamest;DeviceType=quisn;ExtraDetails=pteu; +velillum 2019-05-13 21:45:57.572538723 +0000 UTC ntNequ7639.internal.localdomain %CYBERARK: MessageID="270";Version=1.1026;Message=block;Issuer=itinvo;Station=10.107.24.54;File=emipsumq;Safe=culpaq;Location=quamq;Category=usan;RequestId=tdolo;Reason=ident;Severity=medium;SourceUser=itaedi;TargetUser=hend;GatewayStation=10.10.174.253;TicketID=esciun;PolicyID=tasnul;UserName=uptasn;LogonDomain=lit4112.www.localhost;Address=quisquam2153.mail.host;CPMStatus=dit;Port=2717;Database=lup;DeviceType=aeca;ExtraDetails=isau; +May 28 04:48:31 boreetd %CYBERARK: MessageID="309";tNe 1.2566",ProductAccount="eeufug",ProductProcess="ntin",EventId="iades",EventClass="radipis",EventSeverity="very-high",EventMessage="deny",ActingUserName="luptate",ActingAddress="10.87.92.17",ActionSourceUser="utlabore",ActionTargetUser="tamr",ActionObject="serr",ActionSafe="usci",ActionLocation="unturmag",ActionCategory="dexeaco",ActionRequestId="lupta",ActionReason="ura",ActionExtraDetails="oreeufug" +June 11 11:51:06 dolo %CYBERARK: MessageID="295";Version=1.5649;Message=deny;Issuer=Finibus;Station=10.161.51.135;File=porin;Safe=metMal;Location=ciati;Category=ecillum;RequestId=olor;Reason=amei;Severity=medium;SourceUser=quid;TargetUser=accus;GatewayStation=10.231.51.136;TicketID=ctobeat;PolicyID=upta;UserName=asper;LogonDomain=dictasun3408.internal.invalid;Address=secte1774.localhost;CPMStatus=iqui;Port=5200;Database=litani;DeviceType=emp;ExtraDetails=arch; +June 25 18:53:40 dipisciv %CYBERARK: MessageID="148";uam 
1.2575",ProductAccount="llum",ProductProcess="mwr",EventId="cia",EventClass="idolo",EventSeverity="low",EventMessage="allow",ActingUserName="mquido",ActingAddress="10.51.17.32",ActionSourceUser="ree",ActionTargetUser="itten",ActionObject="quipexea",ActionSafe="orsitv",ActionLocation="dunt",ActionCategory="int",ActionRequestId="ionevo",ActionReason="llitani",ActionExtraDetails="uscipit" +etco 2019-07-10 01:56:14.612538723 +0000 UTC iuntN4077.www.invalid %CYBERARK: MessageID="260";isnostru 1.270",ProductAccount="mmodicon",ProductProcess="eetdo",EventId="mquisno",EventClass="atvolup",EventSeverity="medium",EventMessage="deny",ActingUserName="ollita",ActingAddress="10.108.123.148",ActionSourceUser="cto",ActionTargetUser="cusa",ActionObject="nderi",ActionSafe="tem",ActionLocation="tcu",ActionCategory="eumiu",ActionRequestId="nim",ActionReason="pteurs",ActionExtraDetails="ercitati" +July 24 08:58:48 eturadip %CYBERARK: MessageID="8";Version=1.425;Message=accept;Issuer=rsitamet;Station=10.114.0.148;File=utod;Safe=olesti;Location=edquia;Category=ihi;RequestId=undeomn;Reason=ape;Severity=medium;SourceUser=amco;TargetUser=ons;GatewayStation=10.198.187.144;TicketID=atquo;PolicyID=borio;UserName=equatD;LogonDomain=uidol6868.mail.localdomain;Address=uido2773.www5.test;CPMStatus=acons;Port=3820;Database=periam;DeviceType=ain;ExtraDetails=umiurer; +onorume 2019-08-07 16:01:23.132538723 +0000 UTC abill5290.lan %CYBERARK: MessageID="89";mini 1.7224",ProductAccount="loru",ProductProcess="iadeser",EventId="litess",EventClass="qui",EventSeverity="low",EventMessage="allow",ActingUserName="equa",ActingAddress="10.61.140.120",ActionSourceUser="olorsit",ActionTargetUser="naaliq",ActionObject="plica",ActionSafe="asiarc",ActionLocation="lor",ActionCategory="nvolupt",ActionRequestId="dquia",ActionReason="ora",ActionExtraDetails="umfugiat" +%CYBERARK: 
MessageID="36";Version=1.6988;Message=deny;Issuer=ite;Station=10.93.24.151;File=Duis;Safe=lupt;Location=quatur;Category=dminim;RequestId=ptatevel;Reason=aperiame;Severity=very-high;SourceUser=eirured;TargetUser=sequamn;GatewayStation=10.149.238.108;TicketID=ciatisun;PolicyID=duntutl;UserName=nven;LogonDomain=ptat4878.lan;Address=quame1852.www.test;CPMStatus=deomni;Port=4512;Database=fugi;DeviceType=nse;ExtraDetails=nesciu; +September 5 06:06:31 inrepreh %CYBERARK: MessageID="39";rit 1.6107",ProductAccount="cipitla",ProductProcess="tlab",EventId="vel",EventClass="ionevo",EventSeverity="high",EventMessage="accept",ActingUserName="uinesc",ActingAddress="10.101.45.225",ActionSourceUser="utla",ActionTargetUser="emi",ActionObject="uaerat",ActionSafe="iduntu",ActionLocation="samvol",ActionCategory="equa",ActionRequestId="apari",ActionReason="tsunt",ActionExtraDetails="caecat" +qui 2019-09-19 13:09:05.912538723 +0000 UTC caboN3124.mail.home %CYBERARK: MessageID="8";catcupid 1.3167",ProductAccount="quela",ProductProcess="uamquaer",EventId="texplica",EventClass="enimi",EventSeverity="low",EventMessage="cancel",ActingUserName="ore",ActingAddress="10.2.204.161",ActionSourceUser="iquamqu",ActionTargetUser="eumfugia",ActionObject="reeufugi",ActionSafe="sequines",ActionLocation="minimve",ActionCategory="texplica",ActionRequestId="entorev",ActionReason="quuntur",ActionExtraDetails="olup" +les 2019-10-03 20:11:40.172538723 +0000 UTC norumet2571.internal.example %CYBERARK: MessageID="89";temp 1.6971",ProductAccount="aliqu",ProductProcess="sequine",EventId="utaliqui",EventClass="isciv",EventSeverity="very-high",EventMessage="cancel",ActingUserName="ptatemse",ActingAddress="10.33.112.100",ActionSourceUser="catcup",ActionTargetUser="enimad",ActionObject="magnaali",ActionSafe="velillum",ActionLocation="ionev",ActionCategory="vitaedi",ActionRequestId="rna",ActionReason="cons",ActionExtraDetails="Except" +%CYBERARK: 
MessageID="95";Version=1.3175;Message=block;Issuer=neavol;Station=10.94.152.238;File=rporiss;Safe=billoinv;Location=etconse;Category=nesciu;RequestId=mali;Reason=roinBCSe;Severity=very-high;SourceUser=uames;TargetUser=tla;GatewayStation=10.151.110.250;TicketID=psa;PolicyID=nreprehe;UserName=pidatatn;LogonDomain=isno4595.local;Address=lla5407.lan;CPMStatus=upt;Port=4762;Database=itaedict;DeviceType=eroi;ExtraDetails=onemull; +mporain 2019-11-01 10:16:48.692538723 +0000 UTC eratvo7756.localdomain %CYBERARK: MessageID="179";Version=1.4965;Message=allow;Issuer=alorumwr;Station=10.146.61.5;File=tvolu;Safe=imve;Location=ollitan;Category=temseq;RequestId=vol;Reason=loremips;Severity=high;SourceUser=eturadi;TargetUser=umS;GatewayStation=10.77.9.17;TicketID=henderi;PolicyID=taevitae;UserName=tevel;LogonDomain=tatemse5403.home;Address=iquipexe4708.api.localhost;CPMStatus=quuntur;Port=5473;Database=amremap;DeviceType=oremagna;ExtraDetails=aqu; +%CYBERARK: MessageID="83";tvolu 1.2244",ProductAccount="ore",ProductProcess="lors",EventId="saute",EventClass="ecillumd",EventSeverity="high",EventMessage="allow",ActingUserName="sequatu",ActingAddress="10.128.102.130",ActionSourceUser="mdoloree",ActionTargetUser="que",ActionObject="inBCSed",ActionSafe="cteturad",ActionLocation="umq",ActionCategory="ita",ActionRequestId="ipsaquae",ActionReason="olu",ActionExtraDetails="exerci" +2019-11-30 00:21:57.212538723 +0000 UTC moen6809.internal.example %CYBERARK: MessageID="150";Version=1.7701;Message=cancel;Issuer=reseo;Station=10.31.86.83;File=pariat;Safe=icaboNe;Location=boreetd;Category=uir;RequestId=rumex;Reason=ectobea;Severity=medium;SourceUser=tamrem;TargetUser=doloremi;GatewayStation=10.200.162.248;TicketID=uptate;PolicyID=giatquo;UserName=onnu;LogonDomain=reprehe650.www.corp;Address=oremip4070.www5.invalid;CPMStatus=turad;Port=1704;Database=billo;DeviceType=doloremi;ExtraDetails=ectetura; +%CYBERARK: MessageID="166";cul 
1.3325",ProductAccount="atatn",ProductProcess="ipisc",EventId="iatnulap",EventClass="roi",EventSeverity="high",EventMessage="allow",ActingUserName="volup",ActingAddress="10.103.215.159",ActionSourceUser="ddoeiusm",ActionTargetUser="apa",ActionObject="archite",ActionSafe="tur",ActionLocation="ddo",ActionCategory="emp",ActionRequestId="inBC",ActionReason="did",ActionExtraDetails="atcupi"
diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json
new file mode 100644
index 00000000000..6df370af4bb
--- /dev/null
+++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json
@@ -0,0 +1,5584 @@ +[ + { + "event.action": "allow", + "event.code": "ria", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2016-01-29 06:09:59.732538723 +0000 UTC eacommod1428.lan %CYBERARK: MessageID=\"188\";exercita 1.1332\",ProductAccount=\"itv\",ProductProcess=\"odoco\",EventId=\"ria\",EventClass=\"min\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"utl\",ActingAddress=\"10.208.15.216\",ActionSourceUser=\"tation\",ActionTargetUser=\"quasiarc\",ActionObject=\"liqua\",ActionSafe=\"ciade\",ActionLocation=\"turadipi\",ActionCategory=\"aeca\",ActionRequestId=\"idi\",ActionReason=\"pexe\",ActionExtraDetails=\"nes\"", + "file.directory": "turadipi", + "file.name": "liqua", + "fileset.name": "corepas", + "host.ip": "10.208.15.216", + "input.type": "log", + "log.level": "low", + "log.offset": 0, + "observer.product": "exercita", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1332", + "related.ip": [ + "10.208.15.216" + ], + "related.user": [ + "itv", + "quasiarc", + "utl" + ], + "rsa.db.index": "nes", + "rsa.internal.event_desc": "pexe", + "rsa.internal.messageid": "188", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "aeca", + "rsa.misc.group_object": "ciade", + "rsa.misc.reference_id": "ria", + "rsa.misc.reference_id1": "idi", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.1332", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "utl" + }, + { + "destination.address": "volup208.invalid", + "destination.port": 5191, + "event.action": "block", + "event.code": "168", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: 
MessageID=\"168\";Version=1.259;Message=block;Issuer=dolore;Station=10.92.136.230;File=ritquiin;Safe=umqui;Location=reeufugi;Category=mdolo;RequestId=mqui;Reason=nci;Severity=very-high;SourceUser=litesse;TargetUser=orev;GatewayStation=10.175.75.18;TicketID=deF;PolicyID=sist;UserName=nnumqu;LogonDomain=iatnu3810.mail.localdomain;Address=volup208.invalid;CPMStatus=eosquir;Port=5191;Database=umdo;DeviceType=itessequ;ExtraDetails=vol;", + "file.directory": "reeufugi", + "file.name": "ritquiin", + "fileset.name": "corepas", + "group.name": "litesse", + "host.ip": "10.92.136.230", + "input.type": "log", + "log.level": "very-high", + "log.offset": 477, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.259", + "related.hosts": [ + "iatnu3810.mail.localdomain", + "volup208.invalid" + ], + "related.ip": [ + "10.175.75.18", + "10.92.136.230" + ], + "related.user": [ + "dolore", + "nnumqu", + "orev" + ], + "rsa.db.database": "umdo", + "rsa.db.index": "vol", + "rsa.internal.event_desc": "nci", + "rsa.internal.messageid": "168", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "mdolo", + "rsa.misc.disposition": "eosquir", + "rsa.misc.group": "litesse", + "rsa.misc.group_object": "umqui", + "rsa.misc.obj_type": "itessequ", + "rsa.misc.operation_id": "deF", + "rsa.misc.policy_name": "sist", + "rsa.misc.reference_id": "168", + "rsa.misc.reference_id1": "mqui", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.259", + "rsa.network.domain": "iatnu3810.mail.localdomain", + "rsa.network.host_dst": "volup208.invalid", + "server.domain": "iatnu3810.mail.localdomain", + "server.registered_domain": "mail.localdomain", + "server.subdomain": "iatnu3810", + "server.top_level_domain": "localdomain", + "service.type": "cyberark", + "source.ip": [ + "10.175.75.18" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "dolore" + }, + { + "destination.address": "tetu5280.www5.invalid", + 
"destination.port": 2548, + "event.action": "accept", + "event.code": "26", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "nibus 2016-02-26 20:15:08.252538723 +0000 UTC mipsumq3879.internal.localdomain %CYBERARK: MessageID=\"26\";Version=1.7269;Message=accept;Issuer=incid;Station=10.51.132.10;File=utper;Safe=squame;Location=ntex;Category=eius;RequestId=luptat;Reason=emape;Severity=low;SourceUser=incidi;TargetUser=nse;GatewayStation=10.46.185.46;TicketID=temvel;PolicyID=iatu;UserName=serror;LogonDomain=anti4454.api.example;Address=tetu5280.www5.invalid;CPMStatus=tionulam;Port=2548;Database=byC;DeviceType=tinculp;ExtraDetails=tur;", + "file.directory": "ntex", + "file.name": "utper", + "fileset.name": "corepas", + "group.name": "incidi", + "host.ip": "10.51.132.10", + "input.type": "log", + "log.level": "low", + "log.offset": 921, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7269", + "related.hosts": [ + "anti4454.api.example", + "tetu5280.www5.invalid" + ], + "related.ip": [ + "10.46.185.46", + "10.51.132.10" + ], + "related.user": [ + "incid", + "nse", + "serror" + ], + "rsa.db.database": "byC", + "rsa.db.index": "tur", + "rsa.internal.event_desc": "emape", + "rsa.internal.messageid": "26", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "eius", + "rsa.misc.disposition": "tionulam", + "rsa.misc.group": "incidi", + "rsa.misc.group_object": "squame", + "rsa.misc.obj_type": "tinculp", + "rsa.misc.operation_id": "temvel", + "rsa.misc.policy_name": "iatu", + "rsa.misc.reference_id": "26", + "rsa.misc.reference_id1": "luptat", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7269", + "rsa.network.domain": "anti4454.api.example", + "rsa.network.host_dst": "tetu5280.www5.invalid", + "server.domain": "anti4454.api.example", + "server.registered_domain": "api.example", + "server.subdomain": "anti4454", + "server.top_level_domain": "example", 
+ "service.type": "cyberark", + "source.ip": [ + "10.46.185.46" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "incid" + }, + { + "destination.address": "llu4762.mail.localdomain", + "destination.port": 5695, + "event.action": "deny", + "event.code": "184", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2016-03-12 03:17:42.512538723 +0000 UTC minim7868.www5.localdomain %CYBERARK: MessageID=\"184\";Version=1.6713;Message=deny;Issuer=psumquia;Station=10.53.192.140;File=con;Safe=uia;Location=quiavo;Category=issusci;RequestId=mol;Reason=taspe;Severity=high;SourceUser=psumq;TargetUser=atcup;GatewayStation=10.155.236.240;TicketID=tatno;PolicyID=dquiac;UserName=ptass;LogonDomain=uam6303.api.lan;Address=llu4762.mail.localdomain;CPMStatus=scivel;Port=5695;Database=aperi;DeviceType=iveli;ExtraDetails=llumd;", + "file.directory": "quiavo", + "file.name": "con", + "fileset.name": "corepas", + "group.name": "psumq", + "host.ip": "10.53.192.140", + "input.type": "log", + "log.level": "high", + "log.offset": 1433, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6713", + "related.hosts": [ + "llu4762.mail.localdomain", + "uam6303.api.lan" + ], + "related.ip": [ + "10.155.236.240", + "10.53.192.140" + ], + "related.user": [ + "atcup", + "psumquia", + "ptass" + ], + "rsa.db.database": "aperi", + "rsa.db.index": "llumd", + "rsa.internal.event_desc": "taspe", + "rsa.internal.messageid": "184", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "issusci", + "rsa.misc.disposition": "scivel", + "rsa.misc.group": "psumq", + "rsa.misc.group_object": "uia", + "rsa.misc.obj_type": "iveli", + "rsa.misc.operation_id": "tatno", + "rsa.misc.policy_name": "dquiac", + "rsa.misc.reference_id": "184", + "rsa.misc.reference_id1": "mol", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.6713", + "rsa.network.domain": "uam6303.api.lan", + 
"rsa.network.host_dst": "llu4762.mail.localdomain", + "server.domain": "uam6303.api.lan", + "server.registered_domain": "api.lan", + "server.subdomain": "uam6303", + "server.top_level_domain": "lan", + "service.type": "cyberark", + "source.ip": [ + "10.155.236.240" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "psumquia" + }, + { + "event.action": "cancel", + "event.code": "rmagni", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"161\";emaper 1.2638\",ProductAccount=\"eos\",ProductProcess=\"enimad\",EventId=\"rmagni\",EventClass=\"sit\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"oremips\",ActingAddress=\"10.81.199.122\",ActionSourceUser=\"aquaeabi\",ActionTargetUser=\"giatq\",ActionObject=\"quid\",ActionSafe=\"fug\",ActionLocation=\"uatDuis\",ActionCategory=\"ude\",ActionRequestId=\"maveniam\",ActionReason=\"uian\",ActionExtraDetails=\"tempo\"", + "file.directory": "uatDuis", + "file.name": "quid", + "fileset.name": "corepas", + "host.ip": "10.81.199.122", + "input.type": "log", + "log.level": "medium", + "log.offset": 1935, + "observer.product": "emaper", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2638", + "related.ip": [ + "10.81.199.122" + ], + "related.user": [ + "eos", + "giatq", + "oremips" + ], + "rsa.db.index": "tempo", + "rsa.internal.event_desc": "uian", + "rsa.internal.messageid": "161", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "ude", + "rsa.misc.group_object": "fug", + "rsa.misc.reference_id": "rmagni", + "rsa.misc.reference_id1": "maveniam", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.2638", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "oremips" + }, + { + "destination.address": "aquaeab2275.www5.domain", + "destination.port": 4091, + "event.action": "deny", + "event.code": "139", + "event.dataset": 
"cyberark.corepas", + "event.module": "cyberark", + "event.original": "eetd 2016-04-09 17:22:51.032538723 +0000 UTC eip1448.internal.local %CYBERARK: MessageID=\"139\";Version=1.3491;Message=deny;Issuer=tcupida;Station=10.139.186.201;File=ect;Safe=reetdolo;Location=nrepreh;Category=obeataev;RequestId=lor;Reason=uidexea;Severity=medium;SourceUser=natura;TargetUser=aboris;GatewayStation=10.172.14.142;TicketID=ssitaspe;PolicyID=gitsedqu;UserName=uam;LogonDomain=temq1198.internal.example;Address=aquaeab2275.www5.domain;CPMStatus=ehend;Port=4091;Database=isiu;DeviceType=nimadmi;ExtraDetails=iatisu;", + "file.directory": "nrepreh", + "file.name": "ect", + "fileset.name": "corepas", + "group.name": "natura", + "host.ip": "10.139.186.201", + "input.type": "log", + "log.level": "medium", + "log.offset": 2366, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3491", + "related.hosts": [ + "aquaeab2275.www5.domain", + "temq1198.internal.example" + ], + "related.ip": [ + "10.139.186.201", + "10.172.14.142" + ], + "related.user": [ + "aboris", + "tcupida", + "uam" + ], + "rsa.db.database": "isiu", + "rsa.db.index": "iatisu", + "rsa.internal.event_desc": "uidexea", + "rsa.internal.messageid": "139", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "obeataev", + "rsa.misc.disposition": "ehend", + "rsa.misc.group": "natura", + "rsa.misc.group_object": "reetdolo", + "rsa.misc.obj_type": "nimadmi", + "rsa.misc.operation_id": "ssitaspe", + "rsa.misc.policy_name": "gitsedqu", + "rsa.misc.reference_id": "139", + "rsa.misc.reference_id1": "lor", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3491", + "rsa.network.domain": "temq1198.internal.example", + "rsa.network.host_dst": "aquaeab2275.www5.domain", + "server.domain": "temq1198.internal.example", + "server.registered_domain": "internal.example", + "server.subdomain": "temq1198", + "server.top_level_domain": "example", + "service.type": 
"cyberark", + "source.ip": [ + "10.172.14.142" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tcupida" + }, + { + "destination.address": "amquisno3338.www5.lan", + "destination.port": 776, + "event.action": "accept", + "event.code": "106", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"106\";Version=1.6875;Message=accept;Issuer=ipis;Station=10.47.76.251;File=eataevit;Safe=uptatev;Location=uovol;Category=dmi;RequestId=olab;Reason=mquisnos;Severity=medium;SourceUser=ore;TargetUser=etconsec;GatewayStation=10.104.111.129;TicketID=mUt;PolicyID=usmodte;UserName=ele;LogonDomain=tenbyCic5882.api.home;Address=amquisno3338.www5.lan;CPMStatus=nonnu;Port=776;Database=riat;DeviceType=luptatem;ExtraDetails=umdolor;", + "file.directory": "uovol", + "file.name": "eataevit", + "fileset.name": "corepas", + "group.name": "ore", + "host.ip": "10.47.76.251", + "input.type": "log", + "log.level": "medium", + "log.offset": 2894, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6875", + "related.hosts": [ + "amquisno3338.www5.lan", + "tenbyCic5882.api.home" + ], + "related.ip": [ + "10.104.111.129", + "10.47.76.251" + ], + "related.user": [ + "ele", + "etconsec", + "ipis" + ], + "rsa.db.database": "riat", + "rsa.db.index": "umdolor", + "rsa.internal.event_desc": "mquisnos", + "rsa.internal.messageid": "106", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "dmi", + "rsa.misc.disposition": "nonnu", + "rsa.misc.group": "ore", + "rsa.misc.group_object": "uptatev", + "rsa.misc.obj_type": "luptatem", + "rsa.misc.operation_id": "mUt", + "rsa.misc.policy_name": "usmodte", + "rsa.misc.reference_id": "106", + "rsa.misc.reference_id1": "olab", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6875", + "rsa.network.domain": "tenbyCic5882.api.home", + "rsa.network.host_dst": "amquisno3338.www5.lan", + "server.domain": 
"tenbyCic5882.api.home", + "server.registered_domain": "api.home", + "server.subdomain": "tenbyCic5882", + "server.top_level_domain": "home", + "service.type": "cyberark", + "source.ip": [ + "10.104.111.129" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ipis" + }, + { + "event.action": "deny", + "event.code": "ofdeF", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "inB 2016-05-08 07:27:59.552538723 +0000 UTC deomni124.www.example %CYBERARK: MessageID=\"74\";tae 1.1382\",ProductAccount=\"animi\",ProductProcess=\"oluptate\",EventId=\"ofdeF\",EventClass=\"tion\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"quiratio\",ActingAddress=\"10.116.120.216\",ActionSourceUser=\"qua\",ActionTargetUser=\"umdo\",ActionObject=\"sed\",ActionSafe=\"apariat\",ActionLocation=\"mol\",ActionCategory=\"pteursi\",ActionRequestId=\"onse\",ActionReason=\"rumet\",ActionExtraDetails=\"oll\"", + "file.directory": "mol", + "file.name": "sed", + "fileset.name": "corepas", + "host.ip": "10.116.120.216", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3339, + "observer.product": "tae", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1382", + "related.ip": [ + "10.116.120.216" + ], + "related.user": [ + "animi", + "quiratio", + "umdo" + ], + "rsa.db.index": "oll", + "rsa.internal.event_desc": "rumet", + "rsa.internal.messageid": "74", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "pteursi", + "rsa.misc.group_object": "apariat", + "rsa.misc.reference_id": "ofdeF", + "rsa.misc.reference_id1": "onse", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.1382", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "quiratio" + }, + { + "destination.address": "idolores3839.localdomain", + "destination.port": 2424, + "event.action": "cancel", + "event.code": "144", + "event.dataset": 
"cyberark.corepas", + "event.module": "cyberark", + "event.original": "Ciceroi 2016-05-22 14:30:33.812538723 +0000 UTC aveniam1436.www.test %CYBERARK: MessageID=\"144\";Version=1.5529;Message=cancel;Issuer=taevi;Station=10.62.54.220;File=ehenderi;Safe=pidatat;Location=gni;Category=tquiinea;RequestId=mquaera;Reason=dun;Severity=medium;SourceUser=Duisau;TargetUser=psum;GatewayStation=10.57.40.29;TicketID=undeo;PolicyID=loremip;UserName=rnatura;LogonDomain=isqu7224.localdomain;Address=idolores3839.localdomain;CPMStatus=metcon;Port=2424;Database=emeumfug;DeviceType=upta;ExtraDetails=omn;", + "file.directory": "gni", + "file.name": "ehenderi", + "fileset.name": "corepas", + "group.name": "Duisau", + "host.ip": "10.62.54.220", + "input.type": "log", + "log.level": "medium", + "log.offset": 3831, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5529", + "related.hosts": [ + "idolores3839.localdomain", + "isqu7224.localdomain" + ], + "related.ip": [ + "10.57.40.29", + "10.62.54.220" + ], + "related.user": [ + "psum", + "rnatura", + "taevi" + ], + "rsa.db.database": "emeumfug", + "rsa.db.index": "omn", + "rsa.internal.event_desc": "dun", + "rsa.internal.messageid": "144", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "tquiinea", + "rsa.misc.disposition": "metcon", + "rsa.misc.group": "Duisau", + "rsa.misc.group_object": "pidatat", + "rsa.misc.obj_type": "upta", + "rsa.misc.operation_id": "undeo", + "rsa.misc.policy_name": "loremip", + "rsa.misc.reference_id": "144", + "rsa.misc.reference_id1": "mquaera", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5529", + "rsa.network.domain": "isqu7224.localdomain", + "rsa.network.host_dst": "idolores3839.localdomain", + "server.domain": "isqu7224.localdomain", + "server.registered_domain": "isqu7224.localdomain", + "server.top_level_domain": "localdomain", + "service.type": "cyberark", + "source.ip": [ + "10.57.40.29" + ], + "tags": [ + 
"cyberark.corepas", + "forwarded" + ], + "user.name": "taevi" + }, + { + "event.action": "cancel", + "event.code": "nibus", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "ons 2016-06-05 21:33:08.072538723 +0000 UTC tessec3539.home %CYBERARK: MessageID=\"240\";nsect 1.6476\",ProductAccount=\"tnon\",ProductProcess=\"ionul\",EventId=\"nibus\",EventClass=\"edquiano\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"ema\",ActingAddress=\"10.74.237.180\",ActionSourceUser=\"nsequu\",ActionTargetUser=\"cup\",ActionObject=\"boNemoen\",ActionSafe=\"uid\",ActionLocation=\"rors\",ActionCategory=\"onofd\",ActionRequestId=\"taed\",ActionReason=\"lup\",ActionExtraDetails=\"remeumf\"", + "file.directory": "rors", + "file.name": "boNemoen", + "fileset.name": "corepas", + "host.ip": "10.74.237.180", + "input.type": "log", + "log.level": "medium", + "log.offset": 4349, + "observer.product": "nsect", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6476", + "related.ip": [ + "10.74.237.180" + ], + "related.user": [ + "cup", + "ema", + "tnon" + ], + "rsa.db.index": "remeumf", + "rsa.internal.event_desc": "lup", + "rsa.internal.messageid": "240", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "onofd", + "rsa.misc.group_object": "uid", + "rsa.misc.reference_id": "nibus", + "rsa.misc.reference_id1": "taed", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6476", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ema" + }, + { + "event.action": "allow", + "event.code": "ido", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2016-06-20 04:35:42.332538723 +0000 UTC sectetur3333.mail.example %CYBERARK: MessageID=\"61\";edqui 
1.7780\",ProductAccount=\"lor\",ProductProcess=\"fugit\",EventId=\"ido\",EventClass=\"paqu\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"remeum\",ActingAddress=\"10.18.165.35\",ActionSourceUser=\"admi\",ActionTargetUser=\"modocons\",ActionObject=\"elaudant\",ActionSafe=\"tinvol\",ActionLocation=\"dolore\",ActionCategory=\"abor\",ActionRequestId=\"iqui\",ActionReason=\"etc\",ActionExtraDetails=\"etM\"", + "file.directory": "dolore", + "file.name": "elaudant", + "fileset.name": "corepas", + "host.ip": "10.18.165.35", + "input.type": "log", + "log.level": "high", + "log.offset": 4835, + "observer.product": "edqui", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7780", + "related.ip": [ + "10.18.165.35" + ], + "related.user": [ + "lor", + "modocons", + "remeum" + ], + "rsa.db.index": "etM", + "rsa.internal.event_desc": "etc", + "rsa.internal.messageid": "61", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "abor", + "rsa.misc.group_object": "tinvol", + "rsa.misc.reference_id": "ido", + "rsa.misc.reference_id1": "iqui", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.7780", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "remeum" + }, + { + "event.action": "deny", + "event.code": "itaut", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2016-07-04 11:38:16.592538723 +0000 UTC xercitat4824.local %CYBERARK: MessageID=\"90\";ostr 1.4979\",ProductAccount=\"onproide\",ProductProcess=\"luptat\",EventId=\"itaut\",EventClass=\"imaven\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"tema\",ActingAddress=\"10.74.253.127\",ActionSourceUser=\"tfug\",ActionTargetUser=\"icab\",ActionObject=\"mwr\",ActionSafe=\"fugi\",ActionLocation=\"inculpaq\",ActionCategory=\"agna\",ActionRequestId=\"tionemu\",ActionReason=\"eomnisis\",ActionExtraDetails=\"mqui\"", + "file.directory": "inculpaq", + "file.name": 
"mwr", + "fileset.name": "corepas", + "host.ip": "10.74.253.127", + "input.type": "log", + "log.level": "high", + "log.offset": 5321, + "observer.product": "ostr", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4979", + "related.ip": [ + "10.74.253.127" + ], + "related.user": [ + "icab", + "onproide", + "tema" + ], + "rsa.db.index": "mqui", + "rsa.internal.event_desc": "eomnisis", + "rsa.internal.messageid": "90", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "agna", + "rsa.misc.group_object": "fugi", + "rsa.misc.reference_id": "itaut", + "rsa.misc.reference_id1": "tionemu", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.4979", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tema" + }, + { + "destination.address": "Lor5841.internal.example", + "destination.port": 3075, + "event.action": "block", + "event.code": "385", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "errorsi 2016-07-18 18:40:50.852538723 +0000 UTC des5377.lan %CYBERARK: MessageID=\"385\";Version=1.1697;Message=block;Issuer=ono;Station=10.189.109.245;File=emaperi;Safe=tame;Location=\"tinvol\";Category=tectobe;RequestId=colabor;Reason=iusmodt;Severity=medium;GatewayStation=10.92.8.15;TicketID=agnaali;PolicyID=llitani;UserName=inima;LogonDomain=tlabo6088.www.localdomain;Address=Lor5841.internal.example;CPMStatus=sunt;Port=\"3075\";Database=uines;DeviceType=nsec;ExtraDetails=onse", + "file.directory": "tinvol", + "file.name": "emaperi", + "fileset.name": "corepas", + "host.ip": "10.189.109.245", + "input.type": "log", + "log.level": "medium", + "log.offset": 5807, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1697", + "related.hosts": [ + "Lor5841.internal.example", + "tlabo6088.www.localdomain" + ], + "related.ip": [ + "10.189.109.245", + "10.92.8.15" + ], + "related.user": [ + 
"inima", + "ono" + ], + "rsa.db.database": "uines", + "rsa.db.index": "onse", + "rsa.internal.event_desc": "iusmodt", + "rsa.internal.messageid": "385", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "tectobe", + "rsa.misc.disposition": "sunt", + "rsa.misc.group_object": "tame", + "rsa.misc.obj_type": "nsec", + "rsa.misc.operation_id": "agnaali", + "rsa.misc.policy_name": "llitani", + "rsa.misc.reference_id": "385", + "rsa.misc.reference_id1": "colabor", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.1697", + "rsa.network.domain": "tlabo6088.www.localdomain", + "rsa.network.host_dst": "Lor5841.internal.example", + "server.domain": "tlabo6088.www.localdomain", + "server.registered_domain": "www.localdomain", + "server.subdomain": "tlabo6088", + "server.top_level_domain": "localdomain", + "service.type": "cyberark", + "source.ip": [ + "10.92.8.15" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ono" + }, + { + "event.action": "accept", + "event.code": "tisetq", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "August 2 01:43:25 tat %CYBERARK: MessageID=\"190\";tion 1.1761\",ProductAccount=\"upt\",ProductProcess=\"uiineavo\",EventId=\"tisetq\",EventClass=\"irati\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"giatquov\",ActingAddress=\"10.21.78.128\",ActionSourceUser=\"riat\",ActionTargetUser=\"taut\",ActionObject=\"oreseos\",ActionSafe=\"uames\",ActionLocation=\"tati\",ActionCategory=\"utaliqu\",ActionRequestId=\"oriosamn\",ActionReason=\"deFinibu\",ActionExtraDetails=\"iadese\"", + "file.directory": "tati", + "file.name": "oreseos", + "fileset.name": "corepas", + "host.ip": "10.21.78.128", + "input.type": "log", + "log.level": "low", + "log.offset": 6286, + "observer.product": "tion", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1761", + "related.ip": [ + "10.21.78.128" + ], + "related.user": [ + "giatquov", + "taut", 
+ "upt" + ], + "rsa.db.index": "iadese", + "rsa.internal.event_desc": "deFinibu", + "rsa.internal.messageid": "190", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "utaliqu", + "rsa.misc.group_object": "uames", + "rsa.misc.reference_id": "tisetq", + "rsa.misc.reference_id1": "oriosamn", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.1761", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "giatquov" + }, + { + "event.action": "deny", + "event.code": "suntinc", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"256\";eporroqu 1.4200\",ProductAccount=\"hil\",ProductProcess=\"atquovo\",EventId=\"suntinc\",EventClass=\"xeac\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"tatn\",ActingAddress=\"10.18.109.121\",ActionSourceUser=\"ents\",ActionTargetUser=\"pida\",ActionObject=\"nse\",ActionSafe=\"sinto\",ActionLocation=\"emoeni\",ActionCategory=\"oenimips\",ActionRequestId=\"utlabore\",ActionReason=\"ecillu\",ActionExtraDetails=\"quip\"", + "file.directory": "emoeni", + "file.name": "nse", + "fileset.name": "corepas", + "host.ip": "10.18.109.121", + "input.type": "log", + "log.level": "medium", + "log.offset": 6744, + "observer.product": "eporroqu", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4200", + "related.ip": [ + "10.18.109.121" + ], + "related.user": [ + "hil", + "pida", + "tatn" + ], + "rsa.db.index": "quip", + "rsa.internal.event_desc": "ecillu", + "rsa.internal.messageid": "256", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "oenimips", + "rsa.misc.group_object": "sinto", + "rsa.misc.reference_id": "suntinc", + "rsa.misc.reference_id1": "utlabore", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.4200", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tatn" + }, + { + "destination.address": 
"rpo79.mail.example", + "destination.port": 2289, + "event.action": "cancel", + "event.code": "105", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"105\";Version=1.3727;Message=cancel;Issuer=iunt;Station=10.63.37.192;File=tio;Safe=orinrepr;Location=conse;Category=rumetM;RequestId=equi;Reason=agnaali;Severity=medium;SourceUser=sitvolup;TargetUser=reetd;GatewayStation=10.225.115.13;TicketID=maccusa;PolicyID=uptat;UserName=equep;LogonDomain=iavolu5352.localhost;Address=rpo79.mail.example;CPMStatus=siarchi;Port=2289;Database=aliqu;DeviceType=olupta;ExtraDetails=mipsumd;", + "file.directory": "conse", + "file.name": "tio", + "fileset.name": "corepas", + "group.name": "sitvolup", + "host.ip": "10.63.37.192", + "input.type": "log", + "log.level": "medium", + "log.offset": 7176, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3727", + "related.hosts": [ + "iavolu5352.localhost", + "rpo79.mail.example" + ], + "related.ip": [ + "10.225.115.13", + "10.63.37.192" + ], + "related.user": [ + "equep", + "iunt", + "reetd" + ], + "rsa.db.database": "aliqu", + "rsa.db.index": "mipsumd", + "rsa.internal.event_desc": "agnaali", + "rsa.internal.messageid": "105", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "rumetM", + "rsa.misc.disposition": "siarchi", + "rsa.misc.group": "sitvolup", + "rsa.misc.group_object": "orinrepr", + "rsa.misc.obj_type": "olupta", + "rsa.misc.operation_id": "maccusa", + "rsa.misc.policy_name": "uptat", + "rsa.misc.reference_id": "105", + "rsa.misc.reference_id1": "equi", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3727", + "rsa.network.domain": "iavolu5352.localhost", + "rsa.network.host_dst": "rpo79.mail.example", + "server.domain": "iavolu5352.localhost", + "server.registered_domain": "iavolu5352.localhost", + "server.top_level_domain": "localhost", + "service.type": "cyberark", + "source.ip": [ 
+ "10.225.115.13" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "iunt" + }, + { + "destination.address": "tionof7613.domain", + "destination.port": 2335, + "event.action": "deny", + "event.code": "105", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "remi 2016-09-13 22:51:07.892538723 +0000 UTC saute7154.internal.lan %CYBERARK: MessageID=\"105\";Version=1.3219;Message=deny;Issuer=run;Station=10.47.202.102;File=quirat;Safe=llu;Location=licab;Category=eirure;RequestId=conseq;Reason=oidentsu;Severity=medium;SourceUser=aaliquaU;TargetUser=ntor;GatewayStation=10.95.64.124;TicketID=psaquae;PolicyID=ationemu;UserName=ice;LogonDomain=estiae3750.api.corp;Address=tionof7613.domain;CPMStatus=lapari;Port=2335;Database=ite;DeviceType=ationul;ExtraDetails=iquipex;", + "file.directory": "licab", + "file.name": "quirat", + "fileset.name": "corepas", + "group.name": "aaliquaU", + "host.ip": "10.47.202.102", + "input.type": "log", + "log.level": "medium", + "log.offset": 7622, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3219", + "related.hosts": [ + "estiae3750.api.corp", + "tionof7613.domain" + ], + "related.ip": [ + "10.47.202.102", + "10.95.64.124" + ], + "related.user": [ + "ice", + "ntor", + "run" + ], + "rsa.db.database": "ite", + "rsa.db.index": "iquipex", + "rsa.internal.event_desc": "oidentsu", + "rsa.internal.messageid": "105", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "eirure", + "rsa.misc.disposition": "lapari", + "rsa.misc.group": "aaliquaU", + "rsa.misc.group_object": "llu", + "rsa.misc.obj_type": "ationul", + "rsa.misc.operation_id": "psaquae", + "rsa.misc.policy_name": "ationemu", + "rsa.misc.reference_id": "105", + "rsa.misc.reference_id1": "conseq", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3219", + "rsa.network.domain": "estiae3750.api.corp", + "rsa.network.host_dst": "tionof7613.domain", + 
"server.domain": "estiae3750.api.corp", + "server.registered_domain": "api.corp", + "server.subdomain": "estiae3750", + "server.top_level_domain": "corp", + "service.type": "cyberark", + "source.ip": [ + "10.95.64.124" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "run" + }, + { + "destination.address": "acc7692.home", + "destination.port": 4147, + "event.action": "block", + "event.code": "376", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "adol 2016-09-28 05:53:42.152538723 +0000 UTC doloremi7402.www.test %CYBERARK: MessageID=\"376\";Version=1.6371;Message=block;Issuer=itquiin;Station=10.106.239.55;File=taevit;Safe=rinrepre;Location=etconse;Category=tincu;RequestId=ari;Reason=exercit;Severity=low;GatewayStation=10.244.114.61;TicketID=oluptate;PolicyID=onseq;UserName=serunt;LogonDomain=aquaeabi7735.internal.lan;Address=acc7692.home;CPMStatus=amest;Port=\"4147\";Database=itame;DeviceType=intoc;ExtraDetails=oluptas;", + "file.directory": "etconse", + "file.name": "taevit", + "fileset.name": "corepas", + "host.ip": "10.106.239.55", + "input.type": "log", + "log.level": "low", + "log.offset": 8130, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6371", + "related.hosts": [ + "acc7692.home", + "aquaeabi7735.internal.lan" + ], + "related.ip": [ + "10.106.239.55", + "10.244.114.61" + ], + "related.user": [ + "itquiin", + "serunt" + ], + "rsa.db.database": "itame", + "rsa.db.index": "oluptas", + "rsa.internal.event_desc": "exercit", + "rsa.internal.messageid": "376", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "tincu", + "rsa.misc.disposition": "amest", + "rsa.misc.group_object": "rinrepre", + "rsa.misc.obj_type": "intoc", + "rsa.misc.operation_id": "oluptate", + "rsa.misc.policy_name": "onseq", + "rsa.misc.reference_id": "376", + "rsa.misc.reference_id1": "ari", + "rsa.misc.severity": "low", + "rsa.misc.version": 
"1.6371", + "rsa.network.domain": "aquaeabi7735.internal.lan", + "rsa.network.host_dst": "acc7692.home", + "server.domain": "aquaeabi7735.internal.lan", + "server.registered_domain": "internal.lan", + "server.subdomain": "aquaeabi7735", + "server.top_level_domain": "lan", + "service.type": "cyberark", + "source.ip": [ + "10.244.114.61" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "itquiin" + }, + { + "destination.address": "quatD4191.local", + "destination.port": 5685, + "event.action": "allow", + "event.code": "24", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2016-10-12 12:56:16.412538723 +0000 UTC luptasn2126.mail.home %CYBERARK: MessageID=\"24\";Version=1.821;Message=allow;Issuer=ione;Station=10.125.160.129;File=suntexp;Safe=duntut;Location=magni;Category=pisciv;RequestId=iquidex;Reason=radipisc;Severity=low;SourceUser=nti;TargetUser=abi;GatewayStation=10.53.168.235;TicketID=fugitse;PolicyID=veniamq;UserName=one;LogonDomain=etMalor4236.www5.host;Address=quatD4191.local;CPMStatus=tenima;Port=5685;Database=sperna;DeviceType=eabilloi;ExtraDetails=estia;", + "file.directory": "magni", + "file.name": "suntexp", + "fileset.name": "corepas", + "group.name": "nti", + "host.ip": "10.125.160.129", + "input.type": "log", + "log.level": "low", + "log.offset": 8609, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.821", + "related.hosts": [ + "etMalor4236.www5.host", + "quatD4191.local" + ], + "related.ip": [ + "10.125.160.129", + "10.53.168.235" + ], + "related.user": [ + "abi", + "ione", + "one" + ], + "rsa.db.database": "sperna", + "rsa.db.index": "estia", + "rsa.internal.event_desc": "radipisc", + "rsa.internal.messageid": "24", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "pisciv", + "rsa.misc.disposition": "tenima", + "rsa.misc.group": "nti", + "rsa.misc.group_object": "duntut", + "rsa.misc.obj_type": "eabilloi", 
+ "rsa.misc.operation_id": "fugitse", + "rsa.misc.policy_name": "veniamq", + "rsa.misc.reference_id": "24", + "rsa.misc.reference_id1": "iquidex", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.821", + "rsa.network.domain": "etMalor4236.www5.host", + "rsa.network.host_dst": "quatD4191.local", + "server.domain": "etMalor4236.www5.host", + "server.registered_domain": "www5.host", + "server.subdomain": "etMalor4236", + "server.top_level_domain": "host", + "service.type": "cyberark", + "source.ip": [ + "10.53.168.235" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ione" + }, + { + "destination.address": "eturadi6608.mail.host", + "destination.port": 3366, + "event.action": "allow", + "event.code": "197", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "orem 2016-10-26 19:58:50.672538723 +0000 UTC beata6448.mail.test %CYBERARK: MessageID=\"197\";Version=1.1123;Message=allow;Issuer=tasuntex;Station=10.227.177.121;File=boN;Safe=eprehend;Location=aevit;Category=aboN;RequestId=ihilmo;Reason=radi;Severity=low;SourceUser=uames;TargetUser=iduntu;GatewayStation=10.33.245.220;TicketID=giatnu;PolicyID=ulapa;UserName=liqui;LogonDomain=quioffi1359.internal.lan;Address=eturadi6608.mail.host;CPMStatus=aera;Port=3366;Database=rvel;DeviceType=uid;ExtraDetails=onsecte;", + "file.directory": "aevit", + "file.name": "boN", + "fileset.name": "corepas", + "group.name": "uames", + "host.ip": "10.227.177.121", + "input.type": "log", + "log.level": "low", + "log.offset": 9110, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1123", + "related.hosts": [ + "eturadi6608.mail.host", + "quioffi1359.internal.lan" + ], + "related.ip": [ + "10.227.177.121", + "10.33.245.220" + ], + "related.user": [ + "iduntu", + "liqui", + "tasuntex" + ], + "rsa.db.database": "rvel", + "rsa.db.index": "onsecte", + "rsa.internal.event_desc": "radi", + "rsa.internal.messageid": 
"197", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "aboN", + "rsa.misc.disposition": "aera", + "rsa.misc.group": "uames", + "rsa.misc.group_object": "eprehend", + "rsa.misc.obj_type": "uid", + "rsa.misc.operation_id": "giatnu", + "rsa.misc.policy_name": "ulapa", + "rsa.misc.reference_id": "197", + "rsa.misc.reference_id1": "ihilmo", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.1123", + "rsa.network.domain": "quioffi1359.internal.lan", + "rsa.network.host_dst": "eturadi6608.mail.host", + "server.domain": "quioffi1359.internal.lan", + "server.registered_domain": "internal.lan", + "server.subdomain": "quioffi1359", + "server.top_level_domain": "lan", + "service.type": "cyberark", + "source.ip": [ + "10.33.245.220" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tasuntex" + }, + { + "destination.address": "eroi176.example", + "destination.port": 3341, + "event.action": "allow", + "event.code": "411", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "November 10 03:01:24 edo %CYBERARK: MessageID=\"411\";Version=1.5071;Message=allow;Issuer=econs;Station=\"10.98.182.220\";File=\"untex\";Safe=\"quiratio\";Location=\"boree\";Category=\"eco\";RequestId=Utenimad;Reason=orpor;Severity=\"low\";GatewayStation=\"10.167.85.181\";TicketID=emvel;PolicyID=\"tmollita\";UserName=fde;LogonDomain=\"nsecte3304.mail.corp\";Address=\"eroi176.example\";CPMStatus=\"non\";Port=\"3341\";Database=equat;DeviceType=derit;ExtraDetails=\"Command=dexea;ConnectionComponentId=atcu;DstHost=labor;ProcessId=6501;ProcessName=laboree.exe;Protocol=tcp;PSMID=intocc;RDPOffset=liqu;SessionID=eporr;SrcHost=xeacomm6855.api.corp;User=utlabor;VIDOffset=rau;\"", + "file.directory": "boree", + "file.name": "untex", + "fileset.name": "corepas", + "host.hostname": "xeacomm6855.api.corp", + "host.ip": "10.98.182.220", + "input.type": "log", + "log.level": "low", + "log.offset": 9617, + "network.protocol": "tcp", + 
"observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5071", + "process.name": "laboree.exe", + "process.pid": 6501, + "related.hosts": [ + "eroi176.example", + "nsecte3304.mail.corp", + "xeacomm6855.api.corp" + ], + "related.ip": [ + "10.167.85.181", + "10.98.182.220" + ], + "related.user": [ + "econs", + "fde" + ], + "rsa.db.database": "equat", + "rsa.internal.event_desc": "orpor", + "rsa.internal.messageid": "411", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "eco", + "rsa.misc.disposition": "non", + "rsa.misc.group_object": "quiratio", + "rsa.misc.log_session_id": "eporr", + "rsa.misc.obj_type": "derit", + "rsa.misc.operation_id": "emvel", + "rsa.misc.param": "dexea", + "rsa.misc.policy_name": "tmollita", + "rsa.misc.reference_id": "411", + "rsa.misc.reference_id1": "Utenimad", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.5071", + "rsa.network.domain": "nsecte3304.mail.corp", + "rsa.network.host_dst": "eroi176.example", + "server.domain": "nsecte3304.mail.corp", + "server.registered_domain": "mail.corp", + "server.subdomain": "nsecte3304", + "server.top_level_domain": "corp", + "service.type": "cyberark", + "source.address": "xeacomm6855.api.corp", + "source.ip": [ + "10.167.85.181" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "econs" + }, + { + "event.action": "block", + "event.code": "tessec", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "November 24 10:03:59 aeabi %CYBERARK: MessageID=\"111\";eiu 
1.4456\",ProductAccount=\"iciadese\",ProductProcess=\"quidolor\",EventId=\"tessec\",EventClass=\"olupta\",EventSeverity=\"high\",EventMessage=\"block\",ActingUserName=\"icabo\",ActingAddress=\"10.89.208.95\",ActionSourceUser=\"eleum\",ActionTargetUser=\"sintoc\",ActionObject=\"volupt\",ActionSafe=\"siste\",ActionLocation=\"uiinea\",ActionCategory=\"Utenima\",ActionRequestId=\"volupta\",ActionReason=\"rcitati\",ActionExtraDetails=\"eni\"", + "file.directory": "uiinea", + "file.name": "volupt", + "fileset.name": "corepas", + "host.ip": "10.89.208.95", + "input.type": "log", + "log.level": "high", + "log.offset": 10266, + "observer.product": "eiu", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4456", + "related.ip": [ + "10.89.208.95" + ], + "related.user": [ + "icabo", + "iciadese", + "sintoc" + ], + "rsa.db.index": "eni", + "rsa.internal.event_desc": "rcitati", + "rsa.internal.messageid": "111", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "Utenima", + "rsa.misc.group_object": "siste", + "rsa.misc.reference_id": "tessec", + "rsa.misc.reference_id1": "volupta", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.4456", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "icabo" + }, + { + "destination.address": "reetdolo6852.www.test", + "destination.port": 5428, + "event.action": "accept", + "event.code": "81", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "Ute 2016-12-08 17:06:33.452538723 +0000 UTC sperna5368.mail.invalid %CYBERARK: 
MessageID=\"81\";Version=1.509;Message=accept;Issuer=tDuisaut;Station=10.214.191.180;File=imvenia;Safe=spi;Location=stquido;Category=ommodico;RequestId=ptas;Reason=pta;Severity=medium;SourceUser=ptatemq;TargetUser=luptatev;GatewayStation=10.72.148.32;TicketID=ipsumd;PolicyID=ntocc;UserName=uteirure;LogonDomain=nevo4284.internal.local;Address=reetdolo6852.www.test;CPMStatus=nnum;Port=5428;Database=uamest;DeviceType=tco;ExtraDetails=uae;", + "file.directory": "stquido", + "file.name": "imvenia", + "fileset.name": "corepas", + "group.name": "ptatemq", + "host.ip": "10.214.191.180", + "input.type": "log", + "log.level": "medium", + "log.offset": 10730, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.509", + "related.hosts": [ + "nevo4284.internal.local", + "reetdolo6852.www.test" + ], + "related.ip": [ + "10.214.191.180", + "10.72.148.32" + ], + "related.user": [ + "luptatev", + "tDuisaut", + "uteirure" + ], + "rsa.db.database": "uamest", + "rsa.db.index": "uae", + "rsa.internal.event_desc": "pta", + "rsa.internal.messageid": "81", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "ommodico", + "rsa.misc.disposition": "nnum", + "rsa.misc.group": "ptatemq", + "rsa.misc.group_object": "spi", + "rsa.misc.obj_type": "tco", + "rsa.misc.operation_id": "ipsumd", + "rsa.misc.policy_name": "ntocc", + "rsa.misc.reference_id": "81", + "rsa.misc.reference_id1": "ptas", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.509", + "rsa.network.domain": "nevo4284.internal.local", + "rsa.network.host_dst": "reetdolo6852.www.test", + "server.domain": "nevo4284.internal.local", + "server.registered_domain": "internal.local", + "server.subdomain": "nevo4284", + "server.top_level_domain": "local", + "service.type": "cyberark", + "source.ip": [ + "10.72.148.32" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tDuisaut" + }, + { + "destination.address": 
"mporin6932.api.localdomain", + "destination.port": 6604, + "event.action": "block", + "event.code": "168", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"168\";Version=1.3599;Message=block;Issuer=ipsumd;Station=10.136.190.236;File=evolu;Safe=ersp;Location=tquov;Category=diconseq;RequestId=inven;Reason=osquira;Severity=low;SourceUser=ataevi;TargetUser=com;GatewayStation=10.252.124.150;TicketID=trud;PolicyID=eriti;UserName=litessec;LogonDomain=itas981.mail.domain;Address=mporin6932.api.localdomain;CPMStatus=roid;Port=6604;Database=tasn;DeviceType=Nemoenim;ExtraDetails=squirati;", + "file.directory": "tquov", + "file.name": "evolu", + "fileset.name": "corepas", + "group.name": "ataevi", + "host.ip": "10.136.190.236", + "input.type": "log", + "log.level": "low", + "log.offset": 11247, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3599", + "related.hosts": [ + "itas981.mail.domain", + "mporin6932.api.localdomain" + ], + "related.ip": [ + "10.136.190.236", + "10.252.124.150" + ], + "related.user": [ + "com", + "ipsumd", + "litessec" + ], + "rsa.db.database": "tasn", + "rsa.db.index": "squirati", + "rsa.internal.event_desc": "osquira", + "rsa.internal.messageid": "168", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "diconseq", + "rsa.misc.disposition": "roid", + "rsa.misc.group": "ataevi", + "rsa.misc.group_object": "ersp", + "rsa.misc.obj_type": "Nemoenim", + "rsa.misc.operation_id": "trud", + "rsa.misc.policy_name": "eriti", + "rsa.misc.reference_id": "168", + "rsa.misc.reference_id1": "inven", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3599", + "rsa.network.domain": "itas981.mail.domain", + "rsa.network.host_dst": "mporin6932.api.localdomain", + "server.domain": "itas981.mail.domain", + "server.registered_domain": "mail.domain", + "server.subdomain": "itas981", + "server.top_level_domain": "domain", + 
"service.type": "cyberark", + "source.ip": [ + "10.252.124.150" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ipsumd" + }, + { + "destination.address": "illoin2914.mail.lan", + "destination.port": 6895, + "event.action": "accept", + "event.code": "90", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "nbyCic 2017-01-06 07:11:41.972538723 +0000 UTC utlabor6305.internal.corp %CYBERARK: MessageID=\"90\";Version=1.5649;Message=accept;Issuer=iquipe;Station=10.192.34.76;File=modtemp;Safe=quovol;Location=nve;Category=remag;RequestId=uredol;Reason=ccaecat;Severity=medium;SourceUser=onsequ;TargetUser=temqu;GatewayStation=10.213.144.249;TicketID=udexerci;PolicyID=naal;UserName=lore;LogonDomain=tnonpro7635.localdomain;Address=illoin2914.mail.lan;CPMStatus=uamni;Port=6895;Database=gnamal;DeviceType=metMalo;ExtraDetails=ntexplic;", + "file.directory": "nve", + "file.name": "modtemp", + "fileset.name": "corepas", + "group.name": "onsequ", + "host.ip": "10.192.34.76", + "input.type": "log", + "log.level": "medium", + "log.offset": 11697, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5649", + "related.hosts": [ + "illoin2914.mail.lan", + "tnonpro7635.localdomain" + ], + "related.ip": [ + "10.192.34.76", + "10.213.144.249" + ], + "related.user": [ + "iquipe", + "lore", + "temqu" + ], + "rsa.db.database": "gnamal", + "rsa.db.index": "ntexplic", + "rsa.internal.event_desc": "ccaecat", + "rsa.internal.messageid": "90", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "remag", + "rsa.misc.disposition": "uamni", + "rsa.misc.group": "onsequ", + "rsa.misc.group_object": "quovol", + "rsa.misc.obj_type": "metMalo", + "rsa.misc.operation_id": "udexerci", + "rsa.misc.policy_name": "naal", + "rsa.misc.reference_id": "90", + "rsa.misc.reference_id1": "uredol", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5649", + 
"rsa.network.domain": "tnonpro7635.localdomain", + "rsa.network.host_dst": "illoin2914.mail.lan", + "server.domain": "tnonpro7635.localdomain", + "server.registered_domain": "tnonpro7635.localdomain", + "server.top_level_domain": "localdomain", + "service.type": "cyberark", + "source.ip": [ + "10.213.144.249" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "iquipe" + }, + { + "destination.address": "evit5780.www.corp", + "destination.port": 725, + "event.action": "accept", + "event.code": "376", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"376\";Version=1.2217;Message=accept;Issuer=untu;Station=10.154.4.197;File=con;Safe=nisist;Location=usmodte;Category=msequi;RequestId=tau;Reason=exercita;Severity=low;GatewayStation=10.216.84.30;TicketID=orumSe;PolicyID=boree;UserName=intoc;LogonDomain=rQuisau5300.www5.example;Address=evit5780.www.corp;CPMStatus=onev;Port=\"725\";Database=oditem;DeviceType=gitsedqu;ExtraDetails=borios;", + "file.directory": "usmodte", + "file.name": "con", + "fileset.name": "corepas", + "host.ip": "10.154.4.197", + "input.type": "log", + "log.level": "low", + "log.offset": 12221, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2217", + "related.hosts": [ + "evit5780.www.corp", + "rQuisau5300.www5.example" + ], + "related.ip": [ + "10.154.4.197", + "10.216.84.30" + ], + "related.user": [ + "intoc", + "untu" + ], + "rsa.db.database": "oditem", + "rsa.db.index": "borios", + "rsa.internal.event_desc": "exercita", + "rsa.internal.messageid": "376", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "msequi", + "rsa.misc.disposition": "onev", + "rsa.misc.group_object": "nisist", + "rsa.misc.obj_type": "gitsedqu", + "rsa.misc.operation_id": "orumSe", + "rsa.misc.policy_name": "boree", + "rsa.misc.reference_id": "376", + "rsa.misc.reference_id1": "tau", + "rsa.misc.severity": "low", + 
"rsa.misc.version": "1.2217", + "rsa.network.domain": "rQuisau5300.www5.example", + "rsa.network.host_dst": "evit5780.www.corp", + "server.domain": "rQuisau5300.www5.example", + "server.registered_domain": "www5.example", + "server.subdomain": "rQuisau5300", + "server.top_level_domain": "example", + "service.type": "cyberark", + "source.ip": [ + "10.216.84.30" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "untu" + }, + { + "event.action": "deny", + "event.code": "ess", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2017-02-03 21:16:50.492538723 +0000 UTC temUt631.www5.example %CYBERARK: MessageID=\"3\";npr 1.4414\",ProductAccount=\"niamqui\",ProductProcess=\"boNem\",EventId=\"ess\",EventClass=\"ipisci\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"tqu\",ActingAddress=\"10.143.193.199\",ActionSourceUser=\"quam\",ActionTargetUser=\"quid\",ActionObject=\"fugiat\",ActionSafe=\"atisun\",ActionLocation=\"esci\",ActionCategory=\"epre\",ActionRequestId=\"tobeata\",ActionReason=\"eroinBCS\",ActionExtraDetails=\"inci\"", + "file.directory": "esci", + "file.name": "fugiat", + "fileset.name": "corepas", + "host.ip": "10.143.193.199", + "input.type": "log", + "log.level": "medium", + "log.offset": 12628, + "observer.product": "npr", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4414", + "related.ip": [ + "10.143.193.199" + ], + "related.user": [ + "niamqui", + "quid", + "tqu" + ], + "rsa.db.index": "inci", + "rsa.internal.event_desc": "eroinBCS", + "rsa.internal.messageid": "3", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "epre", + "rsa.misc.group_object": "atisun", + "rsa.misc.reference_id": "ess", + "rsa.misc.reference_id1": "tobeata", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.4414", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tqu" + }, + { + 
"destination.address": "uisa5736.internal.local", + "destination.port": 302, + "event.action": "deny", + "event.code": "140", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "February 18 04:19:24 rnatur %CYBERARK: MessageID=\"140\";Version=1.5632;Message=deny;Issuer=essequam;Station=10.193.83.81;File=isisten;Safe=cusant;Location=atemq;Category=rinre;RequestId=naal;Reason=borios;Severity=high;SourceUser=isnostr;TargetUser=umqu;GatewayStation=10.65.175.9;TicketID=inesci;PolicyID=isnisi;UserName=ritatise;LogonDomain=uamei2389.internal.example;Address=uisa5736.internal.local;CPMStatus=cusant;Port=302;Database=ender;DeviceType=riamea;ExtraDetails=entorev;", + "file.directory": "atemq", + "file.name": "isisten", + "fileset.name": "corepas", + "group.name": "isnostr", + "host.ip": "10.193.83.81", + "input.type": "log", + "log.level": "high", + "log.offset": 13114, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5632", + "related.hosts": [ + "uamei2389.internal.example", + "uisa5736.internal.local" + ], + "related.ip": [ + "10.193.83.81", + "10.65.175.9" + ], + "related.user": [ + "essequam", + "ritatise", + "umqu" + ], + "rsa.db.database": "ender", + "rsa.db.index": "entorev", + "rsa.internal.event_desc": "borios", + "rsa.internal.messageid": "140", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "rinre", + "rsa.misc.disposition": "cusant", + "rsa.misc.group": "isnostr", + "rsa.misc.group_object": "cusant", + "rsa.misc.obj_type": "riamea", + "rsa.misc.operation_id": "inesci", + "rsa.misc.policy_name": "isnisi", + "rsa.misc.reference_id": "140", + "rsa.misc.reference_id1": "naal", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.5632", + "rsa.network.domain": "uamei2389.internal.example", + "rsa.network.host_dst": "uisa5736.internal.local", + "server.domain": "uamei2389.internal.example", + "server.registered_domain": "internal.example", + 
"server.subdomain": "uamei2389", + "server.top_level_domain": "example", + "service.type": "cyberark", + "source.ip": [ + "10.65.175.9" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "essequam" + }, + { + "event.action": "accept", + "event.code": "sau", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"87\";tutlab 1.792\",ProductAccount=\"tatn\",ProductProcess=\"dolorsit\",EventId=\"sau\",EventClass=\"aperia\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"umdolo\",ActingAddress=\"10.205.72.243\",ActionSourceUser=\"stenatu\",ActionTargetUser=\"isiuta\",ActionObject=\"orsitam\",ActionSafe=\"siutaliq\",ActionLocation=\"dutp\",ActionCategory=\"psaquaea\",ActionRequestId=\"taevita\",ActionReason=\"ameiusm\",ActionExtraDetails=\"proide\"", + "file.directory": "dutp", + "file.name": "orsitam", + "fileset.name": "corepas", + "host.ip": "10.205.72.243", + "input.type": "log", + "log.level": "very-high", + "log.offset": 13596, + "observer.product": "tutlab", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.792", + "related.ip": [ + "10.205.72.243" + ], + "related.user": [ + "isiuta", + "tatn", + "umdolo" + ], + "rsa.db.index": "proide", + "rsa.internal.event_desc": "ameiusm", + "rsa.internal.messageid": "87", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "psaquaea", + "rsa.misc.group_object": "siutaliq", + "rsa.misc.reference_id": "sau", + "rsa.misc.reference_id1": "taevita", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.792", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "umdolo" + }, + { + "event.action": "allow", + "event.code": "eumiure", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2017-03-18 18:24:33.272538723 +0000 UTC velitess7586.mail.example %CYBERARK: MessageID=\"45\";nre 
1.7231\",ProductAccount=\"sit\",ProductProcess=\"olab\",EventId=\"eumiure\",EventClass=\"ersp\",EventSeverity=\"medium\",EventMessage=\"allow\",ActingUserName=\"mquisno\",ActingAddress=\"10.107.9.163\",ActionSourceUser=\"uptate\",ActionTargetUser=\"mac\",ActionObject=\"iumdol\",ActionSafe=\"tpersp\",ActionLocation=\"stla\",ActionCategory=\"uptatema\",ActionRequestId=\"oeni\",ActionReason=\"tdol\",ActionExtraDetails=\"sit\"", + "file.directory": "stla", + "file.name": "iumdol", + "fileset.name": "corepas", + "host.ip": "10.107.9.163", + "input.type": "log", + "log.level": "medium", + "log.offset": 14043, + "observer.product": "nre", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7231", + "related.ip": [ + "10.107.9.163" + ], + "related.user": [ + "mac", + "mquisno", + "sit" + ], + "rsa.db.index": "sit", + "rsa.internal.event_desc": "tdol", + "rsa.internal.messageid": "45", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "uptatema", + "rsa.misc.group_object": "tpersp", + "rsa.misc.reference_id": "eumiure", + "rsa.misc.reference_id1": "oeni", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.7231", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "mquisno" + }, + { + "event.action": "deny", + "event.code": "cinge", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "April 2 01:27:07 psum %CYBERARK: MessageID=\"132\";tasnulap 1.7220\",ProductAccount=\"umSe\",ProductProcess=\"xeacomm\",EventId=\"cinge\",EventClass=\"itla\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"asiarc\",ActingAddress=\"10.80.101.72\",ActionSourceUser=\"uptate\",ActionTargetUser=\"quidexea\",ActionObject=\"ect\",ActionSafe=\"modocons\",ActionLocation=\"gitsed\",ActionCategory=\"fugia\",ActionRequestId=\"oditautf\",ActionReason=\"quatu\",ActionExtraDetails=\"veli\"", + "file.directory": "gitsed", + "file.name": "ect", + "fileset.name": 
"corepas", + "host.ip": "10.80.101.72", + "input.type": "log", + "log.level": "high", + "log.offset": 14531, + "observer.product": "tasnulap", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7220", + "related.ip": [ + "10.80.101.72" + ], + "related.user": [ + "asiarc", + "quidexea", + "umSe" + ], + "rsa.db.index": "veli", + "rsa.internal.event_desc": "quatu", + "rsa.internal.messageid": "132", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "fugia", + "rsa.misc.group_object": "modocons", + "rsa.misc.reference_id": "cinge", + "rsa.misc.reference_id1": "oditautf", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.7220", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "asiarc" + }, + { + "destination.address": "utlab3706.api.host", + "destination.port": 246, + "event.action": "accept", + "event.code": "200", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "April 16 08:29:41 labo %CYBERARK: MessageID=\"200\";Version=1.267;Message=accept;Issuer=aboreetd;Station=10.235.136.109;File=lorin;Safe=pitl;Location=por;Category=quidexea;RequestId=nimid;Reason=runtmol;Severity=very-high;SourceUser=odi;TargetUser=ptass;GatewayStation=10.39.10.155;TicketID=dol;PolicyID=proiden;UserName=urExcept;LogonDomain=miurerep1152.internal.domain;Address=utlab3706.api.host;CPMStatus=dantium;Port=246;Database=teirured;DeviceType=onemulla;ExtraDetails=dolorem;", + "file.directory": "por", + "file.name": "lorin", + "fileset.name": "corepas", + "group.name": "odi", + "host.ip": "10.235.136.109", + "input.type": "log", + "log.level": "very-high", + "log.offset": 14988, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.267", + "related.hosts": [ + "miurerep1152.internal.domain", + "utlab3706.api.host" + ], + "related.ip": [ + "10.235.136.109", + "10.39.10.155" + ], + "related.user": [ + 
"aboreetd", + "ptass", + "urExcept" + ], + "rsa.db.database": "teirured", + "rsa.db.index": "dolorem", + "rsa.internal.event_desc": "runtmol", + "rsa.internal.messageid": "200", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "quidexea", + "rsa.misc.disposition": "dantium", + "rsa.misc.group": "odi", + "rsa.misc.group_object": "pitl", + "rsa.misc.obj_type": "onemulla", + "rsa.misc.operation_id": "dol", + "rsa.misc.policy_name": "proiden", + "rsa.misc.reference_id": "200", + "rsa.misc.reference_id1": "nimid", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.267", + "rsa.network.domain": "miurerep1152.internal.domain", + "rsa.network.host_dst": "utlab3706.api.host", + "server.domain": "miurerep1152.internal.domain", + "server.registered_domain": "internal.domain", + "server.subdomain": "miurerep1152", + "server.top_level_domain": "domain", + "service.type": "cyberark", + "source.ip": [ + "10.39.10.155" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "aboreetd" + }, + { + "event.action": "cancel", + "event.code": "nci", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "April 30 15:32:16 ationev %CYBERARK: MessageID=\"233\";umdolor 1.4389\",ProductAccount=\"itation\",ProductProcess=\"paquioff\",EventId=\"nci\",EventClass=\"isau\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"ibusBon\",ActingAddress=\"10.96.224.19\",ActionSourceUser=\"nsequat\",ActionTargetUser=\"doloreme\",ActionObject=\"dun\",ActionSafe=\"reprehe\",ActionLocation=\"tincu\",ActionCategory=\"suntin\",ActionRequestId=\"itse\",ActionReason=\"umexerc\",ActionExtraDetails=\"oremipsu\"", + "file.directory": "tincu", + "file.name": "dun", + "fileset.name": "corepas", + "host.ip": "10.96.224.19", + "input.type": "log", + "log.level": "low", + "log.offset": 15471, + "observer.product": "umdolor", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4389", + "related.ip": 
[ + "10.96.224.19" + ], + "related.user": [ + "doloreme", + "ibusBon", + "itation" + ], + "rsa.db.index": "oremipsu", + "rsa.internal.event_desc": "umexerc", + "rsa.internal.messageid": "233", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "suntin", + "rsa.misc.group_object": "reprehe", + "rsa.misc.reference_id": "nci", + "rsa.misc.reference_id1": "itse", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.4389", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ibusBon" + }, + { + "event.action": "cancel", + "event.code": "iquidexe", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2017-05-14 22:34:50.312538723 +0000 UTC ntsunt4826.mail.corp %CYBERARK: MessageID=\"170\";olo 1.237\",ProductAccount=\"aec\",ProductProcess=\"fdeF\",EventId=\"iquidexe\",EventClass=\"diconse\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"reseo\",ActingAddress=\"10.71.238.250\",ActionSourceUser=\"consequa\",ActionTargetUser=\"moenimi\",ActionObject=\"olupt\",ActionSafe=\"oconsequ\",ActionLocation=\"edquiac\",ActionCategory=\"urerepr\",ActionRequestId=\"eseru\",ActionReason=\"quamest\",ActionExtraDetails=\"mac\"", + "file.directory": "edquiac", + "file.name": "olupt", + "fileset.name": "corepas", + "host.ip": "10.71.238.250", + "input.type": "log", + "log.level": "medium", + "log.offset": 15937, + "observer.product": "olo", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.237", + "related.ip": [ + "10.71.238.250" + ], + "related.user": [ + "aec", + "moenimi", + "reseo" + ], + "rsa.db.index": "mac", + "rsa.internal.event_desc": "quamest", + "rsa.internal.messageid": "170", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "urerepr", + "rsa.misc.group_object": "oconsequ", + "rsa.misc.reference_id": "iquidexe", + "rsa.misc.reference_id1": "eseru", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.237", + 
"service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "reseo" + }, + { + "destination.address": "mvel1188.internal.localdomain", + "destination.port": 2694, + "event.action": "deny", + "event.code": "294", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"294\";Version=1.3804;Message=deny;Issuer=rationev;Station=10.226.20.199;File=tatem;Safe=untutlab;Location=amcor;Category=ica;RequestId=lillum;Reason=remips;Severity=low;SourceUser=taedicta;TargetUser=ritt;GatewayStation=10.226.101.180;TicketID=itesseq;PolicyID=dictasun;UserName=veniamqu;LogonDomain=rum5798.home;Address=mvel1188.internal.localdomain;CPMStatus=tetur;Port=2694;Database=conse;DeviceType=ipi;ExtraDetails=imveniam;", + "file.directory": "amcor", + "file.name": "tatem", + "fileset.name": "corepas", + "group.name": "taedicta", + "host.ip": "10.226.20.199", + "input.type": "log", + "log.level": "low", + "log.offset": 16437, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3804", + "related.hosts": [ + "mvel1188.internal.localdomain", + "rum5798.home" + ], + "related.ip": [ + "10.226.101.180", + "10.226.20.199" + ], + "related.user": [ + "rationev", + "ritt", + "veniamqu" + ], + "rsa.db.database": "conse", + "rsa.db.index": "imveniam", + "rsa.internal.event_desc": "remips", + "rsa.internal.messageid": "294", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "ica", + "rsa.misc.disposition": "tetur", + "rsa.misc.group": "taedicta", + "rsa.misc.group_object": "untutlab", + "rsa.misc.obj_type": "ipi", + "rsa.misc.operation_id": "itesseq", + "rsa.misc.policy_name": "dictasun", + "rsa.misc.reference_id": "294", + "rsa.misc.reference_id1": "lillum", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3804", + "rsa.network.domain": "rum5798.home", + "rsa.network.host_dst": "mvel1188.internal.localdomain", + "server.domain": 
"rum5798.home", + "server.registered_domain": "rum5798.home", + "server.top_level_domain": "home", + "service.type": "cyberark", + "source.ip": [ + "10.226.101.180" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "rationev" + }, + { + "destination.address": "perspici5680.domain", + "destination.port": 2039, + "event.action": "cancel", + "event.code": "13", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "June 12 12:39:58 licabo %CYBERARK: MessageID=\"13\";Version=1.1493;Message=cancel;Issuer=utaliqu;Station=10.86.22.67;File=nvolupt;Safe=oremi;Location=elites;Category=nbyCi;RequestId=tevel;Reason=usc;Severity=high;SourceUser=equinesc;TargetUser=cab;GatewayStation=10.134.65.15;TicketID=equepor;PolicyID=ncidid;UserName=quaUten;LogonDomain=nisiut3624.api.example;Address=perspici5680.domain;CPMStatus=iconseq;Port=2039;Database=isciv;DeviceType=rroqu;ExtraDetails=nofd;", + "event.outcome": "failure", + "file.directory": "elites", + "file.name": "nvolupt", + "fileset.name": "corepas", + "group.name": "equinesc", + "host.ip": "10.86.22.67", + "input.type": "log", + "log.level": "high", + "log.offset": 16888, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1493", + "related.hosts": [ + "nisiut3624.api.example", + "perspici5680.domain" + ], + "related.ip": [ + "10.134.65.15", + "10.86.22.67" + ], + "related.user": [ + "cab", + "quaUten", + "utaliqu" + ], + "rsa.db.database": "isciv", + "rsa.db.index": "nofd", + "rsa.internal.event_desc": "usc", + "rsa.internal.messageid": "13", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "nbyCi", + "rsa.misc.disposition": "iconseq", + "rsa.misc.group": "equinesc", + "rsa.misc.group_object": "oremi", + "rsa.misc.obj_type": "rroqu", + 
"rsa.misc.operation_id": "equepor", + "rsa.misc.policy_name": "ncidid", + "rsa.misc.reference_id": "13", + "rsa.misc.reference_id1": "tevel", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.1493", + "rsa.network.domain": "nisiut3624.api.example", + "rsa.network.host_dst": "perspici5680.domain", + "server.domain": "nisiut3624.api.example", + "server.registered_domain": "api.example", + "server.subdomain": "nisiut3624", + "server.top_level_domain": "example", + "service.type": "cyberark", + "source.ip": [ + "10.134.65.15" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "utaliqu" + }, + { + "event.action": "accept", + "event.code": "tae", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"358\";ilmol 1.5112\",ProductAccount=\"tten\",ProductProcess=\"ueipsa\",EventId=\"tae\",EventClass=\"autodit\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"cidunt\",ActingAddress=\"10.70.147.120\",ActionSourceUser=\"exeaco\",ActionTargetUser=\"emqu\",ActionObject=\"nderi\",ActionSafe=\"acommod\",ActionLocation=\"itsedd\",ActionCategory=\"leumiur\",ActionRequestId=\"eratvol\",ActionReason=\"quidol\",ActionExtraDetails=\"eaqu\"", + "file.directory": "itsedd", + "file.name": "nderi", + "fileset.name": "corepas", + "host.ip": "10.70.147.120", + "input.type": "log", + "log.level": "very-high", + "log.offset": 17354, + "observer.product": "ilmol", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5112", + "related.ip": [ + "10.70.147.120" + ], + "related.user": [ + "cidunt", + "emqu", + "tten" + ], + "rsa.db.index": "eaqu", + "rsa.internal.event_desc": "quidol", + "rsa.internal.messageid": "358", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "leumiur", + "rsa.misc.group_object": "acommod", + "rsa.misc.reference_id": "tae", + "rsa.misc.reference_id1": "eratvol", + "rsa.misc.severity": "very-high", + "rsa.misc.version": 
"1.5112", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "cidunt" + }, + { + "destination.address": "ptateve6909.www5.lan", + "destination.port": 7645, + "event.action": "cancel", + "event.code": "160", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "luptatem 2017-07-11 02:45:07.352538723 +0000 UTC uaeratv3432.invalid %CYBERARK: MessageID=\"160\";Version=1.6255;Message=cancel;Issuer=dqu;Station=10.178.242.100;File=dutpers;Safe=erun;Location=orisn;Category=reetd;RequestId=prehen;Reason=ntutlabo;Severity=medium;SourceUser=rad;TargetUser=loi;GatewayStation=10.24.111.229;TicketID=volupt;PolicyID=rem;UserName=idid;LogonDomain=tesse1089.www.host;Address=ptateve6909.www5.lan;CPMStatus=toccaec;Port=7645;Database=tenatuse;DeviceType=psaqua;ExtraDetails=ullamcor;", + "file.directory": "orisn", + "file.name": "dutpers", + "fileset.name": "corepas", + "group.name": "rad", + "host.ip": "10.178.242.100", + "input.type": "log", + "log.level": "medium", + "log.offset": 17793, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6255", + "related.hosts": [ + "ptateve6909.www5.lan", + "tesse1089.www.host" + ], + "related.ip": [ + "10.178.242.100", + "10.24.111.229" + ], + "related.user": [ + "dqu", + "idid", + "loi" + ], + "rsa.db.database": "tenatuse", + "rsa.db.index": "ullamcor", + "rsa.internal.event_desc": "ntutlabo", + "rsa.internal.messageid": "160", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "reetd", + "rsa.misc.disposition": "toccaec", + "rsa.misc.group": "rad", + "rsa.misc.group_object": "erun", + "rsa.misc.obj_type": "psaqua", + "rsa.misc.operation_id": "volupt", + "rsa.misc.policy_name": "rem", + "rsa.misc.reference_id": "160", + "rsa.misc.reference_id1": "prehen", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6255", + "rsa.network.domain": "tesse1089.www.host", + 
"rsa.network.host_dst": "ptateve6909.www5.lan", + "server.domain": "tesse1089.www.host", + "server.registered_domain": "www.host", + "server.subdomain": "tesse1089", + "server.top_level_domain": "host", + "service.type": "cyberark", + "source.ip": [ + "10.24.111.229" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "dqu" + }, + { + "event.action": "deny", + "event.code": "ons", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2017-07-25 09:47:41.612538723 +0000 UTC cupi1867.www5.test %CYBERARK: MessageID=\"67\";orroq 1.6677\",ProductAccount=\"ritati\",ProductProcess=\"orisni\",EventId=\"ons\",EventClass=\"remagn\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"mmodoc\",ActingAddress=\"10.211.179.168\",ActionSourceUser=\"atu\",ActionTargetUser=\"untincul\",ActionObject=\"ssecil\",ActionSafe=\"commodi\",ActionLocation=\"emporain\",ActionCategory=\"ntiumto\",ActionRequestId=\"umetMalo\",ActionReason=\"oluptas\",ActionExtraDetails=\"emvele\"", + "file.directory": "emporain", + "file.name": "ssecil", + "fileset.name": "corepas", + "host.ip": "10.211.179.168", + "input.type": "log", + "log.level": "very-high", + "log.offset": 18304, + "observer.product": "orroq", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6677", + "related.ip": [ + "10.211.179.168" + ], + "related.user": [ + "mmodoc", + "ritati", + "untincul" + ], + "rsa.db.index": "emvele", + "rsa.internal.event_desc": "oluptas", + "rsa.internal.messageid": "67", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "ntiumto", + "rsa.misc.group_object": "commodi", + "rsa.misc.reference_id": "ons", + "rsa.misc.reference_id1": "umetMalo", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.6677", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "mmodoc" + }, + { + "event.action": "cancel", + "event.code": "olorsi", + 
"event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "Sedut 2017-08-08 16:50:15.872538723 +0000 UTC yCiceroi2786.www.test %CYBERARK: MessageID=\"141\";iquamqua 1.4890\",ProductAccount=\"dolore\",ProductProcess=\"nsequat\",EventId=\"olorsi\",EventClass=\"aliq\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"mven\",ActingAddress=\"10.30.243.163\",ActionSourceUser=\"oremag\",ActionTargetUser=\"illu\",ActionObject=\"ruredo\",ActionSafe=\"mac\",ActionLocation=\"temUt\",ActionCategory=\"ptassita\",ActionRequestId=\"its\",ActionReason=\"lore\",ActionExtraDetails=\"idol\"", + "file.directory": "temUt", + "file.name": "ruredo", + "fileset.name": "corepas", + "host.ip": "10.30.243.163", + "input.type": "log", + "log.level": "low", + "log.offset": 18809, + "observer.product": "iquamqua", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4890", + "related.ip": [ + "10.30.243.163" + ], + "related.user": [ + "dolore", + "illu", + "mven" + ], + "rsa.db.index": "idol", + "rsa.internal.event_desc": "lore", + "rsa.internal.messageid": "141", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "ptassita", + "rsa.misc.group_object": "mac", + "rsa.misc.reference_id": "olorsi", + "rsa.misc.reference_id1": "its", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.4890", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "mven" + }, + { + "destination.address": "modocon5089.mail.example", + "destination.port": 5112, + "event.action": "cancel", + "event.code": "26", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2017-08-22 23:52:50.132538723 +0000 UTC urmag7650.api.invalid %CYBERARK: 
MessageID=\"26\";Version=1.1844;Message=cancel;Issuer=amvo;Station=10.6.79.159;File=ommodo;Safe=uptat;Location=idex;Category=ptateve;RequestId=cons;Reason=olorese;Severity=high;SourceUser=ore;TargetUser=quid;GatewayStation=10.212.214.4;TicketID=ddoeius;PolicyID=ugiatn;UserName=midestl;LogonDomain=dictasun3878.internal.localhost;Address=modocon5089.mail.example;CPMStatus=lupta;Port=5112;Database=urExce;DeviceType=asi;ExtraDetails=ectiono;", + "file.directory": "idex", + "file.name": "ommodo", + "fileset.name": "corepas", + "group.name": "ore", + "host.ip": "10.6.79.159", + "input.type": "log", + "log.level": "high", + "log.offset": 19305, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1844", + "related.hosts": [ + "dictasun3878.internal.localhost", + "modocon5089.mail.example" + ], + "related.ip": [ + "10.212.214.4", + "10.6.79.159" + ], + "related.user": [ + "amvo", + "midestl", + "quid" + ], + "rsa.db.database": "urExce", + "rsa.db.index": "ectiono", + "rsa.internal.event_desc": "olorese", + "rsa.internal.messageid": "26", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "ptateve", + "rsa.misc.disposition": "lupta", + "rsa.misc.group": "ore", + "rsa.misc.group_object": "uptat", + "rsa.misc.obj_type": "asi", + "rsa.misc.operation_id": "ddoeius", + "rsa.misc.policy_name": "ugiatn", + "rsa.misc.reference_id": "26", + "rsa.misc.reference_id1": "cons", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.1844", + "rsa.network.domain": "dictasun3878.internal.localhost", + "rsa.network.host_dst": "modocon5089.mail.example", + "server.domain": "dictasun3878.internal.localhost", + "server.registered_domain": "internal.localhost", + "server.subdomain": "dictasun3878", + "server.top_level_domain": "localhost", + "service.type": "cyberark", + "source.ip": [ + "10.212.214.4" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "amvo" + }, + { + "destination.address": 
"tempor1282.www5.localhost", + "destination.port": 7699, + "event.action": "deny", + "event.code": "150", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "onu 2017-09-06 06:55:24.392538723 +0000 UTC liquaUte6729.api.localhost %CYBERARK: MessageID=\"150\";Version=1.3546;Message=deny;Issuer=atDu;Station=10.237.170.202;File=maperi;Safe=agnaaliq;Location=tlaboree;Category=norumet;RequestId=dtempo;Reason=tin;Severity=low;SourceUser=mve;TargetUser=liquide;GatewayStation=10.70.147.46;TicketID=inv;PolicyID=rroq;UserName=rcit;LogonDomain=aecatcup2241.www5.test;Address=tempor1282.www5.localhost;CPMStatus=incidid;Port=7699;Database=taedict;DeviceType=edquian;ExtraDetails=loremeu;", + "file.directory": "tlaboree", + "file.name": "maperi", + "fileset.name": "corepas", + "group.name": "mve", + "host.ip": "10.237.170.202", + "input.type": "log", + "log.level": "low", + "log.offset": 19818, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3546", + "related.hosts": [ + "aecatcup2241.www5.test", + "tempor1282.www5.localhost" + ], + "related.ip": [ + "10.237.170.202", + "10.70.147.46" + ], + "related.user": [ + "atDu", + "liquide", + "rcit" + ], + "rsa.db.database": "taedict", + "rsa.db.index": "loremeu", + "rsa.internal.event_desc": "tin", + "rsa.internal.messageid": "150", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "norumet", + "rsa.misc.disposition": "incidid", + "rsa.misc.group": "mve", + "rsa.misc.group_object": "agnaaliq", + "rsa.misc.obj_type": "edquian", + "rsa.misc.operation_id": "inv", + "rsa.misc.policy_name": "rroq", + "rsa.misc.reference_id": "150", + "rsa.misc.reference_id1": "dtempo", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3546", + "rsa.network.domain": "aecatcup2241.www5.test", + "rsa.network.host_dst": "tempor1282.www5.localhost", + "server.domain": "aecatcup2241.www5.test", + "server.registered_domain": "www5.test", + 
"server.subdomain": "aecatcup2241", + "server.top_level_domain": "test", + "service.type": "cyberark", + "source.ip": [ + "10.70.147.46" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "atDu" + }, + { + "destination.address": "mipsum2964.invalid", + "destination.port": 6825, + "event.action": "allow", + "event.code": "292", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "dmi 2017-09-20 13:57:58.652538723 +0000 UTC untexpl2847.www5.local %CYBERARK: MessageID=\"292\";Version=1.4282;Message=allow;Issuer=emoe;Station=10.179.50.138;File=ehende;Safe=eaqueip;Location=eum;Category=lamc;RequestId=umetMal;Reason=asper;Severity=high;SourceUser=metcons;TargetUser=itasper;GatewayStation=10.228.118.81;TicketID=temquiav;PolicyID=obeata;UserName=tatemU;LogonDomain=mad5185.www5.localhost;Address=mipsum2964.invalid;CPMStatus=doei;Port=6825;Database=toditaut;DeviceType=voluptat;ExtraDetails=ugit;", + "file.directory": "eum", + "file.name": "ehende", + "fileset.name": "corepas", + "group.name": "metcons", + "host.ip": "10.179.50.138", + "input.type": "log", + "log.level": "high", + "log.offset": 20339, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4282", + "related.hosts": [ + "mad5185.www5.localhost", + "mipsum2964.invalid" + ], + "related.ip": [ + "10.179.50.138", + "10.228.118.81" + ], + "related.user": [ + "emoe", + "itasper", + "tatemU" + ], + "rsa.db.database": "toditaut", + "rsa.db.index": "ugit", + "rsa.internal.event_desc": "asper", + "rsa.internal.messageid": "292", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "lamc", + "rsa.misc.disposition": "doei", + "rsa.misc.group": "metcons", + "rsa.misc.group_object": "eaqueip", + "rsa.misc.obj_type": "voluptat", + "rsa.misc.operation_id": "temquiav", + "rsa.misc.policy_name": "obeata", + "rsa.misc.reference_id": "292", + "rsa.misc.reference_id1": "umetMal", + "rsa.misc.severity": 
"high", + "rsa.misc.version": "1.4282", + "rsa.network.domain": "mad5185.www5.localhost", + "rsa.network.host_dst": "mipsum2964.invalid", + "server.domain": "mad5185.www5.localhost", + "server.registered_domain": "www5.localhost", + "server.subdomain": "mad5185", + "server.top_level_domain": "localhost", + "service.type": "cyberark", + "source.ip": [ + "10.228.118.81" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "emoe" + }, + { + "destination.address": "veniamq1236.invalid", + "destination.port": 1458, + "event.action": "cancel", + "event.code": "38", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "October 4 21:00:32 asnu %CYBERARK: MessageID=\"38\";Version=1.3806;Message=cancel;Issuer=henderit;Station=10.49.71.118;File=ationul;Safe=mquisn;Location=queips;Category=midest;RequestId=dex;Reason=ccae;Severity=medium;SourceUser=eavolup;TargetUser=emip;GatewayStation=10.234.165.130;TicketID=ntexplic;PolicyID=uto;UserName=iuntNequ;LogonDomain=esseq7889.www.invalid;Address=veniamq1236.invalid;CPMStatus=emo;Port=1458;Database=veniamqu;DeviceType=licaboN;ExtraDetails=atquo;", + "file.directory": "queips", + "file.name": "ationul", + "fileset.name": "corepas", + "group.name": "eavolup", + "host.ip": "10.49.71.118", + "input.type": "log", + "log.level": "medium", + "log.offset": 20854, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3806", + "related.hosts": [ + "esseq7889.www.invalid", + "veniamq1236.invalid" + ], + "related.ip": [ + "10.234.165.130", + "10.49.71.118" + ], + "related.user": [ + "emip", + "henderit", + "iuntNequ" + ], + "rsa.db.database": "veniamqu", + "rsa.db.index": "atquo", + "rsa.internal.event_desc": "ccae", + "rsa.internal.messageid": "38", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "midest", + "rsa.misc.disposition": "emo", + "rsa.misc.group": "eavolup", + "rsa.misc.group_object": "mquisn", + 
"rsa.misc.obj_type": "licaboN", + "rsa.misc.operation_id": "ntexplic", + "rsa.misc.policy_name": "uto", + "rsa.misc.reference_id": "38", + "rsa.misc.reference_id1": "dex", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3806", + "rsa.network.domain": "esseq7889.www.invalid", + "rsa.network.host_dst": "veniamq1236.invalid", + "server.domain": "esseq7889.www.invalid", + "server.registered_domain": "www.invalid", + "server.subdomain": "esseq7889", + "server.top_level_domain": "invalid", + "service.type": "cyberark", + "source.ip": [ + "10.234.165.130" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "henderit" + }, + { + "event.action": "allow", + "event.code": "tatem", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "udan 2017-10-19 04:03:07.172538723 +0000 UTC yCic5749.www.localhost %CYBERARK: MessageID=\"119\";itanim 1.4024\",ProductAccount=\"olorema\",ProductProcess=\"mollita\",EventId=\"tatem\",EventClass=\"iae\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"emip\",ActingAddress=\"10.199.5.49\",ActionSourceUser=\"stquid\",ActionTargetUser=\"turadipi\",ActionObject=\"usmodi\",ActionSafe=\"ree\",ActionLocation=\"saquaea\",ActionCategory=\"ation\",ActionRequestId=\"luptas\",ActionReason=\"minim\",ActionExtraDetails=\"ataevi\"", + "file.directory": "saquaea", + "file.name": "usmodi", + "fileset.name": "corepas", + "host.ip": "10.199.5.49", + "input.type": "log", + "log.level": "low", + "log.offset": 21327, + "observer.product": "itanim", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4024", + "related.ip": [ + "10.199.5.49" + ], + "related.user": [ + "emip", + "olorema", + "turadipi" + ], + "rsa.db.index": "ataevi", + "rsa.internal.event_desc": "minim", + "rsa.internal.messageid": "119", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "ation", + "rsa.misc.group_object": "ree", + "rsa.misc.reference_id": "tatem", + 
"rsa.misc.reference_id1": "luptas", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.4024", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "emip" + }, + { + "event.action": "allow", + "event.code": "tionula", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"156\";plic 1.7053\",ProductAccount=\"utlabo\",ProductProcess=\"tetur\",EventId=\"tionula\",EventClass=\"ritqu\",EventSeverity=\"very-high\",EventMessage=\"allow\",ActingUserName=\"uamei\",ActingAddress=\"10.193.219.34\",ActionSourceUser=\"onse\",ActionTargetUser=\"olorem\",ActionObject=\"turvel\",ActionSafe=\"eratv\",ActionLocation=\"ipsa\",ActionCategory=\"asuntexp\",ActionRequestId=\"adminim\",ActionReason=\"orisni\",ActionExtraDetails=\"nse\"", + "file.directory": "ipsa", + "file.name": "turvel", + "fileset.name": "corepas", + "host.ip": "10.193.219.34", + "input.type": "log", + "log.level": "very-high", + "log.offset": 21826, + "observer.product": "plic", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7053", + "related.ip": [ + "10.193.219.34" + ], + "related.user": [ + "olorem", + "uamei", + "utlabo" + ], + "rsa.db.index": "nse", + "rsa.internal.event_desc": "orisni", + "rsa.internal.messageid": "156", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "asuntexp", + "rsa.misc.group_object": "eratv", + "rsa.misc.reference_id": "tionula", + "rsa.misc.reference_id1": "adminim", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.7053", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "uamei" + }, + { + "destination.address": "taliqui5348.mail.localdomain", + "destination.port": 6816, + "event.action": "allow", + "event.code": "202", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "November 16 18:08:15 nderi %CYBERARK: 
MessageID=\"202\";Version=1.7083;Message=allow;Issuer=animid;Station=10.120.167.217;File=atuse;Safe=ueipsa;Location=scipitl;Category=eumi;RequestId=quasiarc;Reason=olli;Severity=low;SourceUser=tetura;TargetUser=rsp;GatewayStation=10.174.185.109;TicketID=roquisqu;PolicyID=edolorin;UserName=dolorem;LogonDomain=tem6815.home;Address=taliqui5348.mail.localdomain;CPMStatus=loremag;Port=6816;Database=tsuntinc;DeviceType=inrepreh;ExtraDetails=quovo;", + "file.directory": "scipitl", + "file.name": "atuse", + "fileset.name": "corepas", + "group.name": "tetura", + "host.ip": "10.120.167.217", + "input.type": "log", + "log.level": "low", + "log.offset": 22262, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7083", + "related.hosts": [ + "taliqui5348.mail.localdomain", + "tem6815.home" + ], + "related.ip": [ + "10.120.167.217", + "10.174.185.109" + ], + "related.user": [ + "animid", + "dolorem", + "rsp" + ], + "rsa.db.database": "tsuntinc", + "rsa.db.index": "quovo", + "rsa.internal.event_desc": "olli", + "rsa.internal.messageid": "202", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "eumi", + "rsa.misc.disposition": "loremag", + "rsa.misc.group": "tetura", + "rsa.misc.group_object": "ueipsa", + "rsa.misc.obj_type": "inrepreh", + "rsa.misc.operation_id": "roquisqu", + "rsa.misc.policy_name": "edolorin", + "rsa.misc.reference_id": "202", + "rsa.misc.reference_id1": "quasiarc", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7083", + "rsa.network.domain": "tem6815.home", + "rsa.network.host_dst": "taliqui5348.mail.localdomain", + "server.domain": "tem6815.home", + "server.registered_domain": "tem6815.home", + "server.top_level_domain": "home", + "service.type": "cyberark", + "source.ip": [ + "10.174.185.109" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "animid" + }, + { + "destination.address": "atnulapa3548.www.domain", + "destination.port": 5347, + 
"event.action": "cancel", + "event.code": "133", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"133\";Version=1.1432;Message=cancel;Issuer=atev;Station=10.117.137.159;File=acommodi;Safe=essecill;Location=billoi;Category=moles;RequestId=dipiscin;Reason=olup;Severity=high;SourceUser=undeomni;TargetUser=accusa;GatewayStation=10.141.213.219;TicketID=itat;PolicyID=stlaboru;UserName=ate;LogonDomain=mporainc2064.home;Address=atnulapa3548.www.domain;CPMStatus=radipisc;Port=5347;Database=nibus;DeviceType=vitaed;ExtraDetails=ser;", + "file.directory": "billoi", + "file.name": "acommodi", + "fileset.name": "corepas", + "group.name": "undeomni", + "host.ip": "10.117.137.159", + "input.type": "log", + "log.level": "high", + "log.offset": 22744, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1432", + "related.hosts": [ + "atnulapa3548.www.domain", + "mporainc2064.home" + ], + "related.ip": [ + "10.117.137.159", + "10.141.213.219" + ], + "related.user": [ + "accusa", + "ate", + "atev" + ], + "rsa.db.database": "nibus", + "rsa.db.index": "ser", + "rsa.internal.event_desc": "olup", + "rsa.internal.messageid": "133", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "moles", + "rsa.misc.disposition": "radipisc", + "rsa.misc.group": "undeomni", + "rsa.misc.group_object": "essecill", + "rsa.misc.obj_type": "vitaed", + "rsa.misc.operation_id": "itat", + "rsa.misc.policy_name": "stlaboru", + "rsa.misc.reference_id": "133", + "rsa.misc.reference_id1": "dipiscin", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.1432", + "rsa.network.domain": "mporainc2064.home", + "rsa.network.host_dst": "atnulapa3548.www.domain", + "server.domain": "mporainc2064.home", + "server.registered_domain": "mporainc2064.home", + "server.top_level_domain": "home", + "service.type": "cyberark", + "source.ip": [ + "10.141.213.219" + ], + "tags": [ + 
"cyberark.corepas", + "forwarded" + ], + "user.name": "atev" + }, + { + "destination.address": "litesseq6785.host", + "destination.port": 7390, + "event.action": "cancel", + "event.code": "104", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2017-12-15 08:13:24.212538723 +0000 UTC ill6772.www.invalid %CYBERARK: MessageID=\"104\";Version=1.4043;Message=cancel;Issuer=rem;Station=10.166.90.130;File=mdolore;Safe=eosquira;Location=pta;Category=snos;RequestId=orsi;Reason=tetura;Severity=very-high;SourceUser=lorsita;TargetUser=eavol;GatewayStation=10.94.224.229;TicketID=lupta;PolicyID=npr;UserName=etconsec;LogonDomain=caboNem1043.internal.home;Address=litesseq6785.host;CPMStatus=tob;Port=7390;Database=oditempo;DeviceType=doeiu;ExtraDetails=deF;", + "file.directory": "pta", + "file.name": "mdolore", + "fileset.name": "corepas", + "group.name": "lorsita", + "host.ip": "10.166.90.130", + "input.type": "log", + "log.level": "very-high", + "log.offset": 23195, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4043", + "related.hosts": [ + "caboNem1043.internal.home", + "litesseq6785.host" + ], + "related.ip": [ + "10.166.90.130", + "10.94.224.229" + ], + "related.user": [ + "eavol", + "etconsec", + "rem" + ], + "rsa.db.database": "oditempo", + "rsa.db.index": "deF", + "rsa.internal.event_desc": "tetura", + "rsa.internal.messageid": "104", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "User", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "snos", + "rsa.misc.disposition": "tob", + "rsa.misc.group": "lorsita", + "rsa.misc.group_object": "eosquira", + "rsa.misc.obj_type": "doeiu", + "rsa.misc.operation_id": "lupta", + "rsa.misc.policy_name": "npr", + "rsa.misc.reference_id": "104", + "rsa.misc.reference_id1": "orsi", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.4043", + "rsa.network.domain": 
"caboNem1043.internal.home", + "rsa.network.host_dst": "litesseq6785.host", + "server.domain": "caboNem1043.internal.home", + "server.registered_domain": "internal.home", + "server.subdomain": "caboNem1043", + "server.top_level_domain": "home", + "service.type": "cyberark", + "source.ip": [ + "10.94.224.229" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "rem" + }, + { + "destination.address": "onnu2272.mail.corp", + "destination.port": 6064, + "event.action": "deny", + "event.code": "316", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "rcitat 2017-12-29 15:15:58.472538723 +0000 UTC dolorema2984.www.home %CYBERARK: MessageID=\"316\";Version=1.2456;Message=deny;Issuer=tiumto;Station=10.38.28.151;File=nrepreh;Safe=ratv;Location=alorum;Category=mquisn;RequestId=atq;Reason=erspi;Severity=low;SourceUser=ugiatquo;TargetUser=incidid;GatewayStation=10.201.81.46;TicketID=sBonor;PolicyID=fugits;UserName=mipsumqu;LogonDomain=tatio6513.www.invalid;Address=onnu2272.mail.corp;CPMStatus=atatnon;Port=6064;Database=abor;DeviceType=magnid;ExtraDetails=adol;", + "file.directory": "alorum", + "file.name": "nrepreh", + "fileset.name": "corepas", + "group.name": "ugiatquo", + "host.ip": "10.38.28.151", + "input.type": "log", + "log.level": "low", + "log.offset": 23699, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2456", + "related.hosts": [ + "onnu2272.mail.corp", + "tatio6513.www.invalid" + ], + "related.ip": [ + "10.201.81.46", + "10.38.28.151" + ], + "related.user": [ + "incidid", + "mipsumqu", + "tiumto" + ], + "rsa.db.database": "abor", + "rsa.db.index": "adol", + "rsa.internal.event_desc": "erspi", + "rsa.internal.messageid": "316", + "rsa.investigations.ec_activity": "Modify", + "rsa.investigations.ec_theme": "Password", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "mquisn", + "rsa.misc.disposition": "atatnon", + 
"rsa.misc.group": "ugiatquo", + "rsa.misc.group_object": "ratv", + "rsa.misc.obj_type": "magnid", + "rsa.misc.operation_id": "sBonor", + "rsa.misc.policy_name": "fugits", + "rsa.misc.reference_id": "316", + "rsa.misc.reference_id1": "atq", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.2456", + "rsa.network.domain": "tatio6513.www.invalid", + "rsa.network.host_dst": "onnu2272.mail.corp", + "server.domain": "tatio6513.www.invalid", + "server.registered_domain": "www.invalid", + "server.subdomain": "tatio6513", + "server.top_level_domain": "invalid", + "service.type": "cyberark", + "source.ip": [ + "10.201.81.46" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tiumto" + }, + { + "destination.address": "llit958.www.domain", + "destination.port": 2957, + "event.action": "deny", + "event.code": "266", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "January 12 22:18:32 niam %CYBERARK: MessageID=\"266\";Version=1.2721;Message=deny;Issuer=rerepre;Station=10.214.245.95;File=quiineav;Safe=billoinv;Location=sci;Category=col;RequestId=obea;Reason=emp;Severity=medium;SourceUser=luptas;TargetUser=uptatem;GatewayStation=10.255.28.56;TicketID=inrepr;PolicyID=mol;UserName=umdolors;LogonDomain=dolori6232.api.invalid;Address=llit958.www.domain;CPMStatus=tat;Port=2957;Database=odt;DeviceType=cillumd;ExtraDetails=riosa;", + "file.directory": "sci", + "file.name": "quiineav", + "fileset.name": "corepas", + "group.name": "luptas", + "host.ip": "10.214.245.95", + "input.type": "log", + "log.level": "medium", + "log.offset": 24210, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2721", + "related.hosts": [ + "dolori6232.api.invalid", + "llit958.www.domain" + ], + "related.ip": [ + "10.214.245.95", + "10.255.28.56" + ], + "related.user": [ + "rerepre", + "umdolors", + "uptatem" + ], + "rsa.db.database": "odt", + "rsa.db.index": "riosa", + 
"rsa.internal.event_desc": "emp", + "rsa.internal.messageid": "266", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "col", + "rsa.misc.disposition": "tat", + "rsa.misc.group": "luptas", + "rsa.misc.group_object": "billoinv", + "rsa.misc.obj_type": "cillumd", + "rsa.misc.operation_id": "inrepr", + "rsa.misc.policy_name": "mol", + "rsa.misc.reference_id": "266", + "rsa.misc.reference_id1": "obea", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.2721", + "rsa.network.domain": "dolori6232.api.invalid", + "rsa.network.host_dst": "llit958.www.domain", + "server.domain": "dolori6232.api.invalid", + "server.registered_domain": "api.invalid", + "server.subdomain": "dolori6232", + "server.top_level_domain": "invalid", + "service.type": "cyberark", + "source.ip": [ + "10.255.28.56" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "rerepre" + }, + { + "event.action": "cancel", + "event.code": "nim", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "January 27 05:21:06 lapar %CYBERARK: MessageID=\"311\";ritati 1.3219\",ProductAccount=\"qui\",ProductProcess=\"otamr\",EventId=\"nim\",EventClass=\"ame\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"mip\",ActingAddress=\"10.45.35.180\",ActionSourceUser=\"mvolupta\",ActionTargetUser=\"Utenima\",ActionObject=\"iqua\",ActionSafe=\"luptat\",ActionLocation=\"deriti\",ActionCategory=\"sintocc\",ActionRequestId=\"cididu\",ActionReason=\"uteir\",ActionExtraDetails=\"boree\"", + "file.directory": "deriti", + "file.name": "iqua", + "fileset.name": "corepas", + "host.ip": "10.45.35.180", + "input.type": "log", + "log.level": "very-high", + "log.offset": 24673, + "observer.product": "ritati", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3219", + "related.ip": [ + "10.45.35.180" + ], + "related.user": [ + "Utenima", + "mip", + "qui" + ], + "rsa.db.index": "boree", + "rsa.internal.event_desc": 
"uteir", + "rsa.internal.messageid": "311", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "sintocc", + "rsa.misc.group_object": "luptat", + "rsa.misc.reference_id": "nim", + "rsa.misc.reference_id1": "cididu", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3219", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "mip" + }, + { + "event.action": "accept", + "event.code": "scivel", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "February 10 12:23:41 diduntu %CYBERARK: MessageID=\"285\";eiusmod 1.7546\",ProductAccount=\"ess\",ProductProcess=\"uide\",EventId=\"scivel\",EventClass=\"henderi\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"enim\",ActingAddress=\"10.141.200.133\",ActionSourceUser=\"ersp\",ActionTargetUser=\"iame\",ActionObject=\"orroquis\",ActionSafe=\"aquio\",ActionLocation=\"riatu\",ActionCategory=\"loinve\",ActionRequestId=\"tanimid\",ActionReason=\"isnostru\",ActionExtraDetails=\"nofdeFi\"", + "file.directory": "riatu", + "file.name": "orroquis", + "fileset.name": "corepas", + "host.ip": "10.141.200.133", + "input.type": "log", + "log.level": "low", + "log.offset": 25131, + "observer.product": "eiusmod", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7546", + "related.ip": [ + "10.141.200.133" + ], + "related.user": [ + "enim", + "ess", + "iame" + ], + "rsa.db.index": "nofdeFi", + "rsa.internal.event_desc": "isnostru", + "rsa.internal.messageid": "285", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "loinve", + "rsa.misc.group_object": "aquio", + "rsa.misc.reference_id": "scivel", + "rsa.misc.reference_id1": "tanimid", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7546", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "enim" + }, + { + "event.action": "accept", + "event.code": "rationev", + 
"event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"155\";ulap 1.3765\",ProductAccount=\"illoi\",ProductProcess=\"reetdolo\",EventId=\"rationev\",EventClass=\"ehender\",EventSeverity=\"medium\",EventMessage=\"accept\",ActingUserName=\"ugi\",ActingAddress=\"10.83.238.145\",ActionSourceUser=\"ptatems\",ActionTargetUser=\"runtmo\",ActionObject=\"ore\",ActionSafe=\"isund\",ActionLocation=\"exerci\",ActionCategory=\"tas\",ActionRequestId=\"oraincid\",ActionReason=\"quaer\",ActionExtraDetails=\"eetdo\"", + "file.directory": "exerci", + "file.name": "ore", + "fileset.name": "corepas", + "host.ip": "10.83.238.145", + "input.type": "log", + "log.level": "medium", + "log.offset": 25596, + "observer.product": "ulap", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3765", + "related.ip": [ + "10.83.238.145" + ], + "related.user": [ + "illoi", + "runtmo", + "ugi" + ], + "rsa.db.index": "eetdo", + "rsa.internal.event_desc": "quaer", + "rsa.internal.messageid": "155", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "tas", + "rsa.misc.group_object": "isund", + "rsa.misc.reference_id": "rationev", + "rsa.misc.reference_id1": "oraincid", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3765", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ugi" + }, + { + "destination.address": "llamc6724.www.lan", + "destination.port": 4020, + "event.action": "block", + "event.code": "48", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2018-03-11 02:28:49.772538723 +0000 UTC aali6869.api.localdomain %CYBERARK: 
MessageID=\"48\";Version=1.3147;Message=block;Issuer=sedquiac;Station=10.39.143.155;File=ipsaqu;Safe=nisiut;Location=rumwri;Category=velill;RequestId=ore;Reason=tation;Severity=very-high;SourceUser=porincid;TargetUser=tperspic;GatewayStation=10.41.89.217;TicketID=ict;PolicyID=squirati;UserName=tem;LogonDomain=mestq2106.api.host;Address=llamc6724.www.lan;CPMStatus=tesseci;Port=4020;Database=radipis;DeviceType=cive;ExtraDetails=nse;", + "file.directory": "rumwri", + "file.name": "ipsaqu", + "fileset.name": "corepas", + "group.name": "porincid", + "host.ip": "10.39.143.155", + "input.type": "log", + "log.level": "very-high", + "log.offset": 26032, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3147", + "related.hosts": [ + "llamc6724.www.lan", + "mestq2106.api.host" + ], + "related.ip": [ + "10.39.143.155", + "10.41.89.217" + ], + "related.user": [ + "sedquiac", + "tem", + "tperspic" + ], + "rsa.db.database": "radipis", + "rsa.db.index": "nse", + "rsa.internal.event_desc": "tation", + "rsa.internal.messageid": "48", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "velill", + "rsa.misc.disposition": "tesseci", + "rsa.misc.group": "porincid", + "rsa.misc.group_object": "nisiut", + "rsa.misc.obj_type": "cive", + "rsa.misc.operation_id": "ict", + "rsa.misc.policy_name": "squirati", + "rsa.misc.reference_id": "48", + "rsa.misc.reference_id1": "ore", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3147", + "rsa.network.domain": "mestq2106.api.host", + "rsa.network.host_dst": "llamc6724.www.lan", + "server.domain": "mestq2106.api.host", + "server.registered_domain": "api.host", + "server.subdomain": "mestq2106", + "server.top_level_domain": "host", + "service.type": "cyberark", + "source.ip": [ + "10.41.89.217" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "sedquiac" + }, + { + "destination.address": "reseosqu1629.mail.lan", + "destination.port": 5325, + 
"event.action": "accept", + "event.code": "378", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "isnisiu 2018-03-25 09:31:24.032538723 +0000 UTC suntincu2940.www5.domain %CYBERARK: MessageID=\"378\";Version=1.6382;Message=accept;Issuer=minim;Station=10.5.5.1;File=reseosq;Safe=gna;Location=isiutali;Category=lumqu;RequestId=onulamco;Reason=ons;Severity=low;SourceUser=uptat;TargetUser=unt;GatewayStation=10.153.123.20;TicketID=tla;PolicyID=mquiad;UserName=CSe;LogonDomain=lors7553.api.local;Address=reseosqu1629.mail.lan;CPMStatus=utemvel;Port=5325;Database=atu;DeviceType=iusm;ExtraDetails=roi;", + "file.directory": "isiutali", + "file.name": "reseosq", + "fileset.name": "corepas", + "group.name": "uptat", + "host.ip": "10.5.5.1", + "input.type": "log", + "log.level": "low", + "log.offset": 26541, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6382", + "related.hosts": [ + "lors7553.api.local", + "reseosqu1629.mail.lan" + ], + "related.ip": [ + "10.153.123.20", + "10.5.5.1" + ], + "related.user": [ + "CSe", + "minim", + "unt" + ], + "rsa.db.database": "atu", + "rsa.db.index": "roi", + "rsa.internal.event_desc": "ons", + "rsa.internal.messageid": "378", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "lumqu", + "rsa.misc.disposition": "utemvel", + "rsa.misc.group": "uptat", + "rsa.misc.group_object": "gna", + "rsa.misc.obj_type": "iusm", + "rsa.misc.operation_id": "tla", + "rsa.misc.policy_name": "mquiad", + "rsa.misc.reference_id": "378", + "rsa.misc.reference_id1": "onulamco", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.6382", + "rsa.network.domain": "lors7553.api.local", + "rsa.network.host_dst": "reseosqu1629.mail.lan", + "server.domain": "lors7553.api.local", + "server.registered_domain": "api.local", + "server.subdomain": "lors7553", + "server.top_level_domain": "local", + "service.type": "cyberark", + "source.ip": [ + 
"10.153.123.20" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "minim" + }, + { + "destination.address": "orumSe4514.www.corp", + "destination.port": 80, + "event.action": "deny", + "event.code": "269", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2018-04-08 16:33:58.292538723 +0000 UTC rere5274.mail.domain %CYBERARK: MessageID=\"269\";Version=1.3193;Message=deny;Issuer=iamea;Station=10.210.61.109;File=tiumto;Safe=cor;Location=odoco;Category=oin;RequestId=itseddoe;Reason=elites;Severity=low;SourceUser=uamei;TargetUser=eursinto;GatewayStation=10.168.132.175;TicketID=licaboNe;PolicyID=tautfug;UserName=giatquov;LogonDomain=olu5333.www.domain;Address=orumSe4514.www.corp;CPMStatus=umquam;Port=80;Database=ici;DeviceType=nisiuta;ExtraDetails=iquaUt;", + "file.directory": "odoco", + "file.name": "tiumto", + "fileset.name": "corepas", + "group.name": "uamei", + "host.ip": "10.210.61.109", + "input.type": "log", + "log.level": "low", + "log.offset": 27038, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3193", + "related.hosts": [ + "olu5333.www.domain", + "orumSe4514.www.corp" + ], + "related.ip": [ + "10.168.132.175", + "10.210.61.109" + ], + "related.user": [ + "eursinto", + "giatquov", + "iamea" + ], + "rsa.db.database": "ici", + "rsa.db.index": "iquaUt", + "rsa.internal.event_desc": "elites", + "rsa.internal.messageid": "269", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "oin", + "rsa.misc.disposition": "umquam", + "rsa.misc.group": "uamei", + "rsa.misc.group_object": "cor", + "rsa.misc.obj_type": "nisiuta", + "rsa.misc.operation_id": "licaboNe", + "rsa.misc.policy_name": "tautfug", + "rsa.misc.reference_id": "269", + "rsa.misc.reference_id1": "itseddoe", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3193", + "rsa.network.domain": "olu5333.www.domain", + "rsa.network.host_dst": "orumSe4514.www.corp", + 
"server.domain": "olu5333.www.domain", + "server.registered_domain": "www.domain", + "server.subdomain": "olu5333", + "server.top_level_domain": "domain", + "service.type": "cyberark", + "source.ip": [ + "10.168.132.175" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "iamea" + }, + { + "event.action": "accept", + "event.code": "olup", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"176\";atnula 1.5038\",ProductAccount=\"lmo\",ProductProcess=\"iquidex\",EventId=\"olup\",EventClass=\"remipsu\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"quiac\",ActingAddress=\"10.123.154.17\",ActionSourceUser=\"etdol\",ActionTargetUser=\"dolorsi\",ActionObject=\"nturmag\",ActionSafe=\"tura\",ActionLocation=\"osquirat\",ActionCategory=\"equat\",ActionRequestId=\"aliquid\",ActionReason=\"usantiu\",ActionExtraDetails=\"idunt\"", + "file.directory": "osquirat", + "file.name": "nturmag", + "fileset.name": "corepas", + "host.ip": "10.123.154.17", + "input.type": "log", + "log.level": "low", + "log.offset": 27541, + "observer.product": "atnula", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5038", + "related.ip": [ + "10.123.154.17" + ], + "related.user": [ + "dolorsi", + "lmo", + "quiac" + ], + "rsa.db.index": "idunt", + "rsa.internal.event_desc": "usantiu", + "rsa.internal.messageid": "176", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "equat", + "rsa.misc.group_object": "tura", + "rsa.misc.reference_id": "olup", + "rsa.misc.reference_id1": "aliquid", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.5038", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "quiac" + }, + { + "event.action": "deny", + "event.code": "lpaquiof", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"4\";min 
1.136\",ProductAccount=\"xplic\",ProductProcess=\"eseruntm\",EventId=\"lpaquiof\",EventClass=\"oloreeu\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"etquasia\",ActingAddress=\"10.169.123.103\",ActionSourceUser=\"riatur\",ActionTargetUser=\"oeni\",ActionObject=\"dol\",ActionSafe=\"dol\",ActionLocation=\"atur\",ActionCategory=\"issu\",ActionRequestId=\"identsu\",ActionReason=\"piscivel\",ActionExtraDetails=\"hend\"", + "event.outcome": "failure", + "file.directory": "atur", + "file.name": "dol", + "fileset.name": "corepas", + "host.ip": "10.169.123.103", + "input.type": "log", + "log.level": "very-high", + "log.offset": 27978, + "observer.product": "min", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.136", + "related.ip": [ + "10.169.123.103" + ], + "related.user": [ + "etquasia", + "oeni", + "xplic" + ], + "rsa.db.index": "hend", + "rsa.internal.event_desc": "piscivel", + "rsa.internal.messageid": "4", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "issu", + "rsa.misc.group_object": "dol", + "rsa.misc.reference_id": "lpaquiof", + "rsa.misc.reference_id1": "identsu", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.136", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "etquasia" + }, + { + "event.action": "cancel", + "event.code": "scipi", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"276\";aer 
1.7744\",ProductAccount=\"iati\",ProductProcess=\"minim\",EventId=\"scipi\",EventClass=\"tur\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"Nemoenim\",ActingAddress=\"10.126.205.76\",ActionSourceUser=\"etur\",ActionTargetUser=\"rsitvol\",ActionObject=\"utali\",ActionSafe=\"sed\",ActionLocation=\"xeac\",ActionCategory=\"umdolors\",ActionRequestId=\"lumdo\",ActionReason=\"acom\",ActionExtraDetails=\"eFini\"", + "file.directory": "xeac", + "file.name": "utali", + "fileset.name": "corepas", + "host.ip": "10.126.205.76", + "input.type": "log", + "log.level": "very-high", + "log.offset": 28412, + "observer.product": "aer", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7744", + "related.ip": [ + "10.126.205.76" + ], + "related.user": [ + "Nemoenim", + "iati", + "rsitvol" + ], + "rsa.db.index": "eFini", + "rsa.internal.event_desc": "acom", + "rsa.internal.messageid": "276", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "umdolors", + "rsa.misc.group_object": "sed", + "rsa.misc.reference_id": "scipi", + "rsa.misc.reference_id1": "lumdo", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.7744", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "Nemoenim" + }, + { + "destination.address": "mmodoco2581.www5.host", + "destination.port": 3575, + "event.action": "accept", + "event.code": "38", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "June 4 20:44:15 uovol %CYBERARK: 
MessageID=\"38\";Version=1.3184;Message=accept;Issuer=eufug;Station=10.164.66.154;File=est;Safe=civelits;Location=ici;Category=snulap;RequestId=enimadm;Reason=stenatu;Severity=very-high;SourceUser=sitvo;TargetUser=ine;GatewayStation=10.169.101.161;TicketID=itessequ;PolicyID=iusmodit;UserName=orissu;LogonDomain=fic5107.home;Address=mmodoco2581.www5.host;CPMStatus=isiutali;Port=3575;Database=stquidol;DeviceType=Nemoenim;ExtraDetails=imadmini;", + "file.directory": "ici", + "file.name": "est", + "fileset.name": "corepas", + "group.name": "sitvo", + "host.ip": "10.164.66.154", + "input.type": "log", + "log.level": "very-high", + "log.offset": 28841, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3184", + "related.hosts": [ + "fic5107.home", + "mmodoco2581.www5.host" + ], + "related.ip": [ + "10.164.66.154", + "10.169.101.161" + ], + "related.user": [ + "eufug", + "ine", + "orissu" + ], + "rsa.db.database": "stquidol", + "rsa.db.index": "imadmini", + "rsa.internal.event_desc": "stenatu", + "rsa.internal.messageid": "38", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "snulap", + "rsa.misc.disposition": "isiutali", + "rsa.misc.group": "sitvo", + "rsa.misc.group_object": "civelits", + "rsa.misc.obj_type": "Nemoenim", + "rsa.misc.operation_id": "itessequ", + "rsa.misc.policy_name": "iusmodit", + "rsa.misc.reference_id": "38", + "rsa.misc.reference_id1": "enimadm", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3184", + "rsa.network.domain": "fic5107.home", + "rsa.network.host_dst": "mmodoco2581.www5.host", + "server.domain": "fic5107.home", + "server.registered_domain": "fic5107.home", + "server.top_level_domain": "home", + "service.type": "cyberark", + "source.ip": [ + "10.169.101.161" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "eufug" + }, + { + "event.action": "block", + "event.code": "ons", + "event.dataset": "cyberark.corepas", + 
"event.module": "cyberark", + "event.original": "amvo 2018-06-19 03:46:49.592538723 +0000 UTC tnul6235.www5.lan %CYBERARK: MessageID=\"79\";isau 1.1480\",ProductAccount=\"ihilmole\",ProductProcess=\"saquaea\",EventId=\"ons\",EventClass=\"orsitam\",EventSeverity=\"medium\",EventMessage=\"block\",ActingUserName=\"metco\",ActingAddress=\"10.70.83.200\",ActionSourceUser=\"riame\",ActionTargetUser=\"riat\",ActionObject=\"sseq\",ActionSafe=\"eriam\",ActionLocation=\"pernat\",ActionCategory=\"udan\",ActionRequestId=\"archi\",ActionReason=\"iutaliq\",ActionExtraDetails=\"urQuis\"", + "file.directory": "pernat", + "file.name": "sseq", + "fileset.name": "corepas", + "host.ip": "10.70.83.200", + "input.type": "log", + "log.level": "medium", + "log.offset": 29317, + "observer.product": "isau", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1480", + "related.ip": [ + "10.70.83.200" + ], + "related.user": [ + "ihilmole", + "metco", + "riat" + ], + "rsa.db.index": "urQuis", + "rsa.internal.event_desc": "iutaliq", + "rsa.internal.messageid": "79", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "udan", + "rsa.misc.group_object": "eriam", + "rsa.misc.reference_id": "ons", + "rsa.misc.reference_id1": "archi", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.1480", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "metco" + }, + { + "destination.address": "oremqu7663.local", + "destination.port": 5816, + "event.action": "block", + "event.code": "53", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "July 3 10:49:23 orum %CYBERARK: 
MessageID=\"53\";Version=1.4887;Message=block;Issuer=madminim;Station=10.207.97.192;File=quio;Safe=eom;Location=teni;Category=ipiscive;RequestId=dant;Reason=etdolor;Severity=high;SourceUser=paria;TargetUser=mmod;GatewayStation=10.134.55.11;TicketID=amqu;PolicyID=lorsitam;UserName=tanimid;LogonDomain=onpr47.api.home;Address=oremqu7663.local;CPMStatus=llumq;Port=5816;Database=tetura;DeviceType=rumet;ExtraDetails=uptasnul;", + "file.directory": "teni", + "file.name": "quio", + "fileset.name": "corepas", + "group.name": "paria", + "host.ip": "10.207.97.192", + "input.type": "log", + "log.level": "high", + "log.offset": 29810, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4887", + "related.hosts": [ + "onpr47.api.home", + "oremqu7663.local" + ], + "related.ip": [ + "10.134.55.11", + "10.207.97.192" + ], + "related.user": [ + "madminim", + "mmod", + "tanimid" + ], + "rsa.db.database": "tetura", + "rsa.db.index": "uptasnul", + "rsa.internal.event_desc": "etdolor", + "rsa.internal.messageid": "53", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "ipiscive", + "rsa.misc.disposition": "llumq", + "rsa.misc.group": "paria", + "rsa.misc.group_object": "eom", + "rsa.misc.obj_type": "rumet", + "rsa.misc.operation_id": "amqu", + "rsa.misc.policy_name": "lorsitam", + "rsa.misc.reference_id": "53", + "rsa.misc.reference_id1": "dant", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.4887", + "rsa.network.domain": "onpr47.api.home", + "rsa.network.host_dst": "oremqu7663.local", + "server.domain": "onpr47.api.home", + "server.registered_domain": "api.home", + "server.subdomain": "onpr47", + "server.top_level_domain": "home", + "service.type": "cyberark", + "source.ip": [ + "10.134.55.11" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "madminim" + }, + { + "destination.address": "eve234.www5.local", + "destination.port": 2783, + "event.action": "cancel", + "event.code": 
"75", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2018-07-17 17:51:58.112538723 +0000 UTC nde2358.mail.corp %CYBERARK: MessageID=\"75\";Version=1.3601;Message=cancel;Issuer=texplica;Station=10.52.150.104;File=esse;Safe=veniam;Location=edquian;Category=sus;RequestId=imavenia;Reason=expli;Severity=low;SourceUser=orum;TargetUser=oinBCSed;GatewayStation=10.31.187.19;TicketID=ilm;PolicyID=mvel;UserName=eritq;LogonDomain=rehen4859.api.host;Address=eve234.www5.local;CPMStatus=nula;Port=2783;Database=lit;DeviceType=santi;ExtraDetails=ritati;", + "file.directory": "edquian", + "file.name": "esse", + "fileset.name": "corepas", + "group.name": "orum", + "host.ip": "10.52.150.104", + "input.type": "log", + "log.level": "low", + "log.offset": 30264, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3601", + "related.hosts": [ + "eve234.www5.local", + "rehen4859.api.host" + ], + "related.ip": [ + "10.31.187.19", + "10.52.150.104" + ], + "related.user": [ + "eritq", + "oinBCSed", + "texplica" + ], + "rsa.db.database": "lit", + "rsa.db.index": "ritati", + "rsa.internal.event_desc": "expli", + "rsa.internal.messageid": "75", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "sus", + "rsa.misc.disposition": "nula", + "rsa.misc.group": "orum", + "rsa.misc.group_object": "veniam", + "rsa.misc.obj_type": "santi", + "rsa.misc.operation_id": "ilm", + "rsa.misc.policy_name": "mvel", + "rsa.misc.reference_id": "75", + "rsa.misc.reference_id1": "imavenia", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3601", + "rsa.network.domain": "rehen4859.api.host", + "rsa.network.host_dst": "eve234.www5.local", + "server.domain": "rehen4859.api.host", + "server.registered_domain": "api.host", + "server.subdomain": "rehen4859", + "server.top_level_domain": "host", + "service.type": "cyberark", + "source.ip": [ + "10.31.187.19" + ], + "tags": [ + "cyberark.corepas", + 
"forwarded" + ], + "user.name": "texplica" + }, + { + "destination.address": "fficia2304.www5.home", + "destination.port": 2396, + "event.action": "allow", + "event.code": "89", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "dip 2018-08-01 00:54:32.372538723 +0000 UTC idolo5292.local %CYBERARK: MessageID=\"89\";Version=1.3175;Message=allow;Issuer=runtm;Station=10.41.232.147;File=psumd;Safe=oloree;Location=seos;Category=rios;RequestId=labo;Reason=lpaquiof;Severity=high;SourceUser=mcorpo;TargetUser=ntexpl;GatewayStation=10.61.175.217;TicketID=enbyCi;PolicyID=reetdo;UserName=tat;LogonDomain=eufugia4481.corp;Address=fficia2304.www5.home;CPMStatus=vel;Port=2396;Database=rere;DeviceType=pta;ExtraDetails=nonn;", + "file.directory": "seos", + "file.name": "psumd", + "fileset.name": "corepas", + "group.name": "mcorpo", + "host.ip": "10.41.232.147", + "input.type": "log", + "log.level": "high", + "log.offset": 30752, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3175", + "related.hosts": [ + "eufugia4481.corp", + "fficia2304.www5.home" + ], + "related.ip": [ + "10.41.232.147", + "10.61.175.217" + ], + "related.user": [ + "ntexpl", + "runtm", + "tat" + ], + "rsa.db.database": "rere", + "rsa.db.index": "nonn", + "rsa.internal.event_desc": "lpaquiof", + "rsa.internal.messageid": "89", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "rios", + "rsa.misc.disposition": "vel", + "rsa.misc.group": "mcorpo", + "rsa.misc.group_object": "oloree", + "rsa.misc.obj_type": "pta", + "rsa.misc.operation_id": "enbyCi", + "rsa.misc.policy_name": "reetdo", + "rsa.misc.reference_id": "89", + "rsa.misc.reference_id1": "labo", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.3175", + "rsa.network.domain": "eufugia4481.corp", + "rsa.network.host_dst": "fficia2304.www5.home", + "server.domain": "eufugia4481.corp", + "server.registered_domain": "eufugia4481.corp", + 
"server.top_level_domain": "corp", + "service.type": "cyberark", + "source.ip": [ + "10.61.175.217" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "runtm" + }, + { + "event.action": "deny", + "event.code": "ntut", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "August 15 07:57:06 volup %CYBERARK: MessageID=\"261\";ptate 1.3830\",ProductAccount=\"uisnos\",ProductProcess=\"quamqua\",EventId=\"ntut\",EventClass=\"mag\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"mini\",ActingAddress=\"10.150.30.95\",ActionSourceUser=\"tur\",ActionTargetUser=\"atnonpr\",ActionObject=\"ita\",ActionSafe=\"amquaer\",ActionLocation=\"aqui\",ActionCategory=\"enby\",ActionRequestId=\"lpa\",ActionReason=\"isn\",ActionExtraDetails=\"smod\"", + "file.directory": "aqui", + "file.name": "ita", + "fileset.name": "corepas", + "host.ip": "10.150.30.95", + "input.type": "log", + "log.level": "very-high", + "log.offset": 31238, + "observer.product": "ptate", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3830", + "related.ip": [ + "10.150.30.95" + ], + "related.user": [ + "atnonpr", + "mini", + "uisnos" + ], + "rsa.db.index": "smod", + "rsa.internal.event_desc": "isn", + "rsa.internal.messageid": "261", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "enby", + "rsa.misc.group_object": "amquaer", + "rsa.misc.reference_id": "ntut", + "rsa.misc.reference_id1": "lpa", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3830", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "mini" + }, + { + "event.action": "deny", + "event.code": "inesciu", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "August 29 14:59:40 siuta %CYBERARK: MessageID=\"66\";atev 
1.6626\",ProductAccount=\"CSe\",ProductProcess=\"exerci\",EventId=\"inesciu\",EventClass=\"quid\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"onse\",ActingAddress=\"10.98.71.45\",ActionSourceUser=\"destla\",ActionTargetUser=\"fugitse\",ActionObject=\"minimve\",ActionSafe=\"serrorsi\",ActionLocation=\"tametco\",ActionCategory=\"mquisnos\",ActionRequestId=\"lore\",ActionReason=\"isci\",ActionExtraDetails=\"Dui\"", + "file.directory": "tametco", + "file.name": "minimve", + "fileset.name": "corepas", + "host.ip": "10.98.71.45", + "input.type": "log", + "log.level": "high", + "log.offset": 31683, + "observer.product": "atev", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6626", + "related.ip": [ + "10.98.71.45" + ], + "related.user": [ + "CSe", + "fugitse", + "onse" + ], + "rsa.db.index": "Dui", + "rsa.internal.event_desc": "isci", + "rsa.internal.messageid": "66", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "mquisnos", + "rsa.misc.group_object": "serrorsi", + "rsa.misc.reference_id": "inesciu", + "rsa.misc.reference_id1": "lore", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.6626", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "onse" + }, + { + "event.action": "deny", + "event.code": "ianonnum", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "lup 2018-09-12 22:02:15.152538723 +0000 UTC iumtotam1010.www5.corp %CYBERARK: MessageID=\"168\";userror 1.5986\",ProductAccount=\"nonn\",ProductProcess=\"hite\",EventId=\"ianonnum\",EventClass=\"nofdeFi\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"remq\",ActingAddress=\"10.252.251.143\",ActionSourceUser=\"velill\",ActionTargetUser=\"rspic\",ActionObject=\"orinrepr\",ActionSafe=\"ror\",ActionLocation=\"onsecte\",ActionCategory=\"doei\",ActionRequestId=\"nvolupta\",ActionReason=\"tev\",ActionExtraDetails=\"nre\"", + "file.directory": 
"onsecte", + "file.name": "orinrepr", + "fileset.name": "corepas", + "host.ip": "10.252.251.143", + "input.type": "log", + "log.level": "medium", + "log.offset": 32136, + "observer.product": "userror", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5986", + "related.ip": [ + "10.252.251.143" + ], + "related.user": [ + "nonn", + "remq", + "rspic" + ], + "rsa.db.index": "nre", + "rsa.internal.event_desc": "tev", + "rsa.internal.messageid": "168", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "doei", + "rsa.misc.group_object": "ror", + "rsa.misc.reference_id": "ianonnum", + "rsa.misc.reference_id1": "nvolupta", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5986", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "remq" + }, + { + "event.action": "accept", + "event.code": "lupta", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"274\";lumdolor 1.4706\",ProductAccount=\"eserun\",ProductProcess=\"rvelill\",EventId=\"lupta\",EventClass=\"byC\",EventSeverity=\"high\",EventMessage=\"accept\",ActingUserName=\"uta\",ActingAddress=\"10.197.203.167\",ActionSourceUser=\"ulapa\",ActionTargetUser=\"iumdo\",ActionObject=\"iusmodit\",ActionSafe=\"aturv\",ActionLocation=\"ectetura\",ActionCategory=\"obeataev\",ActionRequestId=\"umf\",ActionReason=\"olesti\",ActionExtraDetails=\"smo\"", + "file.directory": "ectetura", + "file.name": "iusmodit", + "fileset.name": "corepas", + "host.ip": "10.197.203.167", + "input.type": "log", + "log.level": "high", + "log.offset": 32636, + "observer.product": "lumdolor", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4706", + "related.ip": [ + "10.197.203.167" + ], + "related.user": [ + "eserun", + "iumdo", + "uta" + ], + "rsa.db.index": "smo", + "rsa.internal.event_desc": "olesti", + "rsa.internal.messageid": "274", + "rsa.misc.action": 
[ + "accept" + ], + "rsa.misc.category": "obeataev", + "rsa.misc.group_object": "aturv", + "rsa.misc.reference_id": "lupta", + "rsa.misc.reference_id1": "umf", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.4706", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "uta" + }, + { + "event.action": "accept", + "event.code": "tten", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "tDuis 2018-10-11 12:07:23.672538723 +0000 UTC iqu1643.www.host %CYBERARK: MessageID=\"96\";inim 1.6806\",ProductAccount=\"ibusBo\",ProductProcess=\"untincu\",EventId=\"tten\",EventClass=\"etur\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"enima\",ActingAddress=\"10.187.170.23\",ActionSourceUser=\"sequ\",ActionTargetUser=\"sectetu\",ActionObject=\"evi\",ActionSafe=\"tionula\",ActionLocation=\"accus\",ActionCategory=\"uatu\",ActionRequestId=\"mquis\",ActionReason=\"lab\",ActionExtraDetails=\"uido\"", + "file.directory": "accus", + "file.name": "evi", + "fileset.name": "corepas", + "host.ip": "10.187.170.23", + "input.type": "log", + "log.level": "low", + "log.offset": 33071, + "observer.product": "inim", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6806", + "related.ip": [ + "10.187.170.23" + ], + "related.user": [ + "enima", + "ibusBo", + "sectetu" + ], + "rsa.db.index": "uido", + "rsa.internal.event_desc": "lab", + "rsa.internal.messageid": "96", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "uatu", + "rsa.misc.group_object": "tionula", + "rsa.misc.reference_id": "tten", + "rsa.misc.reference_id1": "mquis", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.6806", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "enima" + }, + { + "destination.address": "udexerc2708.api.test", + "destination.port": 505, + "event.action": "allow", + "event.code": "61", + 
"event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2018-10-25 19:09:57.932538723 +0000 UTC nimadmin5577.corp %CYBERARK: MessageID=\"61\";Version=1.3824;Message=allow;Issuer=tinculpa;Station=10.123.62.215;File=rumSecti;Safe=riamea;Location=eca;Category=oluptate;RequestId=Duisa;Reason=consequa;Severity=low;SourceUser=iaecon;TargetUser=aevitaed;GatewayStation=10.250.248.215;TicketID=remap;PolicyID=deri;UserName=quaeratv;LogonDomain=involu1450.www.localhost;Address=udexerc2708.api.test;CPMStatus=odic;Port=505;Database=lica;DeviceType=secil;ExtraDetails=uisnos;", + "file.directory": "eca", + "file.name": "rumSecti", + "fileset.name": "corepas", + "group.name": "iaecon", + "host.ip": "10.123.62.215", + "input.type": "log", + "log.level": "low", + "log.offset": 33555, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3824", + "related.hosts": [ + "involu1450.www.localhost", + "udexerc2708.api.test" + ], + "related.ip": [ + "10.123.62.215", + "10.250.248.215" + ], + "related.user": [ + "aevitaed", + "quaeratv", + "tinculpa" + ], + "rsa.db.database": "lica", + "rsa.db.index": "uisnos", + "rsa.internal.event_desc": "consequa", + "rsa.internal.messageid": "61", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "oluptate", + "rsa.misc.disposition": "odic", + "rsa.misc.group": "iaecon", + "rsa.misc.group_object": "riamea", + "rsa.misc.obj_type": "secil", + "rsa.misc.operation_id": "remap", + "rsa.misc.policy_name": "deri", + "rsa.misc.reference_id": "61", + "rsa.misc.reference_id1": "Duisa", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3824", + "rsa.network.domain": "involu1450.www.localhost", + "rsa.network.host_dst": "udexerc2708.api.test", + "server.domain": "involu1450.www.localhost", + "server.registered_domain": "www.localhost", + "server.subdomain": "involu1450", + "server.top_level_domain": "localhost", + "service.type": "cyberark", + "source.ip": 
[ + "10.250.248.215" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tinculpa" + }, + { + "destination.address": "temvele5776.www.test", + "destination.port": 864, + "event.action": "block", + "event.code": "372", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "scipit 2018-11-09 02:12:32.192538723 +0000 UTC lloinve551.internal.local %CYBERARK: MessageID=\"372\";Version=1.3759;Message=block;Issuer=isiutali;Station=10.146.57.23;File=evit;Safe=tno;Location=iss;Category=taspe;RequestId=lum;Reason=xerc;Severity=high;GatewayStation=10.147.154.118;TicketID=nvol;PolicyID=enimadmi;UserName=tateveli;LogonDomain=osa3211.www5.example;Address=temvele5776.www.test;CPMStatus=inimve;Port=\"864\";Database=cin;DeviceType=tmo;ExtraDetails=onofdeF;", + "file.directory": "iss", + "file.name": "evit", + "fileset.name": "corepas", + "host.ip": "10.146.57.23", + "input.type": "log", + "log.level": "high", + "log.offset": 34065, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3759", + "related.hosts": [ + "osa3211.www5.example", + "temvele5776.www.test" + ], + "related.ip": [ + "10.146.57.23", + "10.147.154.118" + ], + "related.user": [ + "isiutali", + "tateveli" + ], + "rsa.db.database": "cin", + "rsa.db.index": "onofdeF", + "rsa.internal.event_desc": "xerc", + "rsa.internal.messageid": "372", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "taspe", + "rsa.misc.disposition": "inimve", + "rsa.misc.group_object": "tno", + "rsa.misc.obj_type": "tmo", + "rsa.misc.operation_id": "nvol", + "rsa.misc.policy_name": "enimadmi", + "rsa.misc.reference_id": "372", + "rsa.misc.reference_id1": "lum", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.3759", + "rsa.network.domain": "osa3211.www5.example", + "rsa.network.host_dst": "temvele5776.www.test", + "server.domain": "osa3211.www5.example", + "server.registered_domain": "www5.example", + 
"server.subdomain": "osa3211", + "server.top_level_domain": "example", + "service.type": "cyberark", + "source.ip": [ + "10.147.154.118" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "isiutali" + }, + { + "event.action": "cancel", + "event.code": "tlabo", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "its 2018-11-23 09:15:06.452538723 +0000 UTC uptasnul2751.www5.corp %CYBERARK: MessageID=\"232\";ostrudex 1.4542\",ProductAccount=\"niamqui\",ProductProcess=\"usmodite\",EventId=\"tlabo\",EventClass=\"tatemse\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"uamestqu\",ActingAddress=\"10.193.33.201\",ActionSourceUser=\"hender\",ActionTargetUser=\"ptatemU\",ActionObject=\"seq\",ActionSafe=\"rumSe\",ActionLocation=\"tatnonp\",ActionCategory=\"ommo\",ActionRequestId=\"adeser\",ActionReason=\"uasiarc\",ActionExtraDetails=\"doeiu\"", + "file.directory": "tatnonp", + "file.name": "seq", + "fileset.name": "corepas", + "host.ip": "10.193.33.201", + "input.type": "log", + "log.level": "very-high", + "log.offset": 34538, + "observer.product": "ostrudex", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4542", + "related.ip": [ + "10.193.33.201" + ], + "related.user": [ + "niamqui", + "ptatemU", + "uamestqu" + ], + "rsa.db.index": "doeiu", + "rsa.internal.event_desc": "uasiarc", + "rsa.internal.messageid": "232", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "ommo", + "rsa.misc.group_object": "rumSe", + "rsa.misc.reference_id": "tlabo", + "rsa.misc.reference_id1": "adeser", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.4542", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "uamestqu" + }, + { + "event.action": "block", + "event.code": "iuntN", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2018-12-07 16:17:40.712538723 +0000 UTC 
atuserro6791.internal.host %CYBERARK: MessageID=\"24\";upta 1.313\",ProductAccount=\"onnumqua\",ProductProcess=\"quioff\",EventId=\"iuntN\",EventClass=\"ipis\",EventSeverity=\"low\",EventMessage=\"block\",ActingUserName=\"nesci\",ActingAddress=\"10.154.172.82\",ActionSourceUser=\"lorsi\",ActionTargetUser=\"tetura\",ActionObject=\"eeufug\",ActionSafe=\"edutper\",ActionLocation=\"tevelite\",ActionCategory=\"tocca\",ActionRequestId=\"orsitvol\",ActionReason=\"ntor\",ActionExtraDetails=\"oinBCSed\"", + "file.directory": "tevelite", + "file.name": "eeufug", + "fileset.name": "corepas", + "host.ip": "10.154.172.82", + "input.type": "log", + "log.level": "low", + "log.offset": 35054, + "observer.product": "upta", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.313", + "related.ip": [ + "10.154.172.82" + ], + "related.user": [ + "nesci", + "onnumqua", + "tetura" + ], + "rsa.db.index": "oinBCSed", + "rsa.internal.event_desc": "ntor", + "rsa.internal.messageid": "24", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "tocca", + "rsa.misc.group_object": "edutper", + "rsa.misc.reference_id": "iuntN", + "rsa.misc.reference_id1": "orsitvol", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.313", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "nesci" + }, + { + "event.action": "allow", + "event.code": "avolu", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"79\";obeatae 1.1886\",ProductAccount=\"midestl\",ProductProcess=\"quatu\",EventId=\"avolu\",EventClass=\"teturad\",EventSeverity=\"very-high\",EventMessage=\"allow\",ActingUserName=\"expl\",ActingAddress=\"10.47.63.70\",ActionSourceUser=\"lup\",ActionTargetUser=\"tpers\",ActionObject=\"orsitv\",ActionSafe=\"temseq\",ActionLocation=\"uisaute\",ActionCategory=\"uun\",ActionRequestId=\"end\",ActionReason=\"odocons\",ActionExtraDetails=\"olu\"", + 
"file.directory": "uisaute", + "file.name": "orsitv", + "fileset.name": "corepas", + "host.ip": "10.47.63.70", + "input.type": "log", + "log.level": "very-high", + "log.offset": 35557, + "observer.product": "obeatae", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1886", + "related.ip": [ + "10.47.63.70" + ], + "related.user": [ + "expl", + "midestl", + "tpers" + ], + "rsa.db.index": "olu", + "rsa.internal.event_desc": "odocons", + "rsa.internal.messageid": "79", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "uun", + "rsa.misc.group_object": "temseq", + "rsa.misc.reference_id": "avolu", + "rsa.misc.reference_id1": "end", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.1886", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "expl" + }, + { + "event.action": "block", + "event.code": "ectobea", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "January 5 06:22:49 amn %CYBERARK: MessageID=\"312\";itessequ 1.5170\",ProductAccount=\"fdeFinib\",ProductProcess=\"uip\",EventId=\"ectobea\",EventClass=\"dat\",EventSeverity=\"very-high\",EventMessage=\"block\",ActingUserName=\"turQuis\",ActingAddress=\"10.178.160.245\",ActionSourceUser=\"deomnisi\",ActionTargetUser=\"olupta\",ActionObject=\"oll\",ActionSafe=\"laboree\",ActionLocation=\"udantiu\",ActionCategory=\"itametco\",ActionRequestId=\"iav\",ActionReason=\"odico\",ActionExtraDetails=\"rsint\"", + "file.directory": "udantiu", + "file.name": "oll", + "fileset.name": "corepas", + "host.ip": "10.178.160.245", + "input.type": "log", + "log.level": "very-high", + "log.offset": 35987, + "observer.product": "itessequ", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5170", + "related.ip": [ + "10.178.160.245" + ], + "related.user": [ + "fdeFinib", + "olupta", + "turQuis" + ], + "rsa.db.index": "rsint", + "rsa.internal.event_desc": 
"odico", + "rsa.internal.messageid": "312", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "itametco", + "rsa.misc.group_object": "laboree", + "rsa.misc.reference_id": "ectobea", + "rsa.misc.reference_id1": "iav", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.5170", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "turQuis" + }, + { + "destination.address": "teursint1321.www5.example", + "destination.port": 7024, + "event.action": "block", + "event.code": "77", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "January 19 13:25:23 quiav %CYBERARK: MessageID=\"77\";Version=1.6648;Message=block;Issuer=Nem;Station=10.85.13.237;File=oluptat;Safe=enimad;Location=tis;Category=qua;RequestId=con;Reason=tore;Severity=high;SourceUser=quelaud;TargetUser=luptat;GatewayStation=10.89.154.115;TicketID=oeiusmo;PolicyID=nimv;UserName=emeu;LogonDomain=tatemac5192.www5.test;Address=teursint1321.www5.example;CPMStatus=lamcolab;Port=7024;Database=nturmag;DeviceType=uredol;ExtraDetails=maliqua;", + "file.directory": "tis", + "file.name": "oluptat", + "fileset.name": "corepas", + "group.name": "quelaud", + "host.ip": "10.85.13.237", + "input.type": "log", + "log.level": "high", + "log.offset": 36454, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6648", + "related.hosts": [ + "tatemac5192.www5.test", + "teursint1321.www5.example" + ], + "related.ip": [ + "10.85.13.237", + "10.89.154.115" + ], + "related.user": [ + "Nem", + "emeu", + "luptat" + ], + "rsa.db.database": "nturmag", + "rsa.db.index": "maliqua", + "rsa.internal.event_desc": "tore", + "rsa.internal.messageid": "77", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "qua", + "rsa.misc.disposition": "lamcolab", + "rsa.misc.group": "quelaud", + "rsa.misc.group_object": "enimad", + "rsa.misc.obj_type": "uredol", + 
"rsa.misc.operation_id": "oeiusmo", + "rsa.misc.policy_name": "nimv", + "rsa.misc.reference_id": "77", + "rsa.misc.reference_id1": "con", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.6648", + "rsa.network.domain": "tatemac5192.www5.test", + "rsa.network.host_dst": "teursint1321.www5.example", + "server.domain": "tatemac5192.www5.test", + "server.registered_domain": "www5.test", + "server.subdomain": "tatemac5192", + "server.top_level_domain": "test", + "service.type": "cyberark", + "source.ip": [ + "10.89.154.115" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "Nem" + }, + { + "destination.address": "boreet2051.internal.localdomain", + "destination.port": 1644, + "event.action": "allow", + "event.code": "308", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2019-02-02 20:27:57.752538723 +0000 UTC omnisi5530.mail.example %CYBERARK: MessageID=\"308\";Version=1.3387;Message=allow;Issuer=itame;Station=10.222.32.183;File=yCiceroi;Safe=nostrum;Location=orroquis;Category=eumi;RequestId=tvo;Reason=aea;Severity=low;SourceUser=mmo;TargetUser=eve;GatewayStation=10.65.207.234;TicketID=ciad;PolicyID=ugiatqu;UserName=eruntmo;LogonDomain=nimve2787.mail.test;Address=boreet2051.internal.localdomain;CPMStatus=iavo;Port=1644;Database=udexerc;DeviceType=ovolupta;ExtraDetails=volup;", + "file.directory": "orroquis", + "file.name": "yCiceroi", + "fileset.name": "corepas", + "group.name": "mmo", + "host.ip": "10.222.32.183", + "input.type": "log", + "log.level": "low", + "log.offset": 36923, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3387", + "related.hosts": [ + "boreet2051.internal.localdomain", + "nimve2787.mail.test" + ], + "related.ip": [ + "10.222.32.183", + "10.65.207.234" + ], + "related.user": [ + "eruntmo", + "eve", + "itame" + ], + "rsa.db.database": "udexerc", + "rsa.db.index": "volup", + "rsa.internal.event_desc": "aea", + 
"rsa.internal.messageid": "308", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "eumi", + "rsa.misc.disposition": "iavo", + "rsa.misc.group": "mmo", + "rsa.misc.group_object": "nostrum", + "rsa.misc.obj_type": "ovolupta", + "rsa.misc.operation_id": "ciad", + "rsa.misc.policy_name": "ugiatqu", + "rsa.misc.reference_id": "308", + "rsa.misc.reference_id1": "tvo", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3387", + "rsa.network.domain": "nimve2787.mail.test", + "rsa.network.host_dst": "boreet2051.internal.localdomain", + "server.domain": "nimve2787.mail.test", + "server.registered_domain": "mail.test", + "server.subdomain": "nimve2787", + "server.top_level_domain": "test", + "service.type": "cyberark", + "source.ip": [ + "10.65.207.234" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "itame" + }, + { + "event.action": "cancel", + "event.code": "edqu", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "rro 2019-02-17 03:30:32.012538723 +0000 UTC tuser6944.local %CYBERARK: MessageID=\"54\";iarchite 1.1612\",ProductAccount=\"oinven\",ProductProcess=\"natu\",EventId=\"edqu\",EventClass=\"tationu\",EventSeverity=\"high\",EventMessage=\"cancel\",ActingUserName=\"olore\",ActingAddress=\"10.16.181.60\",ActionSourceUser=\"ameaquei\",ActionTargetUser=\"gnama\",ActionObject=\"esciun\",ActionSafe=\"tesse\",ActionLocation=\"olupta\",ActionCategory=\"isno\",ActionRequestId=\"oluptas\",ActionReason=\"nderiti\",ActionExtraDetails=\"uatu\"", + "file.directory": "olupta", + "file.name": "esciun", + "fileset.name": "corepas", + "host.ip": "10.16.181.60", + "input.type": "log", + "log.level": "high", + "log.offset": 37436, + "observer.product": "iarchite", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1612", + "related.ip": [ + "10.16.181.60" + ], + "related.user": [ + "gnama", + "oinven", + "olore" + ], + "rsa.db.index": "uatu", + "rsa.internal.event_desc": 
"nderiti", + "rsa.internal.messageid": "54", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "isno", + "rsa.misc.group_object": "tesse", + "rsa.misc.reference_id": "edqu", + "rsa.misc.reference_id1": "oluptas", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.1612", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "olore" + }, + { + "event.action": "deny", + "event.code": "onse", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "orem 2019-03-03 10:33:06.272538723 +0000 UTC giatqu1484.internal.corp %CYBERARK: MessageID=\"208\";oreseosq 1.2275\",ProductAccount=\"uianon\",ProductProcess=\"nul\",EventId=\"onse\",EventClass=\"sitam\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"illoin\",ActingAddress=\"10.91.213.82\",ActionSourceUser=\"uid\",ActionTargetUser=\"amnis\",ActionObject=\"rvelil\",ActionSafe=\"adese\",ActionLocation=\"olorsi\",ActionCategory=\"caboNemo\",ActionRequestId=\"uptas\",ActionReason=\"temaccus\",ActionExtraDetails=\"ons\"", + "file.directory": "olorsi", + "file.name": "rvelil", + "fileset.name": "corepas", + "host.ip": "10.91.213.82", + "input.type": "log", + "log.level": "very-high", + "log.offset": 37931, + "observer.product": "oreseosq", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2275", + "related.ip": [ + "10.91.213.82" + ], + "related.user": [ + "amnis", + "illoin", + "uianon" + ], + "rsa.db.index": "ons", + "rsa.internal.event_desc": "temaccus", + "rsa.internal.messageid": "208", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "caboNemo", + "rsa.misc.group_object": "adese", + "rsa.misc.reference_id": "onse", + "rsa.misc.reference_id1": "uptas", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.2275", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "illoin" + }, + { + "event.action": "allow", + 
"event.code": "iaeconse", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2019-03-17 17:35:40.532538723 +0000 UTC oreeu3666.invalid %CYBERARK: MessageID=\"48\";tis 1.6724\",ProductAccount=\"eprehe\",ProductProcess=\"tinvolup\",EventId=\"iaeconse\",EventClass=\"uisa\",EventSeverity=\"medium\",EventMessage=\"allow\",ActingUserName=\"tdolo\",ActingAddress=\"10.204.214.98\",ActionSourceUser=\"iumt\",ActionTargetUser=\"porissus\",ActionObject=\"imip\",ActionSafe=\"tsunt\",ActionLocation=\"rnat\",ActionCategory=\"oremi\",ActionRequestId=\"ectobeat\",ActionReason=\"ecte\",ActionExtraDetails=\"abo\"", + "file.directory": "rnat", + "file.name": "imip", + "fileset.name": "corepas", + "host.ip": "10.204.214.98", + "input.type": "log", + "log.level": "medium", + "log.offset": 38435, + "observer.product": "tis", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6724", + "related.ip": [ + "10.204.214.98" + ], + "related.user": [ + "eprehe", + "porissus", + "tdolo" + ], + "rsa.db.index": "abo", + "rsa.internal.event_desc": "ecte", + "rsa.internal.messageid": "48", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "oremi", + "rsa.misc.group_object": "tsunt", + "rsa.misc.reference_id": "iaeconse", + "rsa.misc.reference_id1": "ectobeat", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6724", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tdolo" + }, + { + "event.action": "accept", + "event.code": "tium", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"219\";snos 
1.5910\",ProductAccount=\"moenimip\",ProductProcess=\"uames\",EventId=\"tium\",EventClass=\"ianonn\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"etc\",ActingAddress=\"10.223.178.192\",ActionSourceUser=\"atquovol\",ActionTargetUser=\"evel\",ActionObject=\"edol\",ActionSafe=\"sequuntu\",ActionLocation=\"quameius\",ActionCategory=\"litse\",ActionRequestId=\"san\",ActionReason=\"apari\",ActionExtraDetails=\"iarchit\"", + "file.directory": "quameius", + "file.name": "edol", + "fileset.name": "corepas", + "host.ip": "10.223.178.192", + "input.type": "log", + "log.level": "very-high", + "log.offset": 38923, + "observer.product": "snos", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5910", + "related.ip": [ + "10.223.178.192" + ], + "related.user": [ + "etc", + "evel", + "moenimip" + ], + "rsa.db.index": "iarchit", + "rsa.internal.event_desc": "apari", + "rsa.internal.messageid": "219", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "litse", + "rsa.misc.group_object": "sequuntu", + "rsa.misc.reference_id": "tium", + "rsa.misc.reference_id1": "san", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.5910", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "etc" + }, + { + "destination.address": "umto3015.mail.lan", + "destination.port": 4667, + "event.action": "cancel", + "event.code": "183", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2019-04-15 07:40:49.052538723 +0000 UTC nsequat6724.www.invalid %CYBERARK: 
MessageID=\"183\";Version=1.801;Message=cancel;Issuer=ati;Station=10.26.137.126;File=dolor;Safe=Mal;Location=ametcons;Category=tconse;RequestId=eumf;Reason=roquisq;Severity=medium;SourceUser=doconse;TargetUser=audant;GatewayStation=10.26.33.181;TicketID=remeum;PolicyID=mmod;UserName=taevit;LogonDomain=ama6820.mail.example;Address=umto3015.mail.lan;CPMStatus=sitv;Port=4667;Database=com;DeviceType=rep;ExtraDetails=mveni;", + "file.directory": "ametcons", + "file.name": "dolor", + "fileset.name": "corepas", + "group.name": "doconse", + "host.ip": "10.26.137.126", + "input.type": "log", + "log.level": "medium", + "log.offset": 39362, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.801", + "related.hosts": [ + "ama6820.mail.example", + "umto3015.mail.lan" + ], + "related.ip": [ + "10.26.137.126", + "10.26.33.181" + ], + "related.user": [ + "ati", + "audant", + "taevit" + ], + "rsa.db.database": "com", + "rsa.db.index": "mveni", + "rsa.internal.event_desc": "roquisq", + "rsa.internal.messageid": "183", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "tconse", + "rsa.misc.disposition": "sitv", + "rsa.misc.group": "doconse", + "rsa.misc.group_object": "Mal", + "rsa.misc.obj_type": "rep", + "rsa.misc.operation_id": "remeum", + "rsa.misc.policy_name": "mmod", + "rsa.misc.reference_id": "183", + "rsa.misc.reference_id1": "eumf", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.801", + "rsa.network.domain": "ama6820.mail.example", + "rsa.network.host_dst": "umto3015.mail.lan", + "server.domain": "ama6820.mail.example", + "server.registered_domain": "mail.example", + "server.subdomain": "ama6820", + "server.top_level_domain": "example", + "service.type": "cyberark", + "source.ip": [ + "10.26.33.181" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ati" + }, + { + "destination.address": "etquasia1800.www.host", + "destination.port": 7612, + "event.action": 
"accept", + "event.code": "41", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "April 29 14:43:23 num %CYBERARK: MessageID=\"41\";Version=1.10;Message=accept;Issuer=quaerat;Station=10.148.195.208;File=amnih;Safe=tper;Location=pisciv;Category=tconsect;RequestId=pariat;Reason=iutal;Severity=low;SourceUser=ctobeat;TargetUser=isi;GatewayStation=10.142.161.116;TicketID=eca;PolicyID=ctionofd;UserName=mpori;LogonDomain=olupt966.www5.corp;Address=etquasia1800.www.host;CPMStatus=nimip;Port=7612;Database=squamest;DeviceType=quisn;ExtraDetails=pteu;", + "file.directory": "pisciv", + "file.name": "amnih", + "fileset.name": "corepas", + "group.name": "ctobeat", + "host.ip": "10.148.195.208", + "input.type": "log", + "log.level": "low", + "log.offset": 39858, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.10", + "related.hosts": [ + "etquasia1800.www.host", + "olupt966.www5.corp" + ], + "related.ip": [ + "10.142.161.116", + "10.148.195.208" + ], + "related.user": [ + "isi", + "mpori", + "quaerat" + ], + "rsa.db.database": "squamest", + "rsa.db.index": "pteu", + "rsa.internal.event_desc": "iutal", + "rsa.internal.messageid": "41", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "tconsect", + "rsa.misc.disposition": "nimip", + "rsa.misc.group": "ctobeat", + "rsa.misc.group_object": "tper", + "rsa.misc.obj_type": "quisn", + "rsa.misc.operation_id": "eca", + "rsa.misc.policy_name": "ctionofd", + "rsa.misc.reference_id": "41", + "rsa.misc.reference_id1": "pariat", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.10", + "rsa.network.domain": "olupt966.www5.corp", + "rsa.network.host_dst": "etquasia1800.www.host", + "server.domain": "olupt966.www5.corp", + "server.registered_domain": "www5.corp", + "server.subdomain": "olupt966", + "server.top_level_domain": "corp", + "service.type": "cyberark", + "source.ip": [ + "10.142.161.116" + ], + "tags": [ + 
"cyberark.corepas", + "forwarded" + ], + "user.name": "quaerat" + }, + { + "destination.address": "quisquam2153.mail.host", + "destination.port": 2717, + "event.action": "block", + "event.code": "270", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "velillum 2019-05-13 21:45:57.572538723 +0000 UTC ntNequ7639.internal.localdomain %CYBERARK: MessageID=\"270\";Version=1.1026;Message=block;Issuer=itinvo;Station=10.107.24.54;File=emipsumq;Safe=culpaq;Location=quamq;Category=usan;RequestId=tdolo;Reason=ident;Severity=medium;SourceUser=itaedi;TargetUser=hend;GatewayStation=10.10.174.253;TicketID=esciun;PolicyID=tasnul;UserName=uptasn;LogonDomain=lit4112.www.localhost;Address=quisquam2153.mail.host;CPMStatus=dit;Port=2717;Database=lup;DeviceType=aeca;ExtraDetails=isau;", + "file.directory": "quamq", + "file.name": "emipsumq", + "fileset.name": "corepas", + "group.name": "itaedi", + "host.ip": "10.107.24.54", + "input.type": "log", + "log.level": "medium", + "log.offset": 40321, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1026", + "related.hosts": [ + "lit4112.www.localhost", + "quisquam2153.mail.host" + ], + "related.ip": [ + "10.10.174.253", + "10.107.24.54" + ], + "related.user": [ + "hend", + "itinvo", + "uptasn" + ], + "rsa.db.database": "lup", + "rsa.db.index": "isau", + "rsa.internal.event_desc": "ident", + "rsa.internal.messageid": "270", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "usan", + "rsa.misc.disposition": "dit", + "rsa.misc.group": "itaedi", + "rsa.misc.group_object": "culpaq", + "rsa.misc.obj_type": "aeca", + "rsa.misc.operation_id": "esciun", + "rsa.misc.policy_name": "tasnul", + "rsa.misc.reference_id": "270", + "rsa.misc.reference_id1": "tdolo", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.1026", + "rsa.network.domain": "lit4112.www.localhost", + "rsa.network.host_dst": "quisquam2153.mail.host", + 
"server.domain": "lit4112.www.localhost", + "server.registered_domain": "www.localhost", + "server.subdomain": "lit4112", + "server.top_level_domain": "localhost", + "service.type": "cyberark", + "source.ip": [ + "10.10.174.253" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "itinvo" + }, + { + "event.action": "deny", + "event.code": "iades", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "May 28 04:48:31 boreetd %CYBERARK: MessageID=\"309\";tNe 1.2566\",ProductAccount=\"eeufug\",ProductProcess=\"ntin\",EventId=\"iades\",EventClass=\"radipis\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"luptate\",ActingAddress=\"10.87.92.17\",ActionSourceUser=\"utlabore\",ActionTargetUser=\"tamr\",ActionObject=\"serr\",ActionSafe=\"usci\",ActionLocation=\"unturmag\",ActionCategory=\"dexeaco\",ActionRequestId=\"lupta\",ActionReason=\"ura\",ActionExtraDetails=\"oreeufug\"", + "event.outcome": "failure", + "file.directory": "unturmag", + "file.name": "serr", + "fileset.name": "corepas", + "host.ip": "10.87.92.17", + "input.type": "log", + "log.level": "very-high", + "log.offset": 40841, + "observer.product": "tNe", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2566", + "related.ip": [ + "10.87.92.17" + ], + "related.user": [ + "eeufug", + "luptate", + "tamr" + ], + "rsa.db.index": "oreeufug", + "rsa.internal.event_desc": "ura", + "rsa.internal.messageid": "309", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "dexeaco", + "rsa.misc.group_object": "usci", + "rsa.misc.reference_id": "iades", + "rsa.misc.reference_id1": "lupta", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.2566", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + 
"forwarded" + ], + "user.name": "luptate" + }, + { + "destination.address": "secte1774.localhost", + "destination.port": 5200, + "event.action": "deny", + "event.code": "295", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "June 11 11:51:06 dolo %CYBERARK: MessageID=\"295\";Version=1.5649;Message=deny;Issuer=Finibus;Station=10.161.51.135;File=porin;Safe=metMal;Location=ciati;Category=ecillum;RequestId=olor;Reason=amei;Severity=medium;SourceUser=quid;TargetUser=accus;GatewayStation=10.231.51.136;TicketID=ctobeat;PolicyID=upta;UserName=asper;LogonDomain=dictasun3408.internal.invalid;Address=secte1774.localhost;CPMStatus=iqui;Port=5200;Database=litani;DeviceType=emp;ExtraDetails=arch;", + "file.directory": "ciati", + "file.name": "porin", + "fileset.name": "corepas", + "group.name": "quid", + "host.ip": "10.161.51.135", + "input.type": "log", + "log.level": "medium", + "log.offset": 41300, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5649", + "related.hosts": [ + "dictasun3408.internal.invalid", + "secte1774.localhost" + ], + "related.ip": [ + "10.161.51.135", + "10.231.51.136" + ], + "related.user": [ + "Finibus", + "accus", + "asper" + ], + "rsa.db.database": "litani", + "rsa.db.index": "arch", + "rsa.internal.event_desc": "amei", + "rsa.internal.messageid": "295", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "ecillum", + "rsa.misc.disposition": "iqui", + "rsa.misc.group": "quid", + "rsa.misc.group_object": "metMal", + "rsa.misc.obj_type": "emp", + "rsa.misc.operation_id": "ctobeat", + "rsa.misc.policy_name": "upta", + "rsa.misc.reference_id": "295", + "rsa.misc.reference_id1": "olor", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5649", + "rsa.network.domain": "dictasun3408.internal.invalid", + "rsa.network.host_dst": "secte1774.localhost", + "server.domain": "dictasun3408.internal.invalid", + "server.registered_domain": 
"internal.invalid", + "server.subdomain": "dictasun3408", + "server.top_level_domain": "invalid", + "service.type": "cyberark", + "source.ip": [ + "10.231.51.136" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "Finibus" + }, + { + "event.action": "allow", + "event.code": "cia", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "June 25 18:53:40 dipisciv %CYBERARK: MessageID=\"148\";uam 1.2575\",ProductAccount=\"llum\",ProductProcess=\"mwr\",EventId=\"cia\",EventClass=\"idolo\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"mquido\",ActingAddress=\"10.51.17.32\",ActionSourceUser=\"ree\",ActionTargetUser=\"itten\",ActionObject=\"quipexea\",ActionSafe=\"orsitv\",ActionLocation=\"dunt\",ActionCategory=\"int\",ActionRequestId=\"ionevo\",ActionReason=\"llitani\",ActionExtraDetails=\"uscipit\"", + "file.directory": "dunt", + "file.name": "quipexea", + "fileset.name": "corepas", + "host.ip": "10.51.17.32", + "input.type": "log", + "log.level": "low", + "log.offset": 41765, + "observer.product": "uam", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2575", + "related.ip": [ + "10.51.17.32" + ], + "related.user": [ + "itten", + "llum", + "mquido" + ], + "rsa.db.index": "uscipit", + "rsa.internal.event_desc": "llitani", + "rsa.internal.messageid": "148", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "int", + "rsa.misc.group_object": "orsitv", + "rsa.misc.reference_id": "cia", + "rsa.misc.reference_id1": "ionevo", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.2575", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "mquido" + }, + { + "event.action": "deny", + "event.code": "mquisno", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "etco 2019-07-10 01:56:14.612538723 +0000 UTC iuntN4077.www.invalid %CYBERARK: MessageID=\"260\";isnostru 
1.270\",ProductAccount=\"mmodicon\",ProductProcess=\"eetdo\",EventId=\"mquisno\",EventClass=\"atvolup\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"ollita\",ActingAddress=\"10.108.123.148\",ActionSourceUser=\"cto\",ActionTargetUser=\"cusa\",ActionObject=\"nderi\",ActionSafe=\"tem\",ActionLocation=\"tcu\",ActionCategory=\"eumiu\",ActionRequestId=\"nim\",ActionReason=\"pteurs\",ActionExtraDetails=\"ercitati\"", + "file.directory": "tcu", + "file.name": "nderi", + "fileset.name": "corepas", + "host.ip": "10.108.123.148", + "input.type": "log", + "log.level": "medium", + "log.offset": 42211, + "observer.product": "isnostru", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.270", + "related.ip": [ + "10.108.123.148" + ], + "related.user": [ + "cusa", + "mmodicon", + "ollita" + ], + "rsa.db.index": "ercitati", + "rsa.internal.event_desc": "pteurs", + "rsa.internal.messageid": "260", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "eumiu", + "rsa.misc.group_object": "tem", + "rsa.misc.reference_id": "mquisno", + "rsa.misc.reference_id1": "nim", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.270", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ollita" + }, + { + "destination.address": "uido2773.www5.test", + "destination.port": 3820, + "event.action": "accept", + "event.code": "8", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "July 24 08:58:48 eturadip %CYBERARK: MessageID=\"8\";Version=1.425;Message=accept;Issuer=rsitamet;Station=10.114.0.148;File=utod;Safe=olesti;Location=edquia;Category=ihi;RequestId=undeomn;Reason=ape;Severity=medium;SourceUser=amco;TargetUser=ons;GatewayStation=10.198.187.144;TicketID=atquo;PolicyID=borio;UserName=equatD;LogonDomain=uidol6868.mail.localdomain;Address=uido2773.www5.test;CPMStatus=acons;Port=3820;Database=periam;DeviceType=ain;ExtraDetails=umiurer;", + 
"event.outcome": "success", + "file.directory": "edquia", + "file.name": "utod", + "fileset.name": "corepas", + "group.name": "amco", + "host.ip": "10.114.0.148", + "input.type": "log", + "log.level": "medium", + "log.offset": 42710, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.425", + "related.hosts": [ + "uido2773.www5.test", + "uidol6868.mail.localdomain" + ], + "related.ip": [ + "10.114.0.148", + "10.198.187.144" + ], + "related.user": [ + "equatD", + "ons", + "rsitamet" + ], + "rsa.db.database": "periam", + "rsa.db.index": "umiurer", + "rsa.internal.event_desc": "ape", + "rsa.internal.messageid": "8", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "ihi", + "rsa.misc.disposition": "acons", + "rsa.misc.group": "amco", + "rsa.misc.group_object": "olesti", + "rsa.misc.obj_type": "ain", + "rsa.misc.operation_id": "atquo", + "rsa.misc.policy_name": "borio", + "rsa.misc.reference_id": "8", + "rsa.misc.reference_id1": "undeomn", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.425", + "rsa.network.domain": "uidol6868.mail.localdomain", + "rsa.network.host_dst": "uido2773.www5.test", + "server.domain": "uidol6868.mail.localdomain", + "server.registered_domain": "mail.localdomain", + "server.subdomain": "uidol6868", + "server.top_level_domain": "localdomain", + "service.type": "cyberark", + "source.ip": [ + "10.198.187.144" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "rsitamet" + }, + { + "event.action": "allow", + "event.code": "litess", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "onorume 2019-08-07 16:01:23.132538723 +0000 UTC abill5290.lan %CYBERARK: MessageID=\"89\";mini 
1.7224\",ProductAccount=\"loru\",ProductProcess=\"iadeser\",EventId=\"litess\",EventClass=\"qui\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"equa\",ActingAddress=\"10.61.140.120\",ActionSourceUser=\"olorsit\",ActionTargetUser=\"naaliq\",ActionObject=\"plica\",ActionSafe=\"asiarc\",ActionLocation=\"lor\",ActionCategory=\"nvolupt\",ActionRequestId=\"dquia\",ActionReason=\"ora\",ActionExtraDetails=\"umfugiat\"", + "file.directory": "lor", + "file.name": "plica", + "fileset.name": "corepas", + "host.ip": "10.61.140.120", + "input.type": "log", + "log.level": "low", + "log.offset": 43175, + "observer.product": "mini", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7224", + "related.ip": [ + "10.61.140.120" + ], + "related.user": [ + "equa", + "loru", + "naaliq" + ], + "rsa.db.index": "umfugiat", + "rsa.internal.event_desc": "ora", + "rsa.internal.messageid": "89", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "nvolupt", + "rsa.misc.group_object": "asiarc", + "rsa.misc.reference_id": "litess", + "rsa.misc.reference_id1": "dquia", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7224", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "equa" + }, + { + "destination.address": "quame1852.www.test", + "destination.port": 4512, + "event.action": "deny", + "event.code": "36", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"36\";Version=1.6988;Message=deny;Issuer=ite;Station=10.93.24.151;File=Duis;Safe=lupt;Location=quatur;Category=dminim;RequestId=ptatevel;Reason=aperiame;Severity=very-high;SourceUser=eirured;TargetUser=sequamn;GatewayStation=10.149.238.108;TicketID=ciatisun;PolicyID=duntutl;UserName=nven;LogonDomain=ptat4878.lan;Address=quame1852.www.test;CPMStatus=deomni;Port=4512;Database=fugi;DeviceType=nse;ExtraDetails=nesciu;", + "file.directory": "quatur", + "file.name": "Duis", + 
"fileset.name": "corepas", + "group.name": "eirured", + "host.ip": "10.93.24.151", + "input.type": "log", + "log.level": "very-high", + "log.offset": 43663, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6988", + "related.hosts": [ + "ptat4878.lan", + "quame1852.www.test" + ], + "related.ip": [ + "10.149.238.108", + "10.93.24.151" + ], + "related.user": [ + "ite", + "nven", + "sequamn" + ], + "rsa.db.database": "fugi", + "rsa.db.index": "nesciu", + "rsa.internal.event_desc": "aperiame", + "rsa.internal.messageid": "36", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "dminim", + "rsa.misc.disposition": "deomni", + "rsa.misc.group": "eirured", + "rsa.misc.group_object": "lupt", + "rsa.misc.obj_type": "nse", + "rsa.misc.operation_id": "ciatisun", + "rsa.misc.policy_name": "duntutl", + "rsa.misc.reference_id": "36", + "rsa.misc.reference_id1": "ptatevel", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.6988", + "rsa.network.domain": "ptat4878.lan", + "rsa.network.host_dst": "quame1852.www.test", + "server.domain": "ptat4878.lan", + "server.registered_domain": "ptat4878.lan", + "server.top_level_domain": "lan", + "service.type": "cyberark", + "source.ip": [ + "10.149.238.108" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ite" + }, + { + "event.action": "accept", + "event.code": "vel", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "September 5 06:06:31 inrepreh %CYBERARK: MessageID=\"39\";rit 
1.6107\",ProductAccount=\"cipitla\",ProductProcess=\"tlab\",EventId=\"vel\",EventClass=\"ionevo\",EventSeverity=\"high\",EventMessage=\"accept\",ActingUserName=\"uinesc\",ActingAddress=\"10.101.45.225\",ActionSourceUser=\"utla\",ActionTargetUser=\"emi\",ActionObject=\"uaerat\",ActionSafe=\"iduntu\",ActionLocation=\"samvol\",ActionCategory=\"equa\",ActionRequestId=\"apari\",ActionReason=\"tsunt\",ActionExtraDetails=\"caecat\"", + "file.directory": "samvol", + "file.name": "uaerat", + "fileset.name": "corepas", + "host.ip": "10.101.45.225", + "input.type": "log", + "log.level": "high", + "log.offset": 44101, + "observer.product": "rit", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6107", + "related.ip": [ + "10.101.45.225" + ], + "related.user": [ + "cipitla", + "emi", + "uinesc" + ], + "rsa.db.index": "caecat", + "rsa.internal.event_desc": "tsunt", + "rsa.internal.messageid": "39", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "equa", + "rsa.misc.group_object": "iduntu", + "rsa.misc.reference_id": "vel", + "rsa.misc.reference_id1": "apari", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.6107", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "uinesc" + }, + { + "event.action": "cancel", + "event.code": "texplica", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "qui 2019-09-19 13:09:05.912538723 +0000 UTC caboN3124.mail.home %CYBERARK: MessageID=\"8\";catcupid 1.3167\",ProductAccount=\"quela\",ProductProcess=\"uamquaer\",EventId=\"texplica\",EventClass=\"enimi\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"ore\",ActingAddress=\"10.2.204.161\",ActionSourceUser=\"iquamqu\",ActionTargetUser=\"eumfugia\",ActionObject=\"reeufugi\",ActionSafe=\"sequines\",ActionLocation=\"minimve\",ActionCategory=\"texplica\",ActionRequestId=\"entorev\",ActionReason=\"quuntur\",ActionExtraDetails=\"olup\"", + 
"event.outcome": "success", + "file.directory": "minimve", + "file.name": "reeufugi", + "fileset.name": "corepas", + "host.ip": "10.2.204.161", + "input.type": "log", + "log.level": "low", + "log.offset": 44555, + "observer.product": "catcupid", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3167", + "related.ip": [ + "10.2.204.161" + ], + "related.user": [ + "eumfugia", + "ore", + "quela" + ], + "rsa.db.index": "olup", + "rsa.internal.event_desc": "quuntur", + "rsa.internal.messageid": "8", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "texplica", + "rsa.misc.group_object": "sequines", + "rsa.misc.reference_id": "texplica", + "rsa.misc.reference_id1": "entorev", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3167", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ore" + }, + { + "event.action": "cancel", + "event.code": "utaliqui", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "les 2019-10-03 20:11:40.172538723 +0000 UTC norumet2571.internal.example %CYBERARK: MessageID=\"89\";temp 1.6971\",ProductAccount=\"aliqu\",ProductProcess=\"sequine\",EventId=\"utaliqui\",EventClass=\"isciv\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"ptatemse\",ActingAddress=\"10.33.112.100\",ActionSourceUser=\"catcup\",ActionTargetUser=\"enimad\",ActionObject=\"magnaali\",ActionSafe=\"velillum\",ActionLocation=\"ionev\",ActionCategory=\"vitaedi\",ActionRequestId=\"rna\",ActionReason=\"cons\",ActionExtraDetails=\"Except\"", + "file.directory": "ionev", + "file.name": "magnaali", + "fileset.name": "corepas", + "host.ip": "10.33.112.100", + "input.type": "log", + "log.level": "very-high", + "log.offset": 45067, + 
"observer.product": "temp", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6971", + "related.ip": [ + "10.33.112.100" + ], + "related.user": [ + "aliqu", + "enimad", + "ptatemse" + ], + "rsa.db.index": "Except", + "rsa.internal.event_desc": "cons", + "rsa.internal.messageid": "89", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "vitaedi", + "rsa.misc.group_object": "velillum", + "rsa.misc.reference_id": "utaliqui", + "rsa.misc.reference_id1": "rna", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.6971", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ptatemse" + }, + { + "destination.address": "lla5407.lan", + "destination.port": 4762, + "event.action": "block", + "event.code": "95", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"95\";Version=1.3175;Message=block;Issuer=neavol;Station=10.94.152.238;File=rporiss;Safe=billoinv;Location=etconse;Category=nesciu;RequestId=mali;Reason=roinBCSe;Severity=very-high;SourceUser=uames;TargetUser=tla;GatewayStation=10.151.110.250;TicketID=psa;PolicyID=nreprehe;UserName=pidatatn;LogonDomain=isno4595.local;Address=lla5407.lan;CPMStatus=upt;Port=4762;Database=itaedict;DeviceType=eroi;ExtraDetails=onemull;", + "file.directory": "etconse", + "file.name": "rporiss", + "fileset.name": "corepas", + "group.name": "uames", + "host.ip": "10.94.152.238", + "input.type": "log", + "log.level": "very-high", + "log.offset": 45585, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3175", + "related.hosts": [ + "isno4595.local", + "lla5407.lan" + ], + "related.ip": [ + "10.151.110.250", + "10.94.152.238" + ], + "related.user": [ + "neavol", + "pidatatn", + "tla" + ], + "rsa.db.database": "itaedict", + "rsa.db.index": "onemull", + "rsa.internal.event_desc": "roinBCSe", + "rsa.internal.messageid": 
"95", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "nesciu", + "rsa.misc.disposition": "upt", + "rsa.misc.group": "uames", + "rsa.misc.group_object": "billoinv", + "rsa.misc.obj_type": "eroi", + "rsa.misc.operation_id": "psa", + "rsa.misc.policy_name": "nreprehe", + "rsa.misc.reference_id": "95", + "rsa.misc.reference_id1": "mali", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3175", + "rsa.network.domain": "isno4595.local", + "rsa.network.host_dst": "lla5407.lan", + "server.domain": "isno4595.local", + "server.registered_domain": "isno4595.local", + "server.top_level_domain": "local", + "service.type": "cyberark", + "source.ip": [ + "10.151.110.250" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "neavol" + }, + { + "destination.address": "iquipexe4708.api.localhost", + "destination.port": 5473, + "event.action": "allow", + "event.code": "179", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "mporain 2019-11-01 10:16:48.692538723 +0000 UTC eratvo7756.localdomain %CYBERARK: MessageID=\"179\";Version=1.4965;Message=allow;Issuer=alorumwr;Station=10.146.61.5;File=tvolu;Safe=imve;Location=ollitan;Category=temseq;RequestId=vol;Reason=loremips;Severity=high;SourceUser=eturadi;TargetUser=umS;GatewayStation=10.77.9.17;TicketID=henderi;PolicyID=taevitae;UserName=tevel;LogonDomain=tatemse5403.home;Address=iquipexe4708.api.localhost;CPMStatus=quuntur;Port=5473;Database=amremap;DeviceType=oremagna;ExtraDetails=aqu;", + "file.directory": "ollitan", + "file.name": "tvolu", + "fileset.name": "corepas", + "group.name": "eturadi", + "host.ip": "10.146.61.5", + "input.type": "log", + "log.level": "high", + "log.offset": 46024, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4965", + "related.hosts": [ + "iquipexe4708.api.localhost", + "tatemse5403.home" + ], + "related.ip": [ + "10.146.61.5", + "10.77.9.17" + ], + 
"related.user": [ + "alorumwr", + "tevel", + "umS" + ], + "rsa.db.database": "amremap", + "rsa.db.index": "aqu", + "rsa.internal.event_desc": "loremips", + "rsa.internal.messageid": "179", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "temseq", + "rsa.misc.disposition": "quuntur", + "rsa.misc.group": "eturadi", + "rsa.misc.group_object": "imve", + "rsa.misc.obj_type": "oremagna", + "rsa.misc.operation_id": "henderi", + "rsa.misc.policy_name": "taevitae", + "rsa.misc.reference_id": "179", + "rsa.misc.reference_id1": "vol", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.4965", + "rsa.network.domain": "tatemse5403.home", + "rsa.network.host_dst": "iquipexe4708.api.localhost", + "server.domain": "tatemse5403.home", + "server.registered_domain": "tatemse5403.home", + "server.top_level_domain": "home", + "service.type": "cyberark", + "source.ip": [ + "10.77.9.17" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "alorumwr" + }, + { + "event.action": "allow", + "event.code": "saute", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"83\";tvolu 1.2244\",ProductAccount=\"ore\",ProductProcess=\"lors\",EventId=\"saute\",EventClass=\"ecillumd\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"sequatu\",ActingAddress=\"10.128.102.130\",ActionSourceUser=\"mdoloree\",ActionTargetUser=\"que\",ActionObject=\"inBCSed\",ActionSafe=\"cteturad\",ActionLocation=\"umq\",ActionCategory=\"ita\",ActionRequestId=\"ipsaquae\",ActionReason=\"olu\",ActionExtraDetails=\"exerci\"", + "file.directory": "umq", + "file.name": "inBCSed", + "fileset.name": "corepas", + "host.ip": "10.128.102.130", + "input.type": "log", + "log.level": "high", + "log.offset": 46542, + "observer.product": "tvolu", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2244", + "related.ip": [ + "10.128.102.130" + ], + "related.user": [ + "ore", + "que", + "sequatu" + 
], + "rsa.db.index": "exerci", + "rsa.internal.event_desc": "olu", + "rsa.internal.messageid": "83", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "ita", + "rsa.misc.group_object": "cteturad", + "rsa.misc.reference_id": "saute", + "rsa.misc.reference_id1": "ipsaquae", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.2244", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "sequatu" + }, + { + "destination.address": "oremip4070.www5.invalid", + "destination.port": 1704, + "event.action": "cancel", + "event.code": "150", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2019-11-30 00:21:57.212538723 +0000 UTC moen6809.internal.example %CYBERARK: MessageID=\"150\";Version=1.7701;Message=cancel;Issuer=reseo;Station=10.31.86.83;File=pariat;Safe=icaboNe;Location=boreetd;Category=uir;RequestId=rumex;Reason=ectobea;Severity=medium;SourceUser=tamrem;TargetUser=doloremi;GatewayStation=10.200.162.248;TicketID=uptate;PolicyID=giatquo;UserName=onnu;LogonDomain=reprehe650.www.corp;Address=oremip4070.www5.invalid;CPMStatus=turad;Port=1704;Database=billo;DeviceType=doloremi;ExtraDetails=ectetura;", + "file.directory": "boreetd", + "file.name": "pariat", + "fileset.name": "corepas", + "group.name": "tamrem", + "host.ip": "10.31.86.83", + "input.type": "log", + "log.level": "medium", + "log.offset": 46973, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7701", + "related.hosts": [ + "oremip4070.www5.invalid", + "reprehe650.www.corp" + ], + "related.ip": [ + "10.200.162.248", + "10.31.86.83" + ], + "related.user": [ + "doloremi", + "onnu", + "reseo" + ], + "rsa.db.database": "billo", + "rsa.db.index": "ectetura", + "rsa.internal.event_desc": "ectobea", + "rsa.internal.messageid": "150", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "uir", + "rsa.misc.disposition": "turad", + "rsa.misc.group": 
"tamrem", + "rsa.misc.group_object": "icaboNe", + "rsa.misc.obj_type": "doloremi", + "rsa.misc.operation_id": "uptate", + "rsa.misc.policy_name": "giatquo", + "rsa.misc.reference_id": "150", + "rsa.misc.reference_id1": "rumex", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.7701", + "rsa.network.domain": "reprehe650.www.corp", + "rsa.network.host_dst": "oremip4070.www5.invalid", + "server.domain": "reprehe650.www.corp", + "server.registered_domain": "www.corp", + "server.subdomain": "reprehe650", + "server.top_level_domain": "corp", + "service.type": "cyberark", + "source.ip": [ + "10.200.162.248" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "reseo" + }, + { + "event.action": "allow", + "event.code": "iatnulap", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"166\";cul 1.3325\",ProductAccount=\"atatn\",ProductProcess=\"ipisc\",EventId=\"iatnulap\",EventClass=\"roi\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"volup\",ActingAddress=\"10.103.215.159\",ActionSourceUser=\"ddoeiusm\",ActionTargetUser=\"apa\",ActionObject=\"archite\",ActionSafe=\"tur\",ActionLocation=\"ddo\",ActionCategory=\"emp\",ActionRequestId=\"inBC\",ActionReason=\"did\",ActionExtraDetails=\"atcupi\"", + "file.directory": "ddo", + "file.name": "archite", + "fileset.name": "corepas", + "host.ip": "10.103.215.159", + "input.type": "log", + "log.level": "high", + "log.offset": 47494, + "observer.product": "cul", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3325", + "related.ip": [ + "10.103.215.159" + ], + "related.user": [ + "apa", + "atatn", + "volup" + ], + "rsa.db.index": "atcupi", + "rsa.internal.event_desc": "did", + "rsa.internal.messageid": "166", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "emp", + "rsa.misc.group_object": "tur", + "rsa.misc.reference_id": "iatnulap", + "rsa.misc.reference_id1": "inBC", + 
"rsa.misc.severity": "high", + "rsa.misc.version": "1.3325", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "volup" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberark/fields.go b/x-pack/filebeat/module/cyberark/fields.go new file mode 100644 index 00000000000..92881453766 --- /dev/null +++ b/x-pack/filebeat/module/cyberark/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package cyberark + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "cyberark", asset.ModuleFieldsPri, AssetCyberark); err != nil { + panic(err) + } +} + +// AssetCyberark returns asset data. +// This is the base64 encoded zlib format compressed contents of module/cyberark. +func AssetCyberark() string { + return "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" +} diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/config.yml b/x-pack/filebeat/module/cyberarkpas/_meta/config.yml index 9b2cc6d0e27..4ebf2db818d 100644 --- a/x-pack/filebeat/module/cyberarkpas/_meta/config.yml +++ b/x-pack/filebeat/module/cyberarkpas/_meta/config.yml @@ -1,6 +1,6 @@ - module: cyberarkpas audit: - enabled: false + enabled: true # Set which input to use between tcp (default), udp, or file. # diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json b/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json index 9ac5720c6aa..406c258f164 100644 --- a/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json 
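Review bot: The cyberarkpas hunk (`@@ -1,6 +1,6 @@`) switches the audit fileset to `enabled: true` while the context line beneath it says the input defaults to tcp, so a configuration generated from this `_meta/config.yml` template now starts a network listener without the operator opting in. If, as the path suggests, this template is what the shipped module configuration is rendered from, the line being removed, `enabled: false`, is the safe default, and the flip also looks unrelated to the OpenMetrics subject of the patch. I would revert this line; if a default-on module is intended, that deserves a separate change with a note on which port the listener binds and why it is acceptable to open it by default.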
+++ b/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json 
@@ -972,402 +972,10 @@ "embeddableConfig": { "attributes": { "description": "", - "layerListJSON": [ - { - "alpha": 1, - "id": "a3734143-d6e1-4551-b0b1-8282a37e151b", - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "id": null, - "isAutoSelect": true, - "type": "EMS_TMS" - }, - "style": { - "type": "TILE" - }, - "type": "VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "id": "2ad8e318-4ef4-4e89-94f2-f37e395c488c", - "joins": [], - "label": "Filebeat index | Source Point", - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "applyGlobalQuery": true, - "applyGlobalTime": true, - "filterByMapBounds": true, - "geoField": "source.geo.location", - "id": "5f2b25a1-01ea-45ca-a4a2-f1a670c3b149", - "indexPatternId": "filebeat-*", - "scalingType": "TOP_HITS", - "sortField": "", - "sortOrder": "desc", - "tooltipProperties": [ - "host.name", - "source.ip", - "source.domain", - "source.geo.country_iso_code", - "source.as.organization.name" - ], - "topHitsSize": 22, - "topHitsSplitField": "source.ip", - "type": "ES_SEARCH" - }, - "style": { - "isTimeAware": true, - "properties": { - "fillColor": { - "options": { - "color": "#6092C0" - }, - "type": "STATIC" - }, - "icon": { - "options": { - "value": "home" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "size": 8 - }, - "type": "STATIC" - }, - "labelBorderColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "labelBorderSize": { - "options": { - "size": "SMALL" - } - }, - "labelColor": { - "options": { - "color": "#000000" - }, - "type": "STATIC" - }, - "labelSize": { - "options": { - "size": 14 - }, - "type": "STATIC" - }, - "labelText": { - "options": { - "value": "" - }, - "type": "STATIC" - }, - "lineColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { - "size": 2 - }, - "type": "STATIC" - }, - "symbolizeAs": 
{ - "options": { - "value": "icon" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - }, - { - "alpha": 0.75, - "id": "dbb878c8-4039-49f1-b2ff-ab7fb942ba55", - "joins": [], - "label": "Filebeat index | Destination point", - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "applyGlobalQuery": true, - "applyGlobalTime": true, - "filterByMapBounds": true, - "geoField": "destination.geo.location", - "id": "bc95f479-964f-4498-be1e-376d34a01b0a", - "indexPatternId": "filebeat-*", - "scalingType": "TOP_HITS", - "sortField": "", - "sortOrder": "desc", - "tooltipProperties": [ - "host.name", - "destination.ip", - "destination.domain", - "destination.geo.country_iso_code", - "destination.as.organization.name" - ], - "topHitsSize": 35, - "topHitsSplitField": "destination.ip", - "type": "ES_SEARCH" - }, - "style": { - "isTimeAware": true, - "properties": { - "fillColor": { - "options": { - "color": "#D36086" - }, - "type": "STATIC" - }, - "icon": { - "options": { - "value": "marker" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "size": 8 - }, - "type": "STATIC" - }, - "labelBorderColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "labelBorderSize": { - "options": { - "size": "SMALL" - } - }, - "labelColor": { - "options": { - "color": "#000000" - }, - "type": "STATIC" - }, - "labelSize": { - "options": { - "size": 14 - }, - "type": "STATIC" - }, - "labelText": { - "options": { - "value": "" - }, - "type": "STATIC" - }, - "lineColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { - "size": 2 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "icon" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - }, - { - "alpha": 0.75, - "id": "9c450fbf-b009-4b53-9810-2f47ca8dcfa8", - "joins": [], - "label": "Filebeat index | Line", 
- "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "applyGlobalQuery": true, - "applyGlobalTime": true, - "destGeoField": "destination.geo.location", - "id": "faf6884d-b7cb-41dd-ab86-95970d7c59d2", - "indexPatternId": "filebeat-*", - "metrics": [ - { - "type": "count" - }, - { - "field": "destination.bytes", - "type": "sum" - } - ], - "sourceGeoField": "source.geo.location", - "type": "ES_PEW_PEW" - }, - "style": { - "isTimeAware": true, - "properties": { - "fillColor": { - "options": { - "color": "#54B399" - }, - "type": "STATIC" - }, - "icon": { - "options": { - "value": "marker" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "size": 6 - }, - "type": "STATIC" - }, - "labelBorderColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "labelBorderSize": { - "options": { - "size": "SMALL" - } - }, - "labelColor": { - "options": { - "color": "#000000" - }, - "type": "STATIC" - }, - "labelSize": { - "options": { - "size": 14 - }, - "type": "STATIC" - }, - "labelText": { - "options": { - "value": "" - }, - "type": "STATIC" - }, - "lineColor": { - "options": { - "color": "#6092C0" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { - "field": { - "name": "doc_count", - "origin": "source" - }, - "fieldMetaOptions": { - "isEnabled": true, - "sigma": 3 - }, - "maxSize": 8, - "minSize": 1 - }, - "type": "DYNAMIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - } - ], - "mapStateJSON": { - "center": { - "lat": 7.87497, - "lon": -49.38072 - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "refreshConfig": { - "interval": 0, - "isPaused": true - }, - "settings": { - "autoFitToDataBounds": false, - "backgroundColor": "#ffffff", - "browserLocation": { - "zoom": 2 - }, - "disableInteractive": false, - "disableTooltipControl": 
false, - "fixedLocation": { - "lat": 0, - "lon": 0, - "zoom": 2 - }, - "hideLayerControl": false, - "hideToolbarOverlay": false, - "hideViewControl": false, - "initialLocation": "LAST_SAVED_LOCATION", - "maxZoom": 24, - "minZoom": 0, - "showScaleControl": false, - "showSpatialFilters": true, - "spatialFiltersAlpa": 0.3, - "spatialFiltersFillColor": "#DA8B45", - "spatialFiltersLineColor": "#DA8B45" - }, - "timeFilters": { - "from": "now-15w", - "to": "now" - }, - "zoom": 1.24 - }, + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"id\":null,\"isAutoSelect\":true},\"id\":\"a3734143-d6e1-4551-b0b1-8282a37e151b\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\"},{\"label\":\"filebeat-* | Source Point\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"geoField\":\"source.geo.location\",\"scalingType\":\"TOP_HITS\",\"topHitsSplitField\":\"source.ip\",\"tooltipProperties\":[\"host.name\",\"source.ip\",\"source.domain\",\"source.geo.country_iso_code\",\"source.as.organization.name\"],\"id\":\"5f2b25a1-01ea-45ca-a4a2-f1a670c3b149\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"filterByMapBounds\":true,\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":22},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"home\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#6092C0\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":8}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"
options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"icon\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"2ad8e318-4ef4-4e89-94f2-f37e395c488c\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]},{\"label\":\"filebeat-* | Destination point\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"geoField\":\"destination.geo.location\",\"scalingType\":\"TOP_HITS\",\"topHitsSplitField\":\"destination.ip\",\"tooltipProperties\":[\"host.name\",\"destination.ip\",\"destination.domain\",\"destination.geo.country_iso_code\",\"destination.as.organization.name\"],\"id\":\"bc95f479-964f-4498-be1e-376d34a01b0a\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"filterByMapBounds\":true,\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":35},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#D36086\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":8}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"icon\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"dbb878c8-4039-49f1-b2ff-ab7fb942ba55\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]},{\"label\":\"filebeat-* | 
Line\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"sourceGeoField\":\"source.geo.location\",\"destGeoField\":\"destination.geo.location\",\"metrics\":[{\"type\":\"count\"},{\"type\":\"sum\",\"field\":\"destination.bytes\"}],\"id\":\"faf6884d-b7cb-41dd-ab86-95970d7c59d2\",\"type\":\"ES_PEW_PEW\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#6092C0\"}},\"lineWidth\":{\"type\":\"DYNAMIC\",\"options\":{\"minSize\":1,\"maxSize\":8,\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3}}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"9c450fbf-b009-4b53-9810-2f47ca8dcfa8\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]}]", + "mapStateJSON": 
"{\"zoom\":1.24,\"center\":{\"lon\":-49.38072,\"lat\":7.87497},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", "title": "", - "uiStateJSON": { - "isLayerTOCOpen": true, - "openTOCDetails": [] - } + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" }, "enhancements": {}, "hiddenLayers": [], diff --git a/x-pack/filebeat/module/cylance/_meta/config.yml b/x-pack/filebeat/module/cylance/_meta/config.yml index 3025ab38401..f48f72b6065 100644 --- a/x-pack/filebeat/module/cylance/_meta/config.yml +++ b/x-pack/filebeat/module/cylance/_meta/config.yml @@ -1,6 +1,6 @@ - module: cylance protect: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/envoyproxy/_meta/config.yml b/x-pack/filebeat/module/envoyproxy/_meta/config.yml index 8009773045d..c0fada4e3ae 100644 --- a/x-pack/filebeat/module/envoyproxy/_meta/config.yml +++ b/x-pack/filebeat/module/envoyproxy/_meta/config.yml @@ -1,7 +1,7 @@ - module: envoyproxy # Fileset for native deployment log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
diff --git a/x-pack/filebeat/module/f5/_meta/config.yml b/x-pack/filebeat/module/f5/_meta/config.yml index 48ccc13d31a..a939fc021f8 100644 --- a/x-pack/filebeat/module/f5/_meta/config.yml +++ b/x-pack/filebeat/module/f5/_meta/config.yml @@ -1,6 +1,6 @@ - module: f5 bigipapm: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -19,7 +19,7 @@ # var.tz_offset: local bigipafm: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/fortinet/_meta/config.yml b/x-pack/filebeat/module/fortinet/_meta/config.yml index f71e5732b14..5f5561c7925 100644 --- a/x-pack/filebeat/module/fortinet/_meta/config.yml +++ b/x-pack/filebeat/module/fortinet/_meta/config.yml @@ -1,6 +1,6 @@ - module: fortinet firewall: - enabled: false + enabled: true # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -23,7 +23,7 @@ #var.external_interfaces: [ "WAN" ] clientendpoint: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -42,7 +42,7 @@ # var.tz_offset: local fortimail: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -61,7 +61,7 @@ # var.tz_offset: local fortimanager: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/gcp/_meta/config.yml b/x-pack/filebeat/module/gcp/_meta/config.yml index 7b804388694..b32c5a65957 100644 --- a/x-pack/filebeat/module/gcp/_meta/config.yml +++ b/x-pack/filebeat/module/gcp/_meta/config.yml @@ -1,6 +1,6 @@ - module: gcp vpcflow: - enabled: false + enabled: true # Google Cloud project ID. var.project_id: my-gcp-project-id 
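Review bot: The fortinet firewall hunk (`@@ -1,6 +1,6 @@`) sets `enabled: true` while the context line beneath it documents udp as the default input, so a configuration generated from this template opens a UDP listener by default; the same applies to the clientendpoint, fortimail and fortimanager hunks and to the two f5 hunks on this line, all of which name udp as the default. Syslog-style listeners enabled without an operator decision widen the attack surface of every host the generated configuration ships to, and nothing in the patch subject (OpenMetrics) explains the change. I would keep `enabled: false` in these templates; if default-on modules are intended, that belongs in a separate, documented change.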
@@ -28,7 +28,7 @@ #var.internal_networks: [ "private" ] firewall: - enabled: false + enabled: true # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -55,7 +55,7 @@ #var.internal_networks: [ "private" ] audit: - enabled: false + enabled: true # Google Cloud project ID. var.project_id: my-gcp-project-id diff --git a/x-pack/filebeat/module/gcp/_meta/kibana/7/map/a97de660-73a5-11ea-a345-f985c61fe654.json b/x-pack/filebeat/module/gcp/_meta/kibana/7/map/a97de660-73a5-11ea-a345-f985c61fe654.json index fcafb6c5428..4632935ce64 100644 --- a/x-pack/filebeat/module/gcp/_meta/kibana/7/map/a97de660-73a5-11ea-a345-f985c61fe654.json +++ b/x-pack/filebeat/module/gcp/_meta/kibana/7/map/a97de660-73a5-11ea-a345-f985c61fe654.json 
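Review bot: The gcp firewall and audit hunks set `enabled: true` while the context line directly below each still carries the placeholder `var.project_id: my-gcp-project-id`, so a configuration generated from this template would start Pub/Sub inputs against a project that does not exist (the credential settings sit outside these hunks, but are presumably placeholders as well). For a template, `enabled: false` is the safer default; if the flip is deliberate it should come with guidance on what must be filled in before the fileset is enabled. This change also appears unrelated to the OpenMetrics subject of the patch.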
@@ -1,148 +1,8 @@ { "attributes": { "description": "", - "layerListJSON": [ - { - "alpha": 1, - "id": "866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0", - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "isAutoSelect": true, - "type": "EMS_TMS" - }, - "style": {}, - "type": "VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "id": "279da950-e9a7-4287-ab37-25906e448455", - "joins": [], - "label": "Source Locations", - "maxZoom": 24, - "minZoom": 0, - "query": { - "language": "kuery", - "query": "event.dataset:gcp.audit" - }, - "sourceDescriptor": { - "applyGlobalQuery": true, - "filterByMapBounds": true, - "geoField": "source.geo.location", - "id": "79ec6461-7561-45e4-a6a2-9d6fbd4cf986", - "indexPatternRefName": "layer_1_source_index_pattern", - "scalingType": "LIMIT", - "sortField": "", - "sortOrder": "desc", - "tooltipProperties": [], - "topHitsSize": 1, - "type": "ES_SEARCH" - }, - "style": { - "isTimeAware": true, - "properties": { - "fillColor": { - "options": { - "color": "#54B399" - }, - "type": "STATIC" - }, - "icon": { - "options": { - "value": "marker" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "size": 6 - }, - "type": "STATIC" - }, - "labelBorderColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "labelBorderSize": { - "options": { - "size": "SMALL" - } - }, - "labelColor": { - "options": { - "color": "#000000" - }, - "type": "STATIC" - }, - "labelSize": { - "options": { - "size": 14 - }, - "type": "STATIC" - }, - "labelText": { - "options": { - "value": "" - }, - "type": "STATIC" - }, - "lineColor": { - "options": { - "color": "#41937c" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { - "size": 1 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - } - ], - "mapStateJSON": { - "center": 
{ - "lat": 19.94277, - "lon": 0 - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "refreshConfig": { - "interval": 0, - "isPaused": false - }, - "settings": { - "autoFitToDataBounds": false - }, - "timeFilters": { - "from": "now-7d", - "to": "now" - }, - "zoom": 1.97 - }, + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\",\"geoField\":\"source.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"LIMIT\",\"topHitsSize\":1,\"type\":\"ES_SEARCH\",\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"279da950-e9a7-4287-ab37-25906e448455\",\"label\":\"Source 
Locations\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[],\"query\":{\"query\":\"event.dataset:gcp.audit\",\"language\":\"kuery\"}}]", + "mapStateJSON": "{\"zoom\":1.97,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false}}", "title": "Audit Source Locations [Filebeat GCP]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/google_workspace/_meta/config.yml b/x-pack/filebeat/module/google_workspace/_meta/config.yml index 58d6a754b1e..1d6c5ad4589 100644 --- a/x-pack/filebeat/module/google_workspace/_meta/config.yml +++ b/x-pack/filebeat/module/google_workspace/_meta/config.yml @@ -1,6 +1,6 @@ - module: google_workspace saml: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -8,7 +8,7 @@ # var.user_key: all # var.interval: 2h user_accounts: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -16,7 +16,7 @@ # var.user_key: all # var.interval: 2h login: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -24,7 +24,7 @@ # var.user_key: all # var.interval: 2h admin: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -32,7 +32,7 @@ # var.user_key: all # var.interval: 2h drive: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h 
@@ -40,7 +40,7 @@ # var.user_key: all # var.interval: 2h groups: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h diff --git a/x-pack/filebeat/module/googlecloud/_meta/config.yml b/x-pack/filebeat/module/googlecloud/_meta/config.yml new file mode 100644 index 00000000000..2c535fb4664 --- /dev/null +++ b/x-pack/filebeat/module/googlecloud/_meta/config.yml 
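Review bot: The `enabled: false` → `enabled: true` flip in this `groups` hunk, and in the five sibling hunks for `saml`, `user_accounts`, `login`, `admin` and `drive`, has nothing to do with the OpenMetrics textparser work named in the subject line and looks like a rebase artifact; if it is intended, the description should say so. Since `_meta/config.yml` is presumably the template for the module's default config, the practical effect is that enabling the module starts all six Reports API pollers under the same domain-wide-delegated service account, so an operator who only wants `login` events must now opt out of five filesets instead of opting in to one.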
@@ -0,0 +1,55 @@ +# googlecloud module is deprecated, please use gcp instead +- module: gcp + vpcflow: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be + # configured to use this topic as a sink for VPC flow logs. + var.topic: gcp-vpc-flowlogs + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-vpc-flowlogs-sub + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json + + firewall: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing firewall logs. Stackdriver must be + # configured to use this topic as a sink for firewall logs. + var.topic: gcp-vpc-firewall + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-firewall-sub + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json + + audit: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing firewall logs. Stackdriver must be + # configured to use this topic as a sink for firewall logs. + var.topic: gcp-vpc-audit + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-audit + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json 
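Review bot: The comment above `var.topic: gcp-vpc-audit` in the `audit` section is copied from `firewall` (`# Google Pub/Sub topic containing firewall logs. Stackdriver must be configured to use this topic as a sink for firewall logs.`); it should read `# Google Pub/Sub topic containing audit logs. Stackdriver must be configured to use this topic as a sink for audit logs.` Each credentials comment also says the service account needs "authorization to read from the subscription" while the preceding comment says Filebeat will create the subscription if it does not exist; creating one presumably needs more than subscriber rights, so a least-privilege deployment should pre-create the subscription and grant only `roles/pubsub.subscriber` — worth a line such as `# Pre-create the subscription so the service account only needs roles/pubsub.subscriber.` Cosmetically, `filebeat-gcp-audit` lacks the `-sub` suffix used by the other two subscription names.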
diff --git a/x-pack/filebeat/module/googlecloud/module.yml b/x-pack/filebeat/module/googlecloud/module.yml new file mode 100644 index 00000000000..e5d6de04886 --- /dev/null +++ b/x-pack/filebeat/module/googlecloud/module.yml @@ -0,0 +1 @@ +movedTo: gcp diff --git a/x-pack/filebeat/module/gsuite/_meta/config.yml b/x-pack/filebeat/module/gsuite/_meta/config.yml new file mode 100644 index 00000000000..0badc11284e --- /dev/null +++ b/x-pack/filebeat/module/gsuite/_meta/config.yml @@ -0,0 +1,50 @@ +# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. +- module: gsuite + saml: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + user_accounts: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h 
diff --git a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc new file mode 100644 index 00000000000..38402d773a0 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc 
@@ -0,0 +1,133 @@ +[role="xpack"] + +:modulename: gsuite +:has-dashboards: false + +== GSuite module + +beta[] + +deprecated::[7.12] + +This is a module for ingesting data from the different GSuite audit reports API's. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +It is compatible with a subset of applications under the https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started[Google Reports API v1]. As of today it supports: + +[options="header"] +|=========================================================================================================================================================================================================================== +| GSuite Service | Description | +| SAML https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[api docs] https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054[help] | View users’ successful and failed sign-ins to SAML applications. | +| User Accounts https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[api docs] https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054[help] | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | +| Login https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[api docs] https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054[help] | Track user sign-in activity to your domain. | +| Admin https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[api docs] https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054[help] | View administrator activity performed within the Google Admin console. 
| +| Drive https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[api docs] https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054[help] | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | +| Groups https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[api docs] https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054[help] | Track changes to groups, group memberships and group messages. | +|=========================================================================================================================================================================================================================== + +[float] +=== Configure the module + +In order for Filebeat to ingest data from the Google Reports API you must: + +- Have an *administrator account*. +- https://support.google.com/gsuitemigrate/answer/9222993?hl=en[Set up a ServiceAccount] using the administrator account. +- https://support.google.com/gsuitemigrate/answer/9222865?hl=en[Set up access to the Admin SDK API] for the ServiceAccount. +- https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Enable Domain-Wide Delegation] for your ServiceAccount. 
+ +This module will make use of the following *oauth2 scope*: + +- `https://www.googleapis.com/auth/admin.reports.audit.readonly` + +Once you have downloaded your service account credentials as a JSON file, +you can set up your module: + +[float] +===== Configuration options + +[source,yaml] +---- +- module: gsuite + saml: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + user_accounts: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + login: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + admin: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + drive: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + groups: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" +---- + +Every fileset has the following configuration options: + +*`var.jwt_file`*:: + +Specifies the path to the JWT credentials file. + +*`var.delegated_account`*:: + +Email of the admin user used to access the API. + +*`var.http_client_timeout`*:: + +Duration of the time limit on HTTP requests made by the module. Defaults to +`60s`. + +*`var.interval`*:: + +Duration between requests to the API. Defaults to `2h`. + +NOTE: GSuite defaults to a 2 hour polling interval because Google reports can go from +some minutes up to 3 days of delay. For more details on this, you can read more https://support.google.com/a/answer/7061566[here]. + +*`var.user_key`*:: + +Specifies the user key to fetch reports from. Defaults to `all`. + +*`var.initial_interval`*:: + +It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to `24h`. 
+ +[float] +==== GSuite Reports ECS fields + +This is a list of GSuite Reports fields that are mapped to ECS. + +[options="header"] +|=============================================================================================== +| GSuite Reports | ECS Fields | +| `items[].id.time` | `@timestamp` | +| `items[].id.uniqueQualifier` | `event.id` | +| `items[].id.applicationName` | `event.provider` | +| `items[].events[].name` | `event.action` | +| `items[].customerId` | `organization.id` | +| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` | +| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | +| `items[].actor.profileId` | `source.user.id` | +|=============================================================================================== + +These are the common ones to all filesets. + +:has-dashboards!: + +:modulename!: diff --git a/x-pack/filebeat/module/gsuite/_meta/fields.yml b/x-pack/filebeat/module/gsuite/_meta/fields.yml new file mode 100644 index 00000000000..21ef9c6e692 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/_meta/fields.yml 
@@ -0,0 +1,42 @@ +- key: gsuite + title: "gsuite" + description: > + gsuite Module + fields: + - name: gsuite + default_field: false + type: group + description: > + Gsuite specific fields. + + More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + fields: + - name: actor.type + type: keyword + description: > + The type of actor. + + Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + - name: actor.key + type: keyword + description: > + Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. + - name: event.type + type: keyword + description: > + The type of GSuite event, mapped from `items[].events[].type` in the original payload. + Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + example: audit#activity + - name: kind + type: keyword + description: > + The type of API resource, mapped from `kind` in the original payload. + More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + example: audit#activity + - name: organization.domain + type: keyword + description: > + The domain that is affected by the report's event. diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml new file mode 100644 index 00000000000..7c82f3ed6e7 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml 
@@ -0,0 +1,271 @@ +- name: admin + type: group + fields: + - name: application.edition + type: keyword + description: The GSuite edition. + - name: application.name + type: keyword + description: The application's name. + - name: application.enabled + type: keyword + description: The enabled application. + - name: application.licences_order_number + type: keyword + description: Order number used to redeem licenses. + - name: application.licences_purchased + type: keyword + description: Number of licences purchased. + - name: application.id + type: keyword + description: The application ID. + - name: application.asp_id + type: keyword + description: The application specific password ID. + - name: application.package_id + type: keyword + description: The mobile application package ID. + - name: group.email + type: keyword + description: The group's primary email address. + - name: new_value + type: keyword + description: The new value for the setting. + - name: old_value + type: keyword + description: The old value for the setting. + - name: org_unit.name + type: keyword + description: The organizational unit name. + - name: org_unit.full + type: keyword + description: The org unit full path including the root org unit name. + - name: setting.name + type: keyword + description: The setting name. + - name: user_defined_setting.name + type: keyword + description: The name of the user-defined setting. + - name: setting.description + type: keyword + description: The setting name. + - name: group.priorities + type: keyword + description: Group priorities. + - name: domain.alias + type: keyword + description: The domain alias. + - name: domain.name + type: keyword + description: The primary domain name. + - name: domain.secondary_name + type: keyword + description: The secondary domain name. + - name: managed_configuration + type: keyword + description: The name of the managed configuration. 
+ - name: non_featured_services_selection + type: keyword + description: > + Non-featured services selection. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED + - name: field + type: keyword + description: The name of the field. + - name: resource.id + type: keyword + description: The name of the resource identifier. + - name: user.email + type: keyword + description: The user's primary email address. + - name: user.nickname + type: keyword + description: The user's nickname. + - name: user.birthdate + type: date + description: The user's birth date. + - name: gateway.name + type: keyword + description: Gateway name. Present on some chat settings. + - name: chrome_os.session_type + type: keyword + description: Chrome OS session type. + - name: device.serial_number + type: keyword + description: Device serial number. + - name: device.id + type: keyword + - name: device.type + type: keyword + description: Device type. + - name: print_server.name + type: keyword + description: The name of the print server. + - name: printer.name + type: keyword + description: The name of the printer. + - name: device.command_details + type: keyword + description: Command details. + - name: role.id + type: keyword + description: Unique identifier for this role privilege. + - name: role.name + type: keyword + description: > + The role name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings + - name: privilege.name + type: keyword + description: Privilege name. + - name: service.name + type: keyword + description: The service name. + - name: url.name + type: keyword + description: The website name. + - name: product.name + type: keyword + description: The product name. + - name: product.sku + type: keyword + description: The product SKU. 
+ - name: bulk_upload.failed + type: long + description: Number of failed records in bulk upload operation. + - name: bulk_upload.total + type: long + description: Number of total records in bulk upload operation. + - name: group.allowed_list + type: keyword + description: Names of allow-listed groups. + - name: email.quarantine_name + type: keyword + description: The name of the quarantine. + - name: email.log_search_filter.message_id + type: keyword + description: The log search filter's email message ID. + - name: email.log_search_filter.start_date + type: date + description: The log search filter's start date. + - name: email.log_search_filter.end_date + type: date + description: The log search filter's ending date. + - name: email.log_search_filter.recipient.value + type: keyword + description: The log search filter's email recipient. + - name: email.log_search_filter.sender.value + type: keyword + description: The log search filter's email sender. + - name: email.log_search_filter.recipient.ip + type: ip + description: The log search filter's email recipient's IP address. + - name: email.log_search_filter.sender.ip + type: ip + description: The log search filter's email sender's IP address. + - name: chrome_licenses.enabled + type: keyword + description: > + Licences enabled. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + - name: chrome_licenses.allowed + type: keyword + description: > + Licences enabled. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + - name: oauth2.service.name + type: keyword + description: > + OAuth2 service name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + - name: oauth2.application.id + type: keyword + description: OAuth2 application ID. 
+ - name: oauth2.application.name + type: keyword + description: OAuth2 application name. + - name: oauth2.application.type + type: keyword + description: > + OAuth2 application type. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + - name: verification_method + type: keyword + description: > + Related verification method. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and + https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + - name: alert.name + type: keyword + description: The alert name. + - name: rule.name + type: keyword + description: The rule name. + - name: api.client.name + type: keyword + description: The API client name. + - name: api.scopes + type: keyword + description: The API scopes. + - name: mdm.token + type: keyword + description: The MDM vendor enrollment token. + - name: mdm.vendor + type: keyword + description: The MDM vendor's name. + - name: info_type + type: keyword + description: > + This will be used to state what kind of information was changed. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + - name: email_monitor.dest_email + type: keyword + description: The destination address of the email monitor. + - name: email_monitor.level.chat + type: keyword + description: The chat email monitor level. + - name: email_monitor.level.draft + type: keyword + description: The draft email monitor level. + - name: email_monitor.level.incoming + type: keyword + description: The incoming email monitor level. + - name: email_monitor.level.outgoing + type: keyword + description: The outgoing email monitor level. + - name: email_dump.include_deleted + type: boolean + description: Indicates if deleted emails are included in the export. 
+ - name: email_dump.package_content + type: keyword + description: The contents of the mailbox package. + - name: email_dump.query + type: keyword + description: The search query used for the dump. + - name: request.id + type: keyword + description: The request ID. + - name: mobile.action.id + type: keyword + description: The mobile device action's ID. + - name: mobile.action.type + type: keyword + description: > + The mobile device action's type. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + - name: mobile.certificate.name + type: keyword + description: The mobile certificate common name. + - name: mobile.company_owned_devices + type: long + description: The number of devices a company owns. + - name: distribution.entity.name + type: keyword + description: > + The distribution entity value, which can be a group name or an org-unit name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + - name: distribution.entity.type + type: keyword + description: > + The distribution entity type, which can be a group or an org-unit. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings diff --git a/x-pack/filebeat/module/gsuite/admin/config/config.yml b/x-pack/filebeat/module/gsuite/admin/config/config.yml new file mode 100644 index 00000000000..409da0182e3 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/config/config.yml 
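Review bot: Two descriptions are copy-paste leftovers: `setting.description` is documented as `The setting name.` (should be `The setting description.`) and `chrome_licenses.allowed` repeats `Licences enabled.` from the field above it (should be `Licences allowed.`), while `device.id` has no description at all — add `description: Device ID.`. `application.licences_purchased` is typed `keyword` although described as `Number of licences purchased`, unlike `bulk_upload.failed`, `bulk_upload.total` and `mobile.company_owned_devices`, which are `long`; if the API value is numeric, `long` keeps it aggregatable. `mdm.token` indexes "The MDM vendor enrollment token" as a keyword; if Google returns the token value itself rather than an identifier, say in the description whether it is stored unredacted, since an enrollment token may be usable by whoever can read the index.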
@@ -0,0 +1,54 @@ +{{ if eq .input "httpjson" }} +type: httpjson + +url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/admin +json_objects_array: items +split_events_by: events + +interval: {{ .interval }} + +{{ if .http_client_timeout }} +http_client_timeout: {{ .http_client_timeout }} +{{ end }} + +oauth2.provider: google +oauth2.google.jwt_file: {{ .jwt_file }} +oauth2.google.delegated_account: {{ .delegated_account }} +oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly + +date_cursor.url_field: startTime +date_cursor.initial_interval: {{ .initial_interval }} + +pagination.id_field: nextPageToken +pagination.url_field: pageToken + +{{ if .proxy_url }} +request.proxy_url: {{ .proxy_url }} +{{ end }} + +{{ else if eq .input "file" }} +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: '' + fields: + ecs.version: 1.11.0 + - script: + lang: javascript + id: gsuite-common + file: ${path.home}/module/gsuite/config/common.js + - script: + lang: javascript + id: gsuite-admin + file: ${path.home}/module/gsuite/admin/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js new file mode 100644 index 00000000000..9fdaa12998e --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js 
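Review bot: `oauth2.google.jwt_file: {{ .jwt_file }}` points at a service-account private key that, with `oauth2.google.delegated_account` and domain-wide delegation, lets this input act as the delegated admin for the listed scope, yet the template gives operators no hint about protecting it; a comment above it such as `# jwt_file is a service-account key with domain-wide delegation: restrict it to the filebeat user (mode 0600)` would help. The scope list is correctly limited to `admin.reports.audit.readonly`. Unlike `http_client_timeout` and `proxy_url`, `jwt_file` and `delegated_account` are rendered unconditionally, so an omitted var yields an empty value rather than a template-time error; whether the input rejects an empty path is not visible here.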
@@ -0,0 +1,967 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var login = (function () { + var processor = require("processor"); + + var categorizeEvent = function(evt) { + // not convinced that these should be iam + evt.Put("event.category", ["iam"]); + switch (evt.Get("event.action")) { + case "CHANGE_APPLICATION_SETTING": + case "UPDATE_MANAGED_CONFIGURATION": + case "CHANGE_CALENDAR_SETTING": + case "CHANGE_CHAT_SETTING": + case "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING": + case "GPLUS_PREMIUM_FEATURES": + case "UPDATE_CALENDAR_RESOURCE_FEATURE": + case "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED": + case "MEET_INTEROP_MODIFY_GATEWAY": + case "CHANGE_CHROME_OS_APPLICATION_SETTING": + case "CHANGE_CHROME_OS_DEVICE_SETTING": + case "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING": + case "CHANGE_CHROME_OS_SETTING": + case "CHANGE_CHROME_OS_USER_SETTING": + case "CHANGE_CONTACTS_SETTING": + case "CHANGE_DOCS_SETTING": + case "CHANGE_SITES_SETTING": + case "CHANGE_EMAIL_SETTING": + case "CHANGE_GMAIL_SETTING": + case "ALLOW_STRONG_AUTHENTICATION": + case "ALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID": + case "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY": + case "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_START_DATE": + case "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS": + case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES": + case "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY": + case "ENFORCE_STRONG_AUTHENTICATION": + case "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS": + case "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED": + case "SESSION_CONTROL_SETTINGS_CHANGE": + case "CHANGE_SESSION_LENGTH": 
+ case "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS": + case "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET": + case "ENABLE_API_ACCESS": + case "CHANGE_WHITELIST_SETTING": + case "COMMUNICATION_PREFERENCES_SETTING_CHANGE": + case "ENABLE_FEEDBACK_SOLICITATION": + case "TOGGLE_CONTACT_SHARING": + case "TOGGLE_USE_CUSTOM_LOGO": + case "CHANGE_DATA_LOCALIZATION_SETTING": + case "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY": + case "TOGGLE_SSO_ENABLED": + case "TOGGLE_SSL": + case "TOGGLE_NEW_APP_FEATURES": + case "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL": + case "TOGGLE_OPEN_ID_ENABLED": + case "TOGGLE_OUTBOUND_RELAY": + case "CHANGE_SSO_SETTINGS": + case "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS": + case "CHANGE_MOBILE_APPLICATION_SETTINGS": + case "CHANGE_MOBILE_SETTING": + evt.AppendTo("event.category", "configuration") + evt.Put("event.type", ["change"]); + break; + case "UPDATE_BUILDING": + case "RENAME_CALENDAR_RESOURCE": + case "UPDATE_CALENDAR_RESOURCE": + case "CANCEL_CALENDAR_EVENTS": + case "RELEASE_CALENDAR_RESOURCES": + case "CHANGE_DEVICE_STATE": + case "CHANGE_CHROME_OS_DEVICE_ANNOTATION": + case "CHANGE_CHROME_OS_DEVICE_STATE": + case "UPDATE_CHROME_OS_PRINT_SERVER": + case "UPDATE_CHROME_OS_PRINTER": + case "MOVE_DEVICE_TO_ORG_UNIT_DETAILED": + case "UPDATE_DEVICE": + case "SEND_CHROME_OS_DEVICE_COMMAND": + case "ASSIGN_ROLE": + case "ADD_PRIVILEGE": + case "REMOVE_PRIVILEGE": + case "RENAME_ROLE": + case "UPDATE_ROLE": + case "UNASSIGN_ROLE": + case "TRANSFER_DOCUMENT_OWNERSHIP": + case "ORG_USERS_LICENSE_ASSIGNMENT": + case "ORG_ALL_USERS_LICENSE_ASSIGNMENT": + case "USER_LICENSE_ASSIGNMENT": + case "CHANGE_LICENSE_AUTO_ASSIGN": + case "USER_LICENSE_REASSIGNMENT": + case "ORG_LICENSE_REVOKE": + case "USER_LICENSE_REVOKE": + case "UPDATE_DYNAMIC_LICENSE": + case "DROP_FROM_QUARANTINE": + case "REJECT_FROM_QUARANTINE": + case "RELEASE_FROM_QUARANTINE": + case "CHROME_LICENSES_ENABLED": + case "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED": + case "ASSIGN_CUSTOM_LOGO": + case 
"UNASSIGN_CUSTOM_LOGO": + case "REVOKE_ENROLLMENT_TOKEN": + case "CHROME_LICENSES_ALLOWED": + case "EDIT_ORG_UNIT_DESCRIPTION": + case "MOVE_ORG_UNIT": + case "EDIT_ORG_UNIT_NAME": + case "REVOKE_DEVICE_ENROLLMENT_TOKEN": + case "TOGGLE_SERVICE_ENABLED": + case "ADD_TO_TRUSTED_OAUTH2_APPS": + case "REMOVE_FROM_TRUSTED_OAUTH2_APPS": + case "BLOCK_ON_DEVICE_ACCESS": + case "TOGGLE_CAA_ENABLEMENT": + case "CHANGE_CAA_ERROR_MESSAGE": + case "CHANGE_CAA_APP_ASSIGNMENTS": + case "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS": + case "TRUST_DOMAIN_OWNED_OAUTH2_APPS": + case "UNBLOCK_ON_DEVICE_ACCESS": + case "CHANGE_ACCOUNT_AUTO_RENEWAL": + case "ADD_APPLICATION": + case "ADD_APPLICATION_TO_WHITELIST": + case "CHANGE_ADVERTISEMENT_OPTION": + case "CHANGE_ALERT_CRITERIA": + case "ALERT_RECEIVERS_CHANGED": + case "RENAME_ALERT": + case "ALERT_STATUS_CHANGED": + case "ADD_DOMAIN_ALIAS": + case "REMOVE_DOMAIN_ALIAS": + case "AUTHORIZE_API_CLIENT_ACCESS": + case "REMOVE_API_CLIENT_ACCESS": + case "CHROME_LICENSES_REDEEMED": + case "TOGGLE_AUTO_ADD_NEW_SERVICE": + case "CHANGE_PRIMARY_DOMAIN": + case "CHANGE_CONFLICT_ACCOUNT_ACTION": + case "CHANGE_CUSTOM_LOGO": + case "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA": + case "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO": + case "CHANGE_DOMAIN_DEFAULT_LOCALE": + case "CHANGE_DOMAIN_DEFAULT_TIMEZONE": + case "CHANGE_DOMAIN_NAME": + case "TOGGLE_ENABLE_PRE_RELEASE_FEATURES": + case "CHANGE_DOMAIN_SUPPORT_MESSAGE": + case "ADD_TRUSTED_DOMAINS": + case "REMOVE_TRUSTED_DOMAINS": + case "CHANGE_EDU_TYPE": + case "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO": + case "CHANGE_LOGIN_BACKGROUND_COLOR": + case "CHANGE_LOGIN_BORDER_COLOR": + case "CHANGE_LOGIN_ACTIVITY_TRACE": + case "PLAY_FOR_WORK_ENROLL": + case "PLAY_FOR_WORK_UNENROLL": + case "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL": + case "CHANGE_ORGANIZATION_NAME": + case "CHANGE_PASSWORD_MAX_LENGTH": + case "CHANGE_PASSWORD_MIN_LENGTH": + case "REMOVE_APPLICATION": + case "REMOVE_APPLICATION_FROM_WHITELIST": + case 
"CHANGE_RENEW_DOMAIN_REGISTRATION": + case "CHANGE_RESELLER_ACCESS": + case "RULE_ACTIONS_CHANGED": + case "CHANGE_RULE_CRITERIA": + case "RENAME_RULE": + case "RULE_STATUS_CHANGED": + case "ADD_SECONDARY_DOMAIN": + case "REMOVE_SECONDARY_DOMAIN": + case "UPDATE_DOMAIN_SECONDARY_EMAIL": + case "UPDATE_RULE": + case "ADD_MOBILE_CERTIFICATE": + case "COMPANY_OWNED_DEVICE_BLOCKED": + case "COMPANY_OWNED_DEVICE_UNBLOCKED": + case "COMPANY_OWNED_DEVICE_WIPED": + case "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT": + case "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER": + case "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST": + case "ADD_MOBILE_APPLICATION_TO_WHITELIST": + case "CHANGE_ADMIN_RESTRICTIONS_PIN": + case "CHANGE_MOBILE_WIRELESS_NETWORK": + case "ADD_MOBILE_WIRELESS_NETWORK": + case "REMOVE_MOBILE_WIRELESS_NETWORK": + case "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD": + case "REMOVE_MOBILE_CERTIFICATE": + evt.Put("event.type", ["change"]); + break; + case "CREATE_APPLICATION_SETTING": + case "CREATE_GMAIL_SETTING": + evt.AppendTo("event.category", "configuration") + evt.Put("event.type", ["creation"]); + break; + case "CREATE_MANAGED_CONFIGURATION": + case "CREATE_BUILDING": + case "CREATE_CALENDAR_RESOURCE": + case "CREATE_CALENDAR_RESOURCE_FEATURE": + case "MEET_INTEROP_CREATE_GATEWAY": + case "INSERT_CHROME_OS_PRINT_SERVER": + case "INSERT_CHROME_OS_PRINTER": + case "CREATE_ROLE": + case "ADD_WEB_ADDRESS": + case "EMAIL_UNDELETE": + case "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED": + case "CREATE_DEVICE_ENROLLMENT_TOKEN": + case "CREATE_ENROLLMENT_TOKEN": + case "CREATE_ORG_UNIT": + case "CREATE_ALERT": + case "CREATE_PLAY_FOR_WORK_TOKEN": + case "GENERATE_TRANSFER_TOKEN": + case "REGENERATE_OAUTH_CONSUMER_SECRET": + case "CREATE_RULE": + case "GENERATE_PIN": + case "COMPANY_DEVICES_BULK_CREATION": + evt.Put("event.type", ["creation"]); + break; + case "DELETE_APPLICATION_SETTING": + case "DELETE_GMAIL_SETTING": + evt.AppendTo("event.category", "configuration") + 
evt.Put("event.type", ["deletion"]);
+ break;
+ case "DELETE_MANAGED_CONFIGURATION":
+ case "DELETE_BUILDING":
+ case "DELETE_CALENDAR_RESOURCE":
+ case "DELETE_CALENDAR_RESOURCE_FEATURE":
+ case "MEET_INTEROP_DELETE_GATEWAY":
+ case "DELETE_CHROME_OS_PRINT_SERVER":
+ case "DELETE_CHROME_OS_PRINTER":
+ case "REMOVE_CHROME_OS_APPLICATION_SETTINGS":
+ case "DELETE_ROLE":
+ case "DELETE_WEB_ADDRESS":
+ case "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED":
+ case "REMOVE_ORG_UNIT":
+ case "DELETE_ALERT":
+ case "DELETE_PLAY_FOR_WORK_TOKEN":
+ case "DELETE_RULE":
+ case "COMPANY_DEVICE_DELETION":
+ evt.Put("event.type", ["deletion"]);
+ break;
+ case "DELETE_GROUP":
+ evt.Put("event.type", ["group", "creation"]);
+ break;
+ case "CREATE_GROUP":
+ evt.Put("event.type", ["group", "creation"]);
+ break;
+ case "REORDER_GROUP_BASED_POLICIES_EVENT":
+ case "CHANGE_GROUP_DESCRIPTION":
+ case "ADD_GROUP_MEMBER":
+ case "REMOVE_GROUP_MEMBER":
+ case "UPDATE_GROUP_MEMBER":
+ case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS":
+ case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE":
+ case "CHANGE_GROUP_NAME":
+ case "CHANGE_GROUP_SETTING":
+ case "GROUP_MEMBER_BULK_UPLOAD":
+ case "WHITELISTED_GROUPS_UPDATED":
+ evt.Put("event.type", ["group", "change"]);
+ break;
+ case "REVOKE_3LO_DEVICE_TOKENS":
+ case "REVOKE_3LO_TOKEN":
+ case "ADD_RECOVERY_EMAIL":
+ case "ADD_RECOVERY_PHONE":
+ case "GRANT_ADMIN_PRIVILEGE":
+ case "REVOKE_ADMIN_PRIVILEGE":
+ case "REVOKE_ASP":
+ case "TOGGLE_AUTOMATIC_CONTACT_SHARING":
+ case "CANCEL_USER_INVITE":
+ case "CHANGE_USER_CUSTOM_FIELD":
+ case "CHANGE_USER_EXTERNAL_ID":
+ case "CHANGE_USER_GENDER":
+ case "CHANGE_USER_IM":
+ case "ENABLE_USER_IP_WHITELIST":
+ case "CHANGE_USER_KEYWORD":
+ case "CHANGE_USER_LANGUAGE":
+ case "CHANGE_USER_LOCATION":
+ case "CHANGE_USER_ORGANIZATION":
+ case "CHANGE_USER_PHONE_NUMBER":
+ case "CHANGE_RECOVERY_EMAIL":
+ case "CHANGE_RECOVERY_PHONE":
+ case "CHANGE_USER_RELATION":
+ case "CHANGE_USER_ADDRESS":
+ case "GRANT_DELEGATED_ADMIN_PRIVILEGES":
+ case "CHANGE_FIRST_NAME":
+ case "GMAIL_RESET_USER":
+ case "CHANGE_LAST_NAME":
+ case "MAIL_ROUTING_DESTINATION_ADDED":
+ case "MAIL_ROUTING_DESTINATION_REMOVED":
+ case "ADD_NICKNAME":
+ case "REMOVE_NICKNAME":
+ case "CHANGE_PASSWORD":
+ case "CHANGE_PASSWORD_ON_NEXT_LOGIN":
+ case "REMOVE_RECOVERY_EMAIL":
+ case "REMOVE_RECOVERY_PHONE":
+ case "RESET_SIGNIN_COOKIES":
+ case "SECURITY_KEY_REGISTERED_FOR_USER":
+ case "REVOKE_SECURITY_KEY":
+ case "TURN_OFF_2_STEP_VERIFICATION":
+ case "UNBLOCK_USER_SESSION":
+ case "UNENROLL_USER_FROM_TITANIUM":
+ case "ARCHIVE_USER":
+ case "UPDATE_BIRTHDATE":
+ case "DOWNGRADE_USER_FROM_GPLUS":
+ case "USER_ENROLLED_IN_TWO_STEP_VERIFICATION":
+ case "MOVE_USER_TO_ORG_UNIT":
+ case "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD":
+ case "RENAME_USER":
+ case "UNENROLL_USER_FROM_STRONG_AUTH":
+ case "SUSPEND_USER":
+ case "UNARCHIVE_USER":
+ case "UNSUSPEND_USER":
+ case "UPGRADE_USER_TO_GPLUS":
+ case "MOBILE_DEVICE_APPROVE":
+ case "MOBILE_DEVICE_BLOCK":
+ case "MOBILE_DEVICE_WIPE":
+ case "MOBILE_ACCOUNT_WIPE":
+ case "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE":
+ case "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK":
+ evt.Put("event.type", ["user", "change"]);
+ break;
+ case "DELETE_2SV_SCRATCH_CODES":
+ case "DELETE_ACCOUNT_INFO_DUMP":
+ case "DELETE_EMAIL_MONITOR":
+ case "DELETE_MAILBOX_DUMP":
+ case "DELETE_USER":
+ case "MOBILE_DEVICE_DELETE":
+ evt.Put("event.type", ["user", "deletion"]);
+ break;
+ case "GENERATE_2SV_SCRATCH_CODES":
+ case "CREATE_EMAIL_MONITOR":
+ case "CREATE_DATA_TRANSFER_REQUEST":
+ case "CREATE_USER":
+ case "UNDELETE_USER":
+ evt.Put("event.type", ["user", "creation"]);
+ break;
+ case "ISSUE_DEVICE_COMMAND":
+ case "DRIVE_DATA_RESTORE":
+ case "VIEW_SITE_DETAILS":
+ case "EMAIL_LOG_SEARCH":
+ case "SKIP_DOMAIN_ALIAS_MX":
+ case "VERIFY_DOMAIN_ALIAS_MX":
+ case "VERIFY_DOMAIN_ALIAS":
+ case "VIEW_DNS_LOGIN_DETAILS":
+ case "MX_RECORD_VERIFICATION_CLAIM":
+ case "UPLOAD_OAUTH_CERTIFICATE":
+ case "SKIP_SECONDARY_DOMAIN_MX":
+ case "VERIFY_SECONDARY_DOMAIN_MX":
+ case "VERIFY_SECONDARY_DOMAIN":
+ case "BULK_UPLOAD":
+ case "DOWNLOAD_PENDING_INVITES_LIST":
+ case "DOWNLOAD_USERLIST_CSV":
+ case "USERS_BULK_UPLOAD":
+ case "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT":
+ case "USE_GOOGLE_MOBILE_MANAGEMENT":
+ case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS":
+ case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS":
+ evt.Put("event.type", ["info"]);
+ break;
+ case "GROUP_LIST_DOWNLOAD":
+ case "GROUP_MEMBERS_DOWNLOAD":
+ evt.Put("event.type", ["group", "info"]);
+ break;
+ case "REQUEST_ACCOUNT_INFO":
+ case "REQUEST_MAILBOX_DUMP":
+ case "RESEND_USER_INVITE":
+ case "BULK_UPLOAD_NOTIFICATION_SENT":
+ case "USER_INVITE":
+ case "VIEW_TEMP_PASSWORD":
+ case "USERS_BULK_UPLOAD_NOTIFICATION_SENT":
+ case "ACTION_CANCELLED":
+ case "ACTION_REQUESTED":
+ evt.Put("event.type", ["user", "info"]);
+ break;
+ }
+ };
+
+ var getParamValue = function(param) {
+ if (param.value) {
+ return param.value;
+ }
+ if (param.multiValue) {
+ return param.multiValue;
+ }
+ if (param.intValue !== null) {
+ return param.intValue;
+ }
+ };
+
+ var flattenParams = function(evt) {
+ var params = evt.Get("json.events.parameters");
+ if (!params || !Array.isArray(params)) {
+ return;
+ }
+
+ params.forEach(function(p){
+ evt.Put("gsuite.admin."+p.name, getParamValue(p));
+ });
+
+ evt.Delete("json.events.parameters");
+ };
+
+ var setGroupInfo = function(evt) {
+ var email = evt.Get("gsuite.admin.group.email");
+ if (!email) {
+ return;
+ }
+
+ var data = email.split("@");
+ if (data.length !== 2) {
+ return;
+ }
+
+ evt.Put("group.name", data[0]);
+ evt.Put("group.domain", data[1]);
+ };
+
+ var setRelatedUserInfo = function(evt) {
+ var email = evt.Get("gsuite.admin.user.email");
+ if (!email) {
+ return;
+ }
+
+ var data = email.split("@");
+ if (data.length !== 2) {
+ return;
+ }
+
+ evt.AppendTo("related.user", data[0]);
+ evt.Put("user.target.name", data[0]);
+ evt.Put("user.target.domain", data[1]);
+ evt.Put("user.target.email", email);
+ var groupName = evt.Get("group.name");
+ if (groupName) {
+ evt.Put("user.target.group.name", groupName);
+ }
+ var groupDomain = evt.Get("group.domain");
+ if (groupDomain) {
+ evt.Put("user.target.group.domain", groupDomain);
+ }
+ };
+
+ var setEventDuration = function(evt) {
+ var start = evt.Get("event.start");
+ var end = evt.Get("event.end");
+ if (!start || !end) {
+ return;
+ }
+
+ evt.Put("event.duration", end.UnixNano() - start.UnixNano());
+ };
+
+ var setEventOutcome = function(evt) {
+ var failed = evt.Get("gsuite.admin.group.bulk_upload.failed");
+ if (failed === null) {
+ return;
+ }
+
+ if (failed === 0) {
+ evt.Put("event.outcome", "success");
+ } else {
+ evt.Put("event.outcome", "failure");
+ }
+ };
+
+ var setGroupAllowedlist = function(evt) {
+ var allowedList = evt.Get("gsuite.admin.WHITELISTED_GROUPS");
+ if (!allowedList) {
+ return;
+ }
+
+ evt.Put("gsuite.admin.group.allowed_list", allowedList.split(","));
+ evt.Delete("gsuite.admin.WHITELISTED_GROUPS");
+ };
+
+ var deleteField = function(field) {
+ return function(evt) {
+ evt.Delete(field);
+ };
+ };
+
+ var parseDate = function(field, targetField) {
+ return new processor.Chain()
+ .Add(new processor.Timestamp({
+ field: field,
+ target_field: targetField,
+ timezone: "UTC",
+ layouts: [
+ "2006-01-02T15:04:05Z",
+ "2006-01-02T15:04:05.999Z",
+ "2006/01/02 15:04:05 UTC",
+ ],
+ tests: [
+ "2020-02-05T18:19:23Z",
+ "2020-02-05T18:19:23.599Z",
+ "2020/07/28 04:59:59 UTC",
+ ],
+ ignore_missing: true,
+ }))
+ .Add(deleteField(field))
+ .Build()
+ };
+
+ var pipeline = new processor.Chain()
+ .Add(categorizeEvent)
+ .Add(flattenParams)
+ .Convert({
+ fields: [
+ {
+ from: "gsuite.admin.APPLICATION_EDITION",
+ to: "gsuite.admin.application.edition",
+ },
+ {
+ from: "gsuite.admin.APPLICATION_NAME",
+ to: "gsuite.admin.application.name",
+ },
+ {
+ from: "gsuite.admin.APPLICATION_ENABLED",
+ to: "gsuite.admin.application.enabled",
+ },
+ {
+ from: "gsuite.admin.APP_LICENSES_ORDER_NUMBER",
+ to: "gsuite.admin.application.licences_order_number",
+ },
+ {
+ from: "gsuite.admin.CHROME_NUM_LICENSES_PURCHASED",
+ to: "gsuite.admin.application.licences_purchased",
+ type: "long",
+ },
+ {
+ from: "gsuite.admin.REAUTH_APPLICATION",
+ to: "gsuite.admin.application.name",
+ },
+ {
+ from: "gsuite.admin.GROUP_EMAIL",
+ to: "gsuite.admin.group.email",
+ },
+ {
+ from: "gsuite.admin.GROUP_NAME",
+ to: "group.name",
+ },
+ {
+ from: "gsuite.admin.NEW_VALUE",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.OLD_VALUE",
+ to: "gsuite.admin.old_value",
+ },
+ {
+ from: "gsuite.admin.ORG_UNIT_NAME",
+ to: "gsuite.admin.org_unit.name",
+ },
+ {
+ from: "gsuite.admin.SETTING_NAME",
+ to: "gsuite.admin.setting.name",
+ },
+ {
+ from: "gsuite.admin.SETTING_DESCRIPTION",
+ to: "gsuite.admin.setting.description",
+ },
+ {
+ from: "gsuite.admin.USER_DEFINED_SETTING_NAME",
+ to: "gsuite.admin.user_defined_setting.name",
+ },
+ {
+ from: "gsuite.admin.GROUP_PRIORITIES",
+ to: "gsuite.admin.group.priorities",
+ },
+ {
+ from: "gsuite.admin.DOMAIN_NAME",
+ to: "gsuite.admin.domain.name",
+ },
+ {
+ from: "gsuite.admin.DOMAIN_ALIAS",
+ to: "gsuite.admin.domain.alias",
+ },
+ {
+ from: "gsuite.admin.SECONDARY_DOMAIN_NAME",
+ to: "gsuite.admin.domain.secondary_name",
+ },
+ {
+ from: "gsuite.admin.MANAGED_CONFIGURATION_NAME",
+ to: "gsuite.admin.managed_configuration",
+ },
+ {
+ from: "gsuite.admin.MOBILE_APP_PACKAGE_ID",
+ to: "gsuite.admin.application.package_id",
+ },
+ {
+ from: "gsuite.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION",
+ to: "gsuite.admin.non_featured_services_selection",
+ },
+ {
+ from: "gsuite.admin.FIELD_NAME",
+ to: "gsuite.admin.field",
+ },
+ {
+ from: "gsuite.admin.RESOURCE_IDENTIFIER",
+ to: "gsuite.admin.resource.id",
+ },
+ {
+ from: "gsuite.admin.USER_EMAIL",
+ to: "gsuite.admin.user.email",
+ },
+ {
+ from: "gsuite.admin.GATEWAY_NAME",
+ to: "gsuite.admin.gateway.name",
+ },
+ {
+ from: "gsuite.admin.APP_ID",
+ to: "gsuite.admin.application.id",
+ },
+ {
+ from: "gsuite.admin.ASP_ID",
+ to: "gsuite.admin.application.asp_id",
+ },
+ {
+ from: "gsuite.admin.CHROME_OS_SESSION_TYPE",
+ to: "gsuite.admin.chrome_os.session_type",
+ },
+ {
+ from: "gsuite.admin.DEVICE_NEW_STATE",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.DEVICE_PREVIOUS_STATE",
+ to: "gsuite.admin.old_value",
+ },
+ {
+ from: "gsuite.admin.DEVICE_SERIAL_NUMBER",
+ to: "gsuite.admin.device.serial_number",
+ },
+ {
+ from: "gsuite.admin.DEVICE_ID",
+ to: "gsuite.admin.device.id",
+ },
+ {
+ from: "gsuite.admin.DEVICE_TYPE",
+ to: "gsuite.admin.device.type",
+ },
+ {
+ from: "gsuite.admin.PRINT_SERVER_NAME",
+ to: "gsuite.admin.print_server.name",
+ },
+ {
+ from: "gsuite.admin.PRINTER_NAME",
+ to: "gsuite.admin.printer.name",
+ },
+ {
+ from: "gsuite.admin.DEVICE_COMMAND_DETAILS",
+ to: "gsuite.admin.device.command_details",
+ },
+ {
+ from: "gsuite.admin.DEVICE_NEW_ORG_UNIT",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.DEVICE_PREVIOUS_ORG_UNIT",
+ to: "gsuite.admin.old_value",
+ },
+ {
+ from: "gsuite.admin.ROLE_NAME",
+ to: "gsuite.admin.role.name",
+ },
+ {
+ from: "gsuite.admin.ROLE_ID",
+ to: "gsuite.admin.role.id",
+ },
+ {
+ from: "gsuite.admin.PRIVILEGE_NAME",
+ to: "gsuite.admin.privilege.name",
+ },
+ {
+ from: "gsuite.admin.SITE_LOCATION",
+ to: "url.path",
+ },
+ {
+ from: "gsuite.admin.WEB_ADDRESS",
+ to: "url.full",
+ },
+ {
+ from: "gsuite.admin.SITE_NAME",
+ to: "gsuite.admin.url.name",
+ },
+ {
+ from: "gsuite.admin.SERVICE_NAME",
+ to: "gsuite.admin.service.name",
+ },
+ {
+ from: "gsuite.admin.PRODUCT_NAME",
+ to: "gsuite.admin.product.name",
+ },
+ {
+ from: "gsuite.admin.SKU_NAME",
+ to: "gsuite.admin.product.sku",
+ },
+ {
+ from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER",
+ to: "gsuite.admin.bulk_upload.failed",
+ type: "long",
+ },
+ {
+ from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER",
+ to: "gsuite.admin.bulk_upload.total",
+ type: "long",
+ },
+ {
+ from: "gsuite.admin.BULK_UPLOAD_FAIL_USERS_NUMBER",
+ to: "gsuite.admin.bulk_upload.failed",
+ type: "long",
+ },
+ {
+ from: "gsuite.admin.BULK_UPLOAD_TOTAL_USERS_NUMBER",
+ to: "gsuite.admin.bulk_upload.total",
+ type: "long",
+ },
+ {
+ from: "gsuite.admin.EMAIL_LOG_SEARCH_MSG_ID",
+ to: "gsuite.admin.email.log_search_filter.message_id",
+ },
+ {
+ from: "gsuite.admin.EMAIL_LOG_SEARCH_RECIPIENT",
+ to: "gsuite.admin.email.log_search_filter.recipient.value",
+ },
+ {
+ from: "gsuite.admin.EMAIL_LOG_SEARCH_SENDER",
+ to: "gsuite.admin.email.log_search_filter.sender.value",
+ },
+ {
+ from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP",
+ to: "gsuite.admin.email.log_search_filter.recipient.ip",
+ type: "ip",
+ },
+ {
+ from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP",
+ to: "gsuite.admin.email.log_search_filter.sender.ip",
+ type: "ip",
+ },
+ {
+ from: "gsuite.admin.QUARANTINE_NAME",
+ to: "gsuite.admin.email.quarantine_name",
+ },
+ {
+ from: "gsuite.admin.CHROME_LICENSES_ENABLED",
+ to: "gsuite.admin.chrome_licenses.enabled",
+ },
+ {
+ from: "gsuite.admin.CHROME_LICENSES_ALLOWED",
+ to: "gsuite.admin.chrome_licenses.allowed",
+ },
+ {
+ from: "gsuite.admin.FULL_ORG_UNIT_PATH",
+ to: "gsuite.admin.org_unit.full",
+ },
+ {
+ from: "gsuite.admin.OAUTH2_SERVICE_NAME",
+ to: "gsuite.admin.oauth2.service.name",
+ },
+ {
+ from: "gsuite.admin.OAUTH2_APP_ID",
+ to: "gsuite.admin.oauth2.application.id",
+ },
+ {
+ from: "gsuite.admin.OAUTH2_APP_NAME",
+ to: "gsuite.admin.oauth2.application.name",
+ },
+ {
+ from: "gsuite.admin.OAUTH2_APP_TYPE",
+ to: "gsuite.admin.oauth2.application.type",
+ },
+ {
+ from: "gsuite.admin.ALLOWED_TWO_STEP_VERIFICATION_METHOD",
+ to: "gsuite.admin.verification_method",
+ },
+ {
+ from: "gsuite.admin.DOMAIN_VERIFICATION_METHOD",
+ to: "gsuite.admin.verification_method",
+ },
+ {
+ from: "gsuite.admin.CAA_ASSIGNMENTS_NEW",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.CAA_ASSIGNMENTS_OLD",
+ to: "gsuite.admin.old_value",
+ },
+ {
+ from: "gsuite.admin.REAUTH_SETTING_NEW",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.REAUTH_SETTING_OLD",
+ to: "gsuite.admin.old_value",
+ },
+ {
+ from: "gsuite.admin.ALERT_NAME",
+ to: "gsuite.admin.alert.name",
+ },
+ {
+ from: "gsuite.admin.API_CLIENT_NAME",
+ to: "gsuite.admin.api.client.name",
+ },
+ {
+ from: "gsuite.admin.API_SCOPES",
+ to: "gsuite.admin.api.scopes",
+ },
+ {
+ from: "gsuite.admin.PLAY_FOR_WORK_TOKEN_ID",
+ to: "gsuite.admin.mdm.token",
+ },
+ {
+ from: "gsuite.admin.PLAY_FOR_WORK_MDM_VENDOR_NAME",
+ to: "gsuite.admin.mdm.vendor",
+ },
+ {
+ from: "gsuite.admin.INFO_TYPE",
+ to: "gsuite.admin.info_type",
+ },
+ {
+ from: "gsuite.admin.RULE_NAME",
+ to: "gsuite.admin.rule.name",
+ },
+ {
+ from: "gsuite.admin.USER_CUSTOM_FIELD",
+ to: "gsuite.admin.setting.name",
+ },
+ {
+ from: "gsuite.admin.EMAIL_MONITOR_DEST_EMAIL",
+ to: "gsuite.admin.email_monitor.dest_email",
+ },
+ {
+ from: "gsuite.admin.EMAIL_MONITOR_LEVEL_CHAT",
+ to: "gsuite.admin.email_monitor.level.chat",
+ },
+ {
+ from: "gsuite.admin.EMAIL_MONITOR_LEVEL_DRAFT_EMAIL",
+ to: "gsuite.admin.email_monitor.level.draft",
+ },
+ {
+ from: "gsuite.admin.EMAIL_MONITOR_LEVEL_INCOMING_EMAIL",
+ to: "gsuite.admin.email_monitor.level.incoming",
+ },
+ {
+ from: "gsuite.admin.EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL",
+ to: "gsuite.admin.email_monitor.level.outgoing",
+ },
+ {
+ from: "gsuite.admin.EMAIL_EXPORT_INCLUDE_DELETED",
+ to: "gsuite.admin.email_dump.include_deleted",
+ },
+ {
+ from: "gsuite.admin.EMAIL_EXPORT_PACKAGE_CONTENT",
+ to: "gsuite.admin.email_dump.package_content",
+ },
+ {
+ from: "gsuite.admin.SEARCH_QUERY_FOR_DUMP",
+ to: "gsuite.admin.email_dump.query",
+ },
+ {
+ from: "gsuite.admin.DESTINATION_USER_EMAIL",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.REQUEST_ID",
+ to: "gsuite.admin.request.id",
+ },
+ {
+ from: "gsuite.admin.GMAIL_RESET_REASON",
+ to: "message",
+ },
+ {
+ from: "gsuite.admin.USER_NICKNAME",
+ to: "gsuite.admin.user.nickname",
+ },
+ {
+ from: "gsuite.admin.ACTION_ID",
+ to: "gsuite.admin.mobile.action.id",
+ },
+ {
+ from: "gsuite.admin.ACTION_TYPE",
+ to: "gsuite.admin.mobile.action.type",
+ },
+ {
+ from: "gsuite.admin.MOBILE_CERTIFICATE_COMMON_NAME",
+ to: "gsuite.admin.mobile.certificate.name",
+ },
+ {
+ from: "gsuite.admin.NUMBER_OF_COMPANY_OWNED_DEVICES",
+ to: "gsuite.admin.mobile.company_owned_devices",
+ type: "long",
+ },
+ {
+ from: "gsuite.admin.COMPANY_DEVICE_ID",
+ to: "gsuite.admin.device.id",
+ },
+ {
+ from: "gsuite.admin.DISTRIBUTION_ENTITY_NAME",
+ to: "gsuite.admin.distribution.entity.name",
+ },
+ {
+ from: "gsuite.admin.DISTRIBUTION_ENTITY_TYPE",
+ to: "gsuite.admin.distribution.entity.type",
+ },
+ {
+ from: "gsuite.admin.MOBILE_APP_PACKAGE_ID",
+ to: "gsuite.admin.application.package_id",
+ },
+ {
+ from: "gsuite.admin.NEW_PERMISSION_GRANT_STATE",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.OLD_PERMISSION_GRANT_STATE",
+ to: "gsuite.admin.old_value",
+ },
+ {
+ from: "gsuite.admin.PERMISSION_GROUP_NAME",
+ to: "gsuite.admin.setting.name",
+ },
+ {
+ from: "gsuite.admin.MOBILE_WIRELESS_NETWORK_NAME",
+ to: "network.name",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+ .Add(parseDate(
+ "gsuite.admin.EMAIL_LOG_SEARCH_END_DATE",
+ "gsuite.admin.email.log_search_filter.end_date"
+ ))
+ .Add(parseDate(
+ "gsuite.admin.EMAIL_LOG_SEARCH_START_DATE",
+ "gsuite.admin.email.log_search_filter.start_date"
+ ))
+ .Add(parseDate(
+ "gsuite.admin.BIRTHDATE",
+ "gsuite.admin.user.birthdate"
+ ))
+ .Add(parseDate(
+ "gsuite.admin.BEGIN_DATE_TIME",
+ "event.start"
+ ))
+ .Add(parseDate(
+ "gsuite.admin.START_DATE",
+ "event.start"
+ ))
+ .Add(parseDate(
+ "gsuite.admin.END_DATE",
+ "event.end"
+ ))
+ .Add(parseDate(
+ "gsuite.admin.END_DATE_TIME",
+ "event.end"
+ ))
+ .Add(setGroupInfo)
+ .Add(setRelatedUserInfo)
+ .Add(setEventDuration)
+ .Add(setEventOutcome)
+ .Add(setGroupAllowedlist)
+ .Build();
+
+ return {
+ process: pipeline.Run,
+ };
+}());
+
+function process(evt) {
+ return login.process(evt);
+}
diff --git a/x-pack/filebeat/module/gsuite/admin/manifest.yml b/x-pack/filebeat/module/gsuite/admin/manifest.yml
new file mode 100644
index 00000000000..c5992776ac0
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/manifest.yml
@@ -0,0 +1,25 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: httpjson
+ - name: jwt_file
+ - name: delegated_account
+ - name: initial_interval
+ default: 24h
+ - name: http_client_timeout
+ default: 60s
+ - name: user_key
+ default: all
+ - name: interval
+ default: 2h
+ - name: tags
+ default: [forwarded]
+ - name: proxy_url
+
+input: config/config.yml
+ingest_pipeline: ../ingest/common.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log
new file mode 100644
index 00000000000..2d2d36e96a3
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log
@@ -0,0 +1,9 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json
new file mode 100644
index 00000000000..ab7e42ab458
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json
@@ -0,0 +1,499 @@
+[
+ {
+ "event.action": "CHANGE_APPLICATION_SETTING",
+ "event.category": [
+ "configuration",
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.application.edition": "basic",
+ "gsuite.admin.application.name": "drive",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.admin.setting.name": "setting",
+ "gsuite.event.type": "APPLICATION_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 0,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo"
+ },
+ {
+ "event.action": "CREATE_APPLICATION_SETTING",
+ "event.category": [
+ "configuration",
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "creation"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.application.edition": "basic",
+ "gsuite.admin.application.name": "drive",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.admin.setting.name": "setting",
+ "gsuite.event.type": "APPLICATION_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 641,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo"
+ },
+ {
+ "event.action": "DELETE_APPLICATION_SETTING",
+ "event.category": [
+ "configuration",
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "deletion"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.application.edition": "basic",
+ "gsuite.admin.application.name": "drive",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.admin.setting.name": "setting",
+ "gsuite.event.type": "APPLICATION_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 1247,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo"
+ },
+ {
+ "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change",
+ "group"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.application.name": "drive",
+ "gsuite.admin.group.priorities": [
+ "a",
+ "b"
+ ],
+ "gsuite.admin.setting.name": "setting",
+ "gsuite.event.type": "APPLICATION_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 1853,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo"
+ },
+ {
+ "event.action": "GPLUS_PREMIUM_FEATURES",
+ "event.category": [
+ "configuration",
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.domain.name": "example.com",
+ "gsuite.admin.new_value": "new",
+ "gsuite.event.type": "APPLICATION_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 2346,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo"
+ },
+ {
+ "event.action": "CREATE_MANAGED_CONFIGURATION",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "creation"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.application.package_id": "1234",
+ "gsuite.admin.managed_configuration": "a",
+ "gsuite.event.type": "APPLICATION_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 2770,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo"
+ },
+ {
+ "event.action": "DELETE_MANAGED_CONFIGURATION",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "deletion"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER", + 
"gsuite.admin.application.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3218, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPDATE_MANAGED_CONFIGURATION", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "1234", 
+ "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.non_featured_services_selection": 
"FLASHLIGHT_EDU_SELECTION_MANUAL", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4114, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log new file mode 100644 index 00000000000..bcbed9ee886 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log 
@@ -0,0 +1,13 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
new file mode 100644
index 00000000000..3772a9892a4
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
@@ -0,0 +1,702 @@ +[ + { + "event.action": "CREATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "DELETE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", 
+ "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 414, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPDATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 828, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CREATE_CALENDAR_RESOURCE", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1361, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "DELETE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": 
"gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1784, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2207, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2638, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3069, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": 
"RENAME_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3619, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPDATE_CALENDAR_RESOURCE", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4077, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + 
"forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CALENDAR_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4619, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + 
"source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CANCEL_CALENDAR_EVENTS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5208, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": 
"98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "RELEASE_CALENDAR_RESOURCES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5598, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + 
"source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo",
+ "user.target.domain": "example.com",
+ "user.target.email": "user@example.com",
+ "user.target.name": "user"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log
new file mode 100644
index 00000000000..b078b332402
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log
@@ -0,0 +1,4 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json
new file mode 100644
index 00000000000..74ff813ecdd
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json
@@ -0,0 +1,215 @@ +[ + { + "event.action": "MEET_INTEROP_CREATE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "MEET_INTEROP_DELETE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 384, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "MEET_INTEROP_MODIFY_GATEWAY", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 768, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CHAT_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1152, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + 
"source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log
new file mode 100644
index 00000000000..9c3bd721f39
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log
@@ -0,0 +1,21 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json
new file mode 100644
index 00000000000..ed4950f5b6c
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json
@@ -0,0 +1,1132 @@ +[ + { + "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "2345", + "gsuite.admin.chrome_os.session_type": "type", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + 
"source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "prev", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 648, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": 
"State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "2345", + "gsuite.admin.chrome_os.session_type": "type", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + 
"gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1162, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "2345", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CHROME_OS_SETTINGS", + 
"gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1802, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "2345", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2233, + "organization.id": "1", + 
"related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": 
"elastic.com", + "input.type": "log", + "log.offset": 2634, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "CHROME_OS_SETTINGS", + 
"gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3136, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": 
"org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3641, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "INSERT_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": 
"elastic.com", + "input.type": "log", + "log.offset": 4151, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "DELETE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4546, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + 
"service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4941, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": 
"gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "INSERT_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5406, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North 
America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "DELETE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPDATE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6178, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", 
+ "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CHROME_OS_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6634, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + 
"source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CHROME_OS_USER_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7135, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ISSUE_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.command_details": [ + "-a", + "command" + ], + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7635, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + 
"source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "prev", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8124, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, 
LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "1234", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United 
States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPDATE_DEVICE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": 
"US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CONTACTS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9465, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": 
"US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log new file mode 100644 index 00000000000..5aececc68aa --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log @@ -0,0 +1 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json new file mode 100644 index 00000000000..00c54f3096f --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json 
@@ -0,0 +1,58 @@ +[ + { + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CONTACTS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + 
"source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log new file mode 100644 index 00000000000..da76df3f767 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log 
@@ -0,0 +1,8 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json
new file mode 100644
index 00000000000..01b558fdf49
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json
@@ -0,0 +1,430 @@ +[ + { + "event.action": "ASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", 
+ "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CREATE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 483, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + 
"user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "DELETE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 912, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": 
"ADD_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.privilege.name": "privilege", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + 
"event.action": "REMOVE_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.privilege.name": "privilege", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1818, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + 
}, + { + "event.action": "RENAME_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2298, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPDATE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2728, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UNASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3157, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log
new file mode 100644
index 00000000000..c3166fb87d2
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log
@@ -0,0 +1,3 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
new file mode 100644
index 00000000000..e22c5444b0f
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
@@ -0,0 +1,176 @@
+[
+ {
+ "event.action": "TRANSFER_DOCUMENT_OWNERSHIP",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.domain.name": "example.com",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.user.email": "user@example.com",
+ "gsuite.event.type": "DOCS_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 0,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo",
+ "user"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo",
+ "user.target.domain": "example.com",
+ "user.target.email": "user@example.com",
+ "user.target.name": "user"
+ },
+ {
+ "event.action": "DRIVE_DATA_RESTORE",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.duration": 10800000000000,
+ "event.end": "2002-10-02T15:00:00.000Z",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.provider": "admin",
+ "event.start": "2002-10-02T12:00:00.000Z",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.user.email": "user@example.com",
+ "gsuite.event.type": "DOCS_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 471,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo",
+ "user"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo",
+ "user.target.domain": "example.com",
+ "user.target.email": "user@example.com",
+ "user.target.name": "user"
+ },
+ {
+ "event.action": "CHANGE_DOCS_SETTING",
+ "event.category": [
+ "configuration",
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "group.domain": "example.com",
+ "group.name": "group",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.domain.name": "example.com",
+ "gsuite.admin.group.email": "group@example.com",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.admin.setting.name": "setting",
+ "gsuite.event.type": "DOCS_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 967,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "source.as.number": 7922,
+ "source.as.organization.name": "Comcast Cable Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log
new file mode 100644
index 00000000000..b452d9e8d94
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log
@@ -0,0 +1,85 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ACCOUNT_AUTO_RENEWAL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"NON_AUTO_RENEWAL"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_ENABLED","value":"app enabled"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_ALERT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_STATUS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"DOMAIN_VERIFICATION_METHOD","value":"ANALYTICS"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_API_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"true"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"},{"name":"API_SCOPES","multiValue":["a","b"]}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHROME_LICENSES_REDEEMED","parameters":[{"name":"APP_LICENSES_ORDER_NUMBER","value":"abcd123"},{"name":"APPLICATION_NAME","value":"app name"},{"name":"CHROME_NUM_LICENSES_PURCHASED","intValue":1}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_AUTO_ADD_NEW_SERVICE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PRIMARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_WHITELIST_SETTING","parameters":[{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"COMMUNICATION_PREFERENCES_SETTING_CHANGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CONFLICT_ACCOUNT_ACTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_FEEDBACK_SOLICITATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_CONTACT_SHARING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VIEW_DNS_LOGIN_DETAILS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_LOCALE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_TIMEZONE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_PRE_RELEASE_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_SUPPORT_MESSAGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EDU_TYPE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSO_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_TRANSFER_TOKEN"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BACKGROUND_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BORDER_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_ACTIVITY_TRACE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_ENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"},{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_UNENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"MX_RECORD_VERIFICATION_CLAIM","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_NEW_APP_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPLOAD_OAUTH_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REGENERATE_OAUTH_CONSUMER_SECRET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OPEN_ID_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ORGANIZATION_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OUTBOUND_RELAY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MAX_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MIN_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RENEW_DOMAIN_REGISTRATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RESELLER_ACCESS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_ACTIONS_CHANGED","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RULE_CRITERIA","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_RULE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_STATUS_CHANGED","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_SECONDARY_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_SSO_SETTINGS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_PIN"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json new file mode 100644 index 00000000000..404587a6647 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json 
@@ -0,0 +1,4459 @@ +[ + { + "event.action": "CHANGE_ACCOUNT_AUTO_RENEWAL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "NON_AUTO_RENEWAL", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ADD_APPLICATION", + "event.category": [ + 
"iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.enabled": "app enabled", + "gsuite.admin.application.id": "id", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 437, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ADD_APPLICATION_TO_WHITELIST", + "event.category": [ + 
"iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "id", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 900, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_ADVERTISEMENT_OPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1323, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CREATE_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1782, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_ALERT_CRITERIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2154, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "DELETE_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2535, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ALERT_RECEIVERS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2907, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "RENAME_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3360, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ALERT_STATUS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ADD_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4209, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4627, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "SKIP_DOMAIN_ALIAS_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5048, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "VERIFY_DOMAIN_ALIAS_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5470, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "VERIFY_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.verification_method": "ANALYTICS", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5894, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": 
"gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6373, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6803, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ENABLE_API_ACCESS", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "true", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7235, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "AUTHORIZE_API_CLIENT_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.api.client.name": "api client", + "gsuite.admin.api.scopes": [ + "a", + "b" + ], + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7687, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_API_CLIENT_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.api.client.name": "api client", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8169, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHROME_LICENSES_REDEEMED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.licences_order_number": "abcd123", + "gsuite.admin.application.licences_purchased": 1, + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8603, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": 
"1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9100, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_PRIMARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9526, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_WHITELIST_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9946, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10401, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", + "event.category": [ + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10917, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ENABLE_FEEDBACK_SOLICITATION", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11381, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_CONTACT_SHARING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11843, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12264, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_USE_CUSTOM_LOGO", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13078, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13458, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13919, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.info_type": "ADDRESS", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14377, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14846, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "VIEW_DNS_LOGIN_DETAILS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15239, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15623, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16083, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_DOMAIN_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16545, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17391, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ADD_TRUSTED_DOMAINS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17852, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_TRUSTED_DOMAINS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_EDU_TYPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18617, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19064, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_SSO_ENABLED", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19493, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_SSL", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19908, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.info_type": "ADDRESS", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20315, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "GENERATE_TRANSFER_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20778, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21103, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_LOGIN_BORDER_COLOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21564, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22021, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "PLAY_FOR_WORK_ENROLL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.admin.mdm.vendor": "vendor", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22480, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "PLAY_FOR_WORK_UNENROLL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.vendor": "vendor", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22925, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "MX_RECORD_VERIFICATION_CLAIM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23322, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "TOGGLE_NEW_APP_FEATURES", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23761, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24181, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPLOAD_OAUTH_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24611, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24997, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_OPEN_ID_ENABLED", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25391, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_ORGANIZATION_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25810, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_OUTBOUND_RELAY", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26266, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_PASSWORD_MAX_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", 
+ "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26758, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_PASSWORD_MIN_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27216, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27674, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28139, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_APPLICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "appid", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28610, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "appid", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29026, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_RESELLER_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29921, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "RULE_ACTIONS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30330, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CREATE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30703, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_RULE_CRITERIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31067, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "DELETE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31440, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "RENAME_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31804, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "RULE_STATUS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32202, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ADD_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32644, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33082, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "SKIP_SECONDARY_DOMAIN_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33523, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "VERIFY_SECONDARY_DOMAIN_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33965, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "VERIFY_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34409, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34850, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_SSO_SETTINGS", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35311, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "GENERATE_PIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35692, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPDATE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 36006, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log new file mode 100644 index 00000000000..dc0842dc0d4 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log 
@@ -0,0 +1,9 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2020/07/28 04:59:59 UTC"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json
new file mode 100644
index 00000000000..69ddb7692a2
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json
@@ -0,0 +1,497 @@ +[ + { + "event.action": "DROP_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "EMAIL_LOG_SEARCH", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2020/07/28 04:59:59 UTC\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.end_date": "2020-07-28T04:59:59.000Z", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.log_search_filter.recipient.ip": "1.1.1.1", + "gsuite.admin.email.log_search_filter.recipient.value": "recipient", + "gsuite.admin.email.log_search_filter.sender.ip": "1.1.1.1", + "gsuite.admin.email.log_search_filter.sender.value": "sender", + "gsuite.admin.email.log_search_filter.start_date": "2002-10-02T10:00:00.000Z", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 432, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, 
LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "EMAIL_UNDELETE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 7200000000000, + "event.end": "2002-10-02T12:00:00.000Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T10:00:00.000Z", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1188, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + 
"source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_EMAIL_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + 
"gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1671, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_GMAIL_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + 
"change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2254, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CREATE_GMAIL_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting 
description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "DELETE_GMAIL_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3330, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REJECT_FROM_QUARANTINE", 
+ "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3868, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "RELEASE_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4302, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log
new file mode 100644
index 00000000000..2c60ded89cc
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log
@@ -0,0 +1,14 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
new file mode 100644
index 00000000000..7cc876ea788
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
@@ -0,0 +1,798 @@ +[ + { + "event.action": "CREATE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation", + "group" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "DELETE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation", + "group" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 379, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_GROUP_DESCRIPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "group" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 758, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "GROUP_LIST_DOWNLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}", + "event.provider": "admin", + "event.type": [ + "group", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1149, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ADD_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "group" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1469, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" + }, 
+ { + "event.action": "REMOVE_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "group" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1901, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + 
"user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" + }, + { + "event.action": "UPDATE_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "group" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2336, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" + }, + { + "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "group" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2841, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + 
"service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" + }, + { + "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "group" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": 
"group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" + }, + { + "event.action": "GROUP_MEMBER_BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "group" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 0, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3906, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "GROUP_MEMBERS_DOWNLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", + "event.provider": "admin", + "event.type": [ + "group", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4370, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_GROUP_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "group" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4693, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_GROUP_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "group" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5112, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "WHITELISTED_GROUPS_UPDATED", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "group" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.group.allowed_list": [ + "a", + "b", + "c" + ], + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5611, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + } +] \ No newline at end of file 
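Review bot: The DELETE_GROUP event (second object in this file) is expected with `"event.type": ["creation", "group"]`, identical to the CREATE_GROUP entry just above it; ECS defines `deletion` for exactly this case, so a detection rule or saved search that watches group removals via `event.type: deletion` will silently miss them, while one keyed on `creation` will count deletions as creations. This golden file only records what the pipeline produced, so the fix belongs in the gsuite admin ingest pipeline's event.type mapping for DELETE_GROUP (not in this hunk; presumably the branch was copied from CREATE_GROUP), after which this entry should regenerate as `"event.type": ["deletion", "group"]`. The other mappings in the file (`change` for member and setting updates, `info` for the two `*_DOWNLOAD` actions) are consistent with each other.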
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log new file mode 100644 index 00000000000..c028ff6ba1c --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log 
@@ -0,0 +1,8 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
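Review bot: Every one of the eight fixture lines carries the same `"uniqueQualifier":1`, so each expected document ends up with `event.id: "1"` and the test cannot distinguish a pipeline that derives event.id from the qualifier from one that emits a constant. Varying the qualifier per line (`"uniqueQualifier":2`, `3`, …) would make that mapping observable and would also surface any downstream de-duplication keyed on event.id, which as written would collapse eight distinct license changes into one. The same fixed `"profileId":1` and `"customerId":"1"` have the same blind spot for `user.id` and `organization.id`; I would at least vary the qualifier.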
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json
new file mode 100644
index 00000000000..2f36dd24262
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json
@@ -0,0 +1,440 @@ +[ + { + "event.action": "ORG_USERS_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + 
"event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 463, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": 
"USER_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 930, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": 
"example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.product.name": "product", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1398, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + 
"user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "USER_LICENSE_REASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1854, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + 
"source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "ORG_LICENSE_REVOKE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2359, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + 
"source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "USER_LICENSE_REVOKE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2812, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + 
"source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "UPDATE_DYNAMIC_LICENSE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3276, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + 
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log
new file mode 100644
index 00000000000..69c376c4453
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log
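Review bot: The USER_LICENSE_ASSIGNMENT, USER_LICENSE_REASSIGNMENT and USER_LICENSE_REVOKE documents populate `user.target.*` and add the target to `related.user`, yet their `event.type` is only `["change"]`, while the mobile expected output in this same commit tags user-scoped actions with the ECS `"user"` type (`["info","user"]`). A detection rule filtering on `event.type: user` would therefore miss a license being granted to or pulled from an account, which is the kind of entitlement change such rules exist for. If the omission is deliberate it deserves a comment in the pipeline; otherwise the ingest pipeline (outside this hunk) should emit `"event.type": ["change", "user"]` for the three USER_LICENSE_* actions and these three expected documents should be updated to match.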
@@ -0,0 +1,31 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_CANCELLED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_REQUESTED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"name"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICES_BULK_CREATION","parameters":[{"name":"NUMBER_OF_COMPANY_OWNED_DEVICES","intValue":10}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_BLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICE_DELETION","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_UNBLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_WIPED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","parameters":[{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"GROUP"},{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"NEW_PERMISSION_GRANT_STATE","value":"GRANTED"},{"name":"OLD_PERMISSION_GRANT_STATE","value":"DENIED"},{"name":"PERMISSION_GROUP_NAME","value":"LOCATION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_SETTINGS","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_APPLICATION_TO_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_DELETE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_ADMIN_RESTRICTIONS_PIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"cert"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_ACCOUNT_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
new file mode 100644
index 00000000000..2dbefb68450
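Review bot: The actor address `98.235.162.24` in every fixture line is a real routable address (the expected output resolves it to a Comcast ASN and a Pennsylvania geolocation) and `bar.com` is a live registered domain, so the test data embeds third-party identifiers instead of the RFC 5737 / RFC 2606 reserved values. The GeoIP and ASN fields in the expected output suggest a public address is used on purpose to exercise the geoip enrichment; if so, that makes the expected documents silently dependent on whichever GeoIP database the test harness resolves against, and a one-line note in the module's test README saying so would save the next person a confusing diff when that data is refreshed. The actor domain, by contrast, carries no enrichment and can be changed to `foo@example.com` without losing coverage.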
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
@@ -0,0 +1,1688 @@ +[ + { + "event.action": "ACTION_CANCELLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.mobile.action.id": "id", + "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + 
"source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "ACTION_REQUESTED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.mobile.action.id": "id", + "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 534, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", 
+ "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "ADD_MOBILE_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.mobile.certificate.name": "name", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1068, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + 
"source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "COMPANY_DEVICES_BULK_CREATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mobile.company_owned_devices": 10, + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1548, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United 
States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "COMPANY_OWNED_DEVICE_BLOCKED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1951, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "COMPANY_DEVICE_DELETION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2376, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + 
"source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2796, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + 
"source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "COMPANY_OWNED_DEVICE_WIPED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3223, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": 
"foo" + }, + { + "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "GROUP", + "gsuite.admin.new_value": "GRANTED", + "gsuite.admin.old_value": "DENIED", + "gsuite.admin.setting.name": "LOCATION", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3646, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4354, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 
40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4795, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + 
"source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "MOBILE_SETTINGS", 
+ "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + 
"gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "MOBILE_DEVICE_APPROVE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + 
"gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6534, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "MOBILE_DEVICE_BLOCK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + 
], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "MOBILE_DEVICE_DELETE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7450, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "MOBILE_DEVICE_WIPE", + "event.category": [ + "iam" + ], + 
"event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7908, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": 
"user" + }, + { + "event.action": "CHANGE_MOBILE_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": 
"foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8898, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + 
], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9328, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + 
], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ADD_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9817, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + 
"user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10303, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + 
"user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10792, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + 
"forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_MOBILE_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.mobile.certificate.name": "cert", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11290, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + 
"tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11773, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12110, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12440, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12782, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "MOBILE_ACCOUNT_WIPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13120, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", + "event.category": [ 
+ "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13577, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": 
"user@example.com", + "user.target.name": "user" + }, + { + "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14053, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], 
+ "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log new file mode 100644 index 00000000000..3ad1efedd6a --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log 
@@ -0,0 +1,17 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json
new file mode 100644
index 00000000000..854d75f96fd
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json
@@ -0,0 +1,890 @@ +[ + { + "event.action": "CHROME_LICENSES_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.chrome_licenses.enabled": "DISABLED", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": 
"foo" + }, + { + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 472, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": 
[ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 982, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + 
"tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + 
"source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.full": "full/org/path", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2002, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + 
"forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ASSIGN_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2400, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UNASSIGN_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", 
+ "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2771, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CREATE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3144, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REVOKE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3520, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHROME_LICENSES_ALLOWED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.chrome_licenses.allowed": "EMPTY", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3896, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CREATE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4365, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4733, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "EDIT_ORG_UNIT_DESCRIPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5101, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "MOVE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5479, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "EDIT_ORG_UNIT_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5880, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.full": "full/org/path", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6286, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_SERVICE_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.service.name": "new", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6684, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", 
+ "user.name": "foo"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log
new file mode 100644
index 00000000000..1035f42a2fb
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log
@@ -0,0 +1,24 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ADD_TO_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"REMOVE_FROM_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"BLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_START_DATE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"ALLOWED_TWO_STEP_VERIFICATION_METHOD","value":"ONLY_SECURITY_KEY"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TOGGLE_CAA_ENABLEMENT","parameters":[{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_ERROR_MESSAGE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_APP_ASSIGNMENTS","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CAA_ASSIGNMENTS_NEW","value":"new"},{"name":"CAA_ASSIGNMENTS_OLD","value":"old"},{"name":"GROUP_NAME","value":"group"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENFORCE_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json
new file mode 100644
index 00000000000..b55578f2e10
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json
@@ -0,0 +1,1309 @@ +[ + { + "event.action": "ALLOW_STRONG_AUTHENTICATION", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": 
"foo" + }, + { + "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 461, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": 
"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 903, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", + 
"event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1348, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + 
"source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.application.id": "id", + "gsuite.admin.oauth2.application.name": "appname", + "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1903, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + 
"source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.application.id": "id", + "gsuite.admin.oauth2.application.name": "appname", + "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2424, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 
40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "BLOCK_ON_DEVICE_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2950, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + 
"source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3383, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + 
"source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3917, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 
7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + 
"input.type": "log", + "log.offset": 4434, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + 
"gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4963, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", 
+ "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.verification_method": "ONLY_SECURITY_KEY", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5481, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TOGGLE_CAA_ENABLEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + 
"gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6010, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CAA_ERROR_MESSAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": 
"elastic.com", + "input.type": "log", + "log.offset": 6385, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + 
"gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6802, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": 
"log", + "log.offset": 7356, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7746, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + 
"source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + 
"log.offset": 8134, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "ENFORCE_STRONG_AUTHENTICATION", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + 
"gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8652, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": 
"admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9718, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": 
"SESSION_CONTROL_SETTINGS_CHANGE", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "ADMIN_CONSOLE", + "gsuite.admin.new_value": "INHERIT", + "gsuite.admin.old_value": "NEVER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10237, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": 
"foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_SESSION_LENGTH", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10774, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + 
"event.action": "UNBLOCK_ON_DEVICE_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "CALENDAR", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log
new file mode 100644
index 00000000000..ff07d024c4c
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log
@@ -0,0 +1,5 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
new file mode 100644
index 00000000000..75de8c3c13c
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
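Review bot: Every record in this fixture shares the same `id.uniqueQualifier` (1) and `id.time`, so all five events collapse to the same `event.id` ("1") and timestamp in the expected output, and the test cannot catch a regression in how `event.id` or `@timestamp` is derived from `id`. Give each line a distinct `uniqueQualifier` (1 through 5) and preferably a distinct `time` so the identity-bearing fields are actually exercised. The real public `ipAddress` usefully drives geo/AS enrichment, but it also appears to make the expected file depend on the bundled GeoIP data — confirm the test harness pins that database so the fixture does not drift.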
@@ -0,0 +1,275 @@ +[ + { + "event.action": "ADD_WEB_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": 
"foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "DELETE_WEB_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 594, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + 
"source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_SITES_SETTING", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1191, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + 
"source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.service.name": "service", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1723, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + 
"source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "VIEW_SITE_DETAILS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.url.name": "site", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North 
America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log new file mode 100644 index 00000000000..bed874fc9a4 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log 
@@ -0,0 +1,74 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GENERATE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_DEVICE_TOKENS","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_TOKEN","parameters":[{"name":"APP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ASP","parameters":[{"name":"ASP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TOGGLE_AUTOMATIC_CONTACT_SHARING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"1"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CANCEL_USER_INVITE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_CUSTOM_FIELD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_CUSTOM_FIELD","value":"custom"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_EXTERNAL_ID","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_GENDER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_IM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ENABLE_USER_IP_WHITELIST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_KEYWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LANGUAGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LOCATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ORGANIZATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_PHONE_NUMBER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_RELATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ADDRESS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"},{"name":"EMAIL_MONITOR_LEVEL_CHAT","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL","value":"info"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_DATA_TRANSFER_REQUEST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DESTINATION_USER_EMAIL","value":"dest@example.com"},{"name":"APPLICATION_NAME","value":"a,b,c"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_ACCOUNT_INFO_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_FIRST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GMAIL_RESET_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"GMAIL_RESET_REASON","value":"reason"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_LAST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_ADDED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_REMOVED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD_ON_NEXT_LOGIN","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_PENDING_INVITES_LIST"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_ACCOUNT_INFO","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_EXPORT_INCLUDE_DELETED","value":"true"},{"name":"EMAIL_EXPORT_PACKAGE_CONTENT","value":"contents"},{"name":"SEARCH_QUERY_FOR_DUMP","value":"foo bar"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESEND_USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESET_SIGNIN_COOKIES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SECURITY_KEY_REGISTERED_FOR_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_SECURITY_KEY","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"VIEW_TEMP_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TURN_OFF_2_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNBLOCK_USER_SESSION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_TITANIUM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPDATE_BIRTHDATE","parameters":[{"name":"BIRTHDATE","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNGRADE_USER_FROM_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_ENROLLED_IN_TWO_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_USERLIST_CSV"}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MOVE_USER_TO_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RENAME_USER","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_STRONG_AUTH","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNDELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNSUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPGRADE_USER_TO_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"0"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json new file mode 100644 index 00000000000..dc713f9ae92 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json 
@@ -0,0 +1,4198 @@ +[ + { + "event.action": "DELETE_2SV_SCRATCH_CODES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": 
"GENERATE_2SV_SCRATCH_CODES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 388, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "REVOKE_3LO_DEVICE_TOKENS", + "event.category": [ + 
"iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 778, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + 
"user.target.name": "user" + }, + { + "event.action": "REVOKE_3LO_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1238, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": 
"user@example.com", + "user.target.name": "user" + }, + { + "event.action": "ADD_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1649, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + 
"event.action": "ADD_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2031, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "GRANT_ADMIN_PRIVILEGE", + "event.category": [ + "iam" 
+ ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2413, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "REVOKE_ADMIN_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + 
"event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2798, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "REVOKE_ASP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.asp_id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3589, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + 
"event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 1, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4020, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + 
"event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4499, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CANCEL_USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4937, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_USER_CUSTOM_FIELD", + "event.category": 
[ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "custom", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": 
"foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_USER_EXTERNAL_ID", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5868, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": 
"foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_USER_GENDER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6325, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", 
+ "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_USER_IM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6777, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": 
"Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "ENABLE_USER_IP_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7225, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + 
"source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_USER_KEYWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7683, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": 
"US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_USER_LANGUAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8136, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State 
College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_USER_LOCATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8590, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + 
"source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_USER_ORGANIZATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9044, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + 
"related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_USER_PHONE_NUMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": 
"log", + "log.offset": 9502, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9960, + "organization.id": "1", + 
"related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10345, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + 
"foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_USER_RELATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 
10730, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_USER_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": 
"admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CREATE_EMAIL_MONITOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 3600000000000, + "event.end": "2002-10-02T16:00:00.000Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T15:00:00.000Z", + "event.type": [ + "creation", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_monitor.dest_email": "dest@example.com", + "gsuite.admin.email_monitor.level.chat": "info", + "gsuite.admin.email_monitor.level.draft": "info", + "gsuite.admin.email_monitor.level.incoming": "info", + "gsuite.admin.email_monitor.level.outgoing": "info", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11637, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United 
States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CREATE_DATA_TRANSFER_REQUEST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "a,b,c", + "gsuite.admin.new_value": "dest@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12429, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + 
"source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12926, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": 
"Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "DELETE_ACCOUNT_INFO_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.request.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13357, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + 
"source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "DELETE_EMAIL_MONITOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_monitor.dest_email": "dest@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13780, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + 
"user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "DELETE_MAILBOX_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.request.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14227, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": 
[ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_FIRST_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14645, 
+ "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "GMAIL_RESET_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15096, + "message": 
"reason", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_LAST_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", 
+ "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15523, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "MAIL_ROUTING_DESTINATION_ADDED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + 
"gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15973, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + 
"gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16402, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "ADD_NICKNAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.admin.user.nickname": 
"nick", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16833, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "REMOVE_NICKNAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + 
"gsuite.admin.user.nickname": "nick", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17249, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": 
"USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17668, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": 
"new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "DOWNLOAD_PENDING_INVITES_LIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + 
"gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18510, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "REMOVE_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18839, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + 
"foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "REMOVE_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19224, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + 
"source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "REQUEST_ACCOUNT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19609, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast 
Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "REQUEST_MAILBOX_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 3600000000000, + "event.end": "2002-10-02T16:00:00.000Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T15:00:00.000Z", + "event.type": [ + "info", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_dump.include_deleted": "true", + 
"gsuite.admin.email_dump.package_content": "contents", + "gsuite.admin.email_dump.query": "foo bar", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "RESEND_USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ 
+ "info", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20656, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "RESET_SIGNIN_COOKIES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + 
], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21083, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + 
"gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21467, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "REVOKE_SECURITY_KEY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": 
"user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21863, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + 
"gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22246, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "VIEW_TEMP_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + 
"gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "TURN_OFF_2_STEP_VERIFICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + 
"gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23093, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "UNBLOCK_USER_SESSION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + 
"gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23485, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "UNENROLL_USER_FROM_TITANIUM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + 
"gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23869, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "ARCHIVE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": 
"elastic.com", + "input.type": "log", + "log.offset": 24260, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "UPDATE_BIRTHDATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.birthdate": "2002-10-02T15:00:00.000Z", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": 
"admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24636, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "CREATE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + 
"input.type": "log", + "log.offset": 25068, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "DELETE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25443, + "organization.id": "1", + 
"related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "DOWNGRADE_USER_FROM_GPLUS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25818, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + 
"related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26207, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + 
"user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "DOWNLOAD_USERLIST_CSV", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26609, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + 
"source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "MOVE_USER_TO_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26930, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + 
"source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27389, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable 
Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "RENAME_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27834, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable 
Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28244, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + 
"source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "SUSPEND_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28638, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North 
America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "UNARCHIVE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29014, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": 
"United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "UNDELETE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29392, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + 
"source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "UNSUSPEND_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29769, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", 
+ "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "UPGRADE_USER_TO_GPLUS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30147, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": 
"98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + }, + { + "event.action": "USERS_BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 0, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30532, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + 
"source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info", + "user" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30972, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": 
"foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/config/common.js b/x-pack/filebeat/module/gsuite/config/common.js new file mode 100644 index 00000000000..64ce7b0620f --- /dev/null +++ b/x-pack/filebeat/module/gsuite/config/common.js 
@@ -0,0 +1,86 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+var gsuite = (function () {
+ var processor = require("processor");
+
+ var decodeJson = new processor.DecodeJSONFields({
+ fields: ["message"],
+ target: "json",
+ });
+
+ var parseTimestamp = new processor.Timestamp({
+ field: "json.id.time",
+ timezone: "UTC",
+ layouts: ["2006-01-02T15:04:05.999Z"],
+ tests: ["2020-02-05T18:19:23.599Z"],
+ ignore_missing: true,
+ });
+
+ var convertFields = new processor.Convert({
+ fields: [
+ { from: "message", to: "event.original" },
+ { from: "json.events.name", to: "event.action" },
+ { from: "json.id.applicationName", to: "event.provider" },
+ { from: "json.id.uniqueQualifier", to: "event.id", type: "string" },
+ { from: "json.actor.email", to: "source.user.email" },
+ { from: "json.actor.profileId", to: "source.user.id", type: "string" },
+ { from: "json.ipAddress", to: "source.ip", type: "ip" },
+ { from: "json.kind", to: "gsuite.kind" },
+ { from: "json.id.customerId", to: "organization.id", type: "string" },
+ { from: "json.actor.callerType", to: "gsuite.actor.type" },
+ { from: "json.actor.key", to: "gsuite.actor.key" },
+ { from: "json.ownerDomain", to: "gsuite.organization.domain" },
+ { from: "json.events.type", to: "gsuite.event.type" },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ });
+
+ var completeUserData = function(evt) {
+ var email = evt.Get("source.user.email");
+ if (!email) {
+ return;
+ }
+
+ var data = email.split("@");
+ if (data.length !== 2) {
+ return;
+ }
+
+ evt.Put("user.id", evt.Get("source.user.id"));
+ evt.Put("user.name", data[0]);
+ evt.Put("source.user.name", data[0]);
+ evt.Put("user.domain", data[1]);
+ evt.Put("source.user.domain", data[1]);
+ };
+
+ var copyFields = function(evt) {
+ var ip = evt.Get("source.ip");
+ if (ip) {
+ evt.Put("related.ip", [ip]);
+ }
+ var userName = evt.Get("source.user.name");
+ if (userName) {
+ evt.Put("related.user", [userName]);
+ }
+ };
+
+ var pipeline = new processor.Chain()
+ .Add(decodeJson)
+ .Add(parseTimestamp)
+ .Add(convertFields)
+ .Add(completeUserData)
+ .Add(copyFields)
+ .Build();
+
+ return {
+ process: pipeline.Run,
+ };
+}());
+
+function process(evt) {
+ return gsuite.process(evt);
+}
diff --git a/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml b/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml
new file mode 100644
index 00000000000..9c031b89ce5
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml
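Review bot: The Convert processor in this hunk runs with `fail_on_error: false`, so an `ipAddress` value that does not parse as an IP (the `type: "ip"` entry) is skipped silently and the event is emitted with no `source.ip` and, via `copyFields`, no `related.ip`, with nothing on the event recording that the actor address was lost. For an audit source that is a detection gap worth making visible; if Convert leaves the source field in place on a failed conversion (I believe it does with `fail_on_error: false`, but confirm), a check after it can flag the case: `var rawIP = evt.Get("json.ipAddress");` / `if (rawIP && !evt.Get("source.ip")) { evt.Put("error.message", "ipAddress is not a valid IP: " + rawIP); }`. Separately, `completeUserData` copies `source.user.id` into `user.id` without checking it is present, so an actor record carrying an email but no `profileId` may write a null `user.id`; guard it as `var id = evt.Get("source.user.id"); if (id) { evt.Put("user.id", id); }`.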
@@ -0,0 +1,89 @@
+- name: drive
+ type: group
+ fields:
+ - name: billable
+ type: boolean
+ description: Whether this activity is billable.
+ - name: source_folder_id
+ type: keyword
+ - name: source_folder_title
+ type: keyword
+ - name: destination_folder_id
+ type: keyword
+ - name: destination_folder_title
+ type: keyword
+ - name: file.id
+ type: keyword
+ - name: file.type
+ type: keyword
+ description: >
+ Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+ - name: originating_app_id
+ type: keyword
+ description: >
+ The Google Cloud Project ID of the application that performed the action.
+ - name: file.owner.email
+ type: keyword
+ - name: file.owner.is_shared_drive
+ type: boolean
+ description: >
+ Boolean flag denoting whether owner is a shared drive.
+ - name: primary_event
+ type: boolean
+ description: >
+ Whether this is a primary event. A single user action in Drive may generate several events.
+ - name: shared_drive_id
+ type: keyword
+ description: >
+ The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive.
+ - name: visibility
+ type: keyword
+ description: >
+ Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+ - name: new_value
+ type: keyword
+ description: >
+ When a setting or property of the file changes, the new value for it will appear here.
+ - name: old_value
+ type: keyword
+ description: >
+ When a setting or property of the file changes, the old value for it will appear here.
+ - name: sheets_import_range_recipient_doc
+ type: keyword
+ description: Doc ID of the recipient of a sheets import range.
+ - name: old_visibility
+ type: keyword
+ description: >
+ When visibility changes, this holds the old value.
+ - name: visibility_change
+ type: keyword
+ description: >
+ When visibility changes, this holds the new overall visibility of the file.
+ - name: target_domain
+ type: keyword
+ description: >
+ The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.
+ - name: added_role
+ type: keyword
+ description: >
+ Added membership role of a user/group in a Team Drive.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+ - name: membership_change_type
+ type: keyword
+ description: >
+ Type of change in Team Drive membership of a user/group.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+ - name: shared_drive_settings_change_type
+ type: keyword
+ description: >
+ Type of change in Team Drive settings.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+ - name: removed_role
+ type: keyword
+ description: >
+ Removed membership role of a user/group in a Team Drive.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+ - name: target
+ type: keyword
+ description: Target user or group.
+
diff --git a/x-pack/filebeat/module/gsuite/drive/config/config.yml b/x-pack/filebeat/module/gsuite/drive/config/config.yml
new file mode 100644
index 00000000000..1fc56ba1ee5
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/drive/config/config.yml
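Review bot: Two typos in the field descriptions will be copied into the generated fields reference: the `target_domain` description reads "acccess scope" and the `shared_drive_id` description reads "Only populated for for events". The corrected lines are `The domain for which the access scope was changed.` and `Only populated for events relating to a Team Drive or item contained inside a Team Drive.`. Several fields in the group (`source_folder_id`, `source_folder_title`, `destination_folder_id`, `destination_folder_title`, `file.id`, `file.owner.email`) carry no description at all; a one-line description each would keep the mapping self-explanatory for analysts reading the index.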
@@ -0,0 +1,54 @@
+{{ if eq .input "httpjson" }}
+type: httpjson
+
+url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/drive
+json_objects_array: items
+split_events_by: events
+
+interval: {{ .interval }}
+
+{{ if .http_client_timeout }}
+http_client_timeout: {{ .http_client_timeout }}
+{{ end }}
+
+oauth2.provider: google
+oauth2.google.jwt_file: {{ .jwt_file }}
+oauth2.google.delegated_account: {{ .delegated_account }}
+oauth2.scopes:
+ - https://www.googleapis.com/auth/admin.reports.audit.readonly
+
+date_cursor.url_field: startTime
+date_cursor.initial_interval: {{ .initial_interval }}
+
+pagination.id_field: nextPageToken
+pagination.url_field: pageToken
+
+{{ if .proxy_url }}
+request.proxy_url: {{ .proxy_url }}
+{{ end }}
+
+{{ else if eq .input "file" }}
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.11.0
+ - script:
+ lang: javascript
+ id: gsuite-common
+ file: ${path.home}/module/gsuite/config/common.js
+ - script:
+ lang: javascript
+ id: gsuite-drive
+ file: ${path.home}/module/gsuite/drive/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/drive/config/pipeline.js b/x-pack/filebeat/module/gsuite/drive/config/pipeline.js
new file mode 100644
index 00000000000..31403a880ae
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/drive/config/pipeline.js
@@ -0,0 +1,191 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+var drive = (function () {
+ var path = require("path");
+ var processor = require("processor");
+
+ var categorizeEvent = function(evt) {
+ evt.Put("event.category", ["file"]);
+ switch (evt.Get("event.action")) {
+ case "add_to_folder":
+ case "edit":
+ case "add_lock":
+ case "move":
+ case "remove_from_folder":
+ case "rename":
+ case "remove_lock":
+ case "sheets_import_range":
+ evt.Put("event.type", ["change"]);
+ break;
+ case "approval_canceled":
+ case "approval_comment_added":
+ case "approval_requested":
+ case "approval_reviewer_responded":
+ case "change_acl_editors":
+ case "change_document_access_scope":
+ case "change_document_visibility":
+ case "shared_drive_membership_change":
+ case "shared_drive_settings_change":
+ case "sheets_import_range_access_change":
+ case "change_user_access":
+ evt.AppendTo("event.category", "iam");
+ evt.AppendTo("event.category", "configuration");
+ evt.Put("event.type", ["change"]);
+ break;
+ case "create":
+ case "untrash":
+ case "upload":
+ evt.Put("event.type", ["creation"]);
+ break;
+ case "delete":
+ case "trash":
+ evt.Put("event.type", ["deletion"]);
+ break;
+ case "download":
+ case "preview":
+ case "print":
+ case "view":
+ evt.Put("event.type", ["info"]);
+ break;
+ }
+ };
+
+ var getParamValue = function(param) {
+ if (param.value) {
+ return param.value;
+ }
+ if (param.multiValue) {
+ return param.multiValue;
+ }
+ if (param.boolValue !== null) {
+ return param.boolValue;
+ }
+ };
+
+ var flattenParams = function(evt) {
+ var params = evt.Get("json.events.parameters");
+ if (!params || !Array.isArray(params)) {
+ return;
+ }
+
+ params.forEach(function(p){
+ evt.Put("gsuite.drive."+p.name, getParamValue(p));
+ });
+
+ evt.Delete("json.events.parameters");
+ };
+
+ var setFileInfo = function(evt) {
+ var type = evt.Get("gsuite.drive.file.type");
+ if (!type) {
+ return;
+ }
+
+ switch (type) {
+ case "folder":
+ case "shared_drive":
+ evt.Put("file.type", "dir");
+ break;
+ default:
+ evt.Put("file.type", "file");
+ }
+
+ // path returns extensions with a preceding ., e.g.: .tmp, .png
+ // according to ecs the expected format is without it, so we need to remove it.
+ var ext = path.extname(evt.Get("file.name"));
+ if (!ext) {
+ return;
+ }
+
+ if (ext.charAt(0) === ".") {
+ ext = ext.substr(1);
+ }
+ evt.Put("file.extension", ext);
+ };
+
+ var setOwnerInfo = function(evt) {
+ var email = evt.Get("gsuite.drive.file.owner.email");
+ if (!email) {
+ return;
+ }
+
+ var data = email.split("@");
+ if (data.length !== 2) {
+ return;
+ }
+
+ evt.Put("file.owner", data[0]);
+ evt.AppendTo("related.user", data[0]);
+ };
+
+ var setTargetRelatedUser = function(evt) {
+ var email = evt.Get("gsuite.drive.target");
+ if (!email) {
+ return;
+ }
+
+ var data = email.split("@");
+ if (data.length !== 2) {
+ return;
+ }
+
+ evt.AppendTo("related.user", data[0]);
+ };
+
+ var pipeline = new processor.Chain()
+ .Add(categorizeEvent)
+ .Add(flattenParams)
+ .Convert({
+ fields: [
+ {
+ from: "gsuite.drive.doc_id",
+ to: "gsuite.drive.file.id",
+ },
+ {
+ from: "gsuite.drive.doc_title",
+ to: "file.name",
+ },
+ {
+ from: "gsuite.drive.doc_type",
+ to: "gsuite.drive.file.type",
+ },
+ {
+ from: "gsuite.drive.owner",
+ to: "gsuite.drive.file.owner.email",
+ },
+ {
+ from: "gsuite.drive.owner_is_shared_drive",
+ to: "gsuite.drive.file.owner.is_shared_drive",
+ },
+ {
+ from: "gsuite.drive.new_settings_state",
+ to: "gsuite.drive.new_value",
+ },
+ {
+ from: "gsuite.drive.old_settings_state",
+ to: "gsuite.drive.old_value",
+ },
+ {
+ from: "gsuite.drive.target_user",
+ to: "gsuite.drive.target",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+ .Add(setFileInfo)
+ .Add(setOwnerInfo)
+ .Add(setTargetRelatedUser)
+ .Build();
+
+ return {
+ process: pipeline.Run,
+ };
+}());
+
+function process(evt) {
+ return drive.process(evt);
+}
diff --git a/x-pack/filebeat/module/gsuite/drive/manifest.yml b/x-pack/filebeat/module/gsuite/drive/manifest.yml
new file mode 100644
index 00000000000..c5992776ac0
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/drive/manifest.yml
@@ -0,0 +1,25 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: httpjson
+ - name: jwt_file
+ - name: delegated_account
+ - name: initial_interval
+ default: 24h
+ - name: http_client_timeout
+ default: 60s
+ - name: user_key
+ default: all
+ - name: interval
+ default: 2h
+ - name: tags
+ default: [forwarded]
+ - name: proxy_url
+
+input: config/config.yml
+ingest_pipeline: ../ingest/common.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log
new file mode 100644
index 00000000000..3cd073a7379
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log
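Review bot: getParamValue's final branch tests `param.boolValue !== null`, but a parameter carrying none of value, multiValue or boolValue has boolValue undefined, which passes that test, so the helper returns undefined and flattenParams then calls `evt.Put("gsuite.drive."+p.name, undefined)` for it; `if (typeof param.boolValue === "boolean") { return param.boolValue; }` keeps absent values out of the event. In setFileInfo, `path.extname(evt.Get("file.name"))` runs after checking only the type, yet file.name comes from the `doc_title` rename done with `ignore_missing: true` and can be absent, and the hunk does not establish what extname does with undefined — a `var name = evt.Get("file.name"); if (!name) { return; }` before the call closes that gap. Since file.name holds a Drive document title rather than a filesystem name, a title such as "Report v1.2" would yield `file.extension` of `2`; a comment stating that the extension is best-effort for Drive items would help anyone building detections on that field. flattenParams also derives the field key from `p.name` without checking it is present, so a parameter object lacking a name produces a `gsuite.drive.undefined` field.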
@@ -0,0 +1,28 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_to_folder","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_canceled","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_comment_added","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_requested","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_reviewer_responded","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"create","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"download","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"edit","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"move","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"preview","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"print","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_from_folder","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"rename","parameters":[{"name":"billable","boolValue":true},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"bar.gif"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_value","value":"foo.gif","new_value":"bar.gif"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"untrash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"sheets_import_range","parameters":[{"name":"sheets_import_range_recipient_doc","value":"1234"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"trash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"view","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"shared_drive_id","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_editors","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_access_scope","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_visibility","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_membership_change","parameters":[{"name":"added_role","value":"editor"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"removed_role","value":"content_manager"},{"name":"membership_change_type","value":"add_to_shared_drive"},{"name":"target","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_settings_change","parameters":[{"name":"new_settings_state","value":"restricted"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_settings_state","value":"unrestricted"},{"name":"shared_drive_settings_change_type","value":"direct_acl"},{"name":"target","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"sheets_import_range_access_change","parameters":[{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"sheets_import_range_recipient_doc","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_user_access","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"old_visibility","value":"people_with_link"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"target_user","value":"user@example.com"},{"name":"visibility","value":"private"},{"name":"visibility_change","value":"external"}]}} diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json new file mode 100644 index 00000000000..4068a18c494 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json 
@@ -0,0 +1,1801 @@ +[ + { + "event.action": "add_to_folder", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_to_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.destination_folder_id": "1234", + "gsuite.drive.destination_folder_title": "folder title", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", 
+ "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "approval_canceled", + "event.category": [ + "configuration", + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_canceled\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + 
"fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 816, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "approval_comment_added", + "event.category": [ + "configuration", + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_comment_added\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1529, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 
40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "approval_requested", + "event.category": [ + "configuration", + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_requested\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + 
"gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "approval_reviewer_responded", + "event.category": [ + "configuration", + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_reviewer_responded\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2961, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "create", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"create\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3684, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "delete", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "deletion" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": 
"people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4386, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "download", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"download\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5088, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "edit", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": 
"1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United 
States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "add_lock", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + 
"gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6492, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "move", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"move\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.destination_folder_id": "1234", + "gsuite.drive.destination_folder_title": "folder title", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.source_folder_id": "1234", + "gsuite.drive.source_folder_title": "a folder title", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7196, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": 
"bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "preview", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"preview\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8102, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + 
"related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "print", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"print\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + 
"gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8805, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "remove_from_folder", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_from_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.source_folder_id": "1234", + "gsuite.drive.source_folder_title": "a folder title", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9506, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, 
LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "rename", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"rename\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"bar.gif\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_value\",\"value\":\"foo.gif\",\"new_value\":\"bar.gif\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.extension": "gif", + "file.name": "bar.gif", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": true, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": 
"owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.old_value": "foo.gif", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10319, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "untrash", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"untrash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11074, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "sheets_import_range", + "event.category": [ + "file" + ], + "event.dataset": 
"gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.sheets_import_range_recipient_doc": "1234", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11777, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": 
"North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "trash", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"trash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "deletion" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + 
"gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12514, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "remove_lock", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13215, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "upload", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13922, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "view", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"view\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"1234\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": 
true, + "gsuite.drive.shared_drive_id": "1234", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14624, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "change_acl_editors", + "event.category": [ + "configuration", + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_editors\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "owner", + "gsuite.drive.old_value": "writers", + "gsuite.drive.old_visibility": "people_within_domain_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15366, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + 
"source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "change_document_access_scope", + "event.category": [ + "configuration", + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_access_scope\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + 
"gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "owner", + "gsuite.drive.old_value": "writers", + "gsuite.drive.old_visibility": "people_within_domain_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.target_domain": "all", + "gsuite.drive.visibility": "people_with_link", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16275, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "change_document_visibility", + "event.category": [ + "configuration", + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_visibility\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "owner", + "gsuite.drive.old_value": "writers", + "gsuite.drive.old_visibility": "people_within_domain_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.target_domain": "all", + "gsuite.drive.visibility": "people_with_link", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + 
"gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "shared_drive_membership_change", + "event.category": [ + "configuration", + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_membership_change\",\"parameters\":[{\"name\":\"added_role\",\"value\":\"editor\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"removed_role\",\"value\":\"content_manager\"},{\"name\":\"membership_change_type\",\"value\":\"add_to_shared_drive\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.added_role": "editor", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.membership_change_type": "add_to_shared_drive", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.removed_role": "content_manager", + "gsuite.drive.target": "user@example.com", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18189, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + 
"source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "shared_drive_settings_change", + "event.category": [ + "configuration", + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_settings_change\",\"parameters\":[{\"name\":\"new_settings_state\",\"value\":\"restricted\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_settings_state\",\"value\":\"unrestricted\"},{\"name\":\"shared_drive_settings_change_type\",\"value\":\"direct_acl\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + 
"gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "restricted", + "gsuite.drive.old_value": "unrestricted", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.shared_drive_settings_change_type": "direct_acl", + "gsuite.drive.target": "user@example.com", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19117, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "sheets_import_range_access_change", + "event.category": [ + "configuration", + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"sheets_import_range_access_change\",\"parameters\":[{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.sheets_import_range_recipient_doc": "1234", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20060, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "change_user_access", + "event.category": [ + "configuration", + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"old_visibility\",\"value\":\"people_with_link\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"target_user\",\"value\":\"user@example.com\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + 
"gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "can_comment", + "gsuite.drive.old_value": "can_view", + "gsuite.drive.old_visibility": "people_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.target": "user@example.com", + "gsuite.drive.visibility": "private", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20815, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go new file mode 100644 index 00000000000..8ade2ec3e32 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/fields.go 
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package gsuite + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "gsuite", asset.ModuleFieldsPri, AssetGsuite); err != nil { + panic(err) + } +} + +// AssetGsuite returns asset data. +// This is the base64 encoded zlib format compressed contents of module/gsuite. +func AssetGsuite() string { + return "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" +} diff --git a/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml b/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml new file mode 100644 index 00000000000..05cd6b68590 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml 
@@ -0,0 +1,57 @@
+- name: groups
+ type: group
+ fields:
+ - name: acl_permission
+ type: keyword
+ description: >
+ Group permission setting updated.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+ - name: email
+ type: keyword
+ description: >
+ Group email.
+ - name: member.email
+ type: keyword
+ description: >
+ Member email.
+ - name: member.role
+ type: keyword
+ description: >
+ Member role.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+ - name: setting
+ type: keyword
+ description: >
+ Group setting updated.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+ - name: new_value
+ type: keyword
+ description: >
+ New value(s) of the group setting.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+ - name: old_value
+ type: keyword
+ description:
+ Old value(s) of the group setting.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+ - name: value
+ type: keyword
+ description: >
+ Value of the group setting.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+ - name: message.id
+ type: keyword
+ description: >
+ SMTP message Id of an email message.
+ Present for moderation events.
+ - name: message.moderation_action
+ type: keyword
+ description: >
+ Message moderation action.
+ Possible values are `approved` and `rejected`.
+ - name: status
+ type: keyword
+ description: >
+ A status describing the output of an operation.
+ Possible values are `failed` and `succeeded`.
+
diff --git a/x-pack/filebeat/module/gsuite/groups/config/config.yml b/x-pack/filebeat/module/gsuite/groups/config/config.yml
new file mode 100644
index 00000000000..75b9d16063b
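Review bot: The `old_value` entry is the only field in this file whose `description:` lacks the `>` folded-scalar indicator; every sibling, including `new_value` immediately above it, is written `description: >`. YAML still accepts the bare indented continuation as a multi-line plain scalar, so nothing breaks, but the two forms are not identical (trailing-newline handling differs) and the generated field docs should come from one consistent form. Change that line to `description: >`.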
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/groups/config/config.yml
@@ -0,0 +1,54 @@
+{{ if eq .input "httpjson" }}
+type: httpjson
+
+url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/groups
+json_objects_array: items
+split_events_by: events
+
+interval: {{ .interval }}
+
+{{ if .http_client_timeout }}
+http_client_timeout: {{ .http_client_timeout }}
+{{ end }}
+
+oauth2.provider: google
+oauth2.google.jwt_file: {{ .jwt_file }}
+oauth2.google.delegated_account: {{ .delegated_account }}
+oauth2.scopes:
+ - https://www.googleapis.com/auth/admin.reports.audit.readonly
+
+date_cursor.url_field: startTime
+date_cursor.initial_interval: {{ .initial_interval }}
+
+pagination.id_field: nextPageToken
+pagination.url_field: pageToken
+
+{{ if .proxy_url }}
+request.proxy_url: {{ .proxy_url }}
+{{ end }}
+
+{{ else if eq .input "file" }}
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.11.0
+ - script:
+ lang: javascript
+ id: gsuite-common
+ file: ${path.home}/module/gsuite/config/common.js
+ - script:
+ lang: javascript
+ id: gsuite-groups
+ file: ${path.home}/module/gsuite/groups/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js
new file mode 100644
index 00000000000..a0144435049
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js
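Review bot: `{{ .user_key }}` is substituted into the request URL path with no escaping, so a configured value containing `/`, `?` or `#` silently changes which endpoint is queried instead of failing. The value is operator-supplied module config (the manifest in this patch defaults it to `all`), so this is a robustness gap rather than an injection from the log source, but a mistyped email with a stray `?` would go unnoticed. If the module template engine exposes Go's text/template `urlquery` function, `url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key | urlquery }}/applications/groups` would pin the value to a single path segment; otherwise a comment above `url:` stating that `user_key` must be `all`, a primary email address or a profile ID would at least document the contract. The read-only audit scope and the presence-gated proxy and timeout settings look right.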
@@ -0,0 +1,223 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var groups = (function () { + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.category", ["iam"]); + evt.Put("event.type", ["group"]); + switch (evt.Get("event.action")) { + case "change_basic_setting": + case "change_identity_setting": + case "change_info_setting": + case "change_new_members_restrictions_setting": + case "change_post_replies_setting": + case "change_spam_moderation_setting": + case "change_topic_setting": + evt.AppendTo("event.category", "configuration"); + evt.AppendTo("event.type", "change"); + break; + case "change_acl_permission": + evt.AppendTo("event.type", "change"); + break; + case "accept_invitation": + evt.AppendTo("event.type", "info"); + evt.AppendTo("event.type", "user"); + break; + case "approve_join_request": + case "join": + evt.AppendTo("event.type", "user"); + evt.AppendTo("event.type", "change"); + break; + case "request_to_join": + case "ban_user_with_moderation": + case "revoke_invitation": + case "invite_user": + case "reject_join_request": + case "reinvite_user": + evt.AppendTo("event.type", "info"); + evt.AppendTo("event.type", "user"); + break; + case "create_group": + evt.AppendTo("event.type", "creation"); + break; + case "add_info_setting": + evt.AppendTo("event.category", "configuration"); + evt.AppendTo("event.type", "creation"); + break; + case "delete_group": + evt.AppendTo("event.type", "deletion"); + break; + case "remove_info_setting": + evt.AppendTo("event.category", "configuration"); + evt.AppendTo("event.type", "deletion"); + break; + case "moderate_message": + case "always_post_from_user": + evt.AppendTo("event.type", "info"); + break; + case "add_user": + evt.AppendTo("event.type", "creation"); + 
evt.AppendTo("event.type", "user"); + break; + case "remove_user": + evt.AppendTo("event.type", "deletion"); + evt.AppendTo("event.type", "user"); + break; + } + }; + + var getParamValue = function(param) { + if (param.value) { + return param.value; + } + if (param.multiValue) { + return param.multiValue; + } + }; + + var flattenParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + params.forEach(function(p){ + evt.Put("gsuite.groups."+p.name, getParamValue(p)); + }); + + evt.Delete("json.events.parameters"); + }; + + var setOutcome = function(evt) { + switch (evt.Get("gsuite.groups.status")) { + case "failed": + evt.Put("event.outcome", "failure"); + break; + case "succeeded": + evt.Put("event.outcome", "success"); + break; + } + }; + + var setGroupInfo = function(evt) { + var email = evt.Get("gsuite.groups.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("group.name", data[0]); + evt.Put("group.domain", data[1]); + }; + + var setRelatedMemberInfo = function(evt) { + var email = evt.Get("gsuite.groups.member.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.AppendTo("related.user", data[0]); + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.Put("user.target.email", email); + var groupName = evt.Get("group.name"); + if (groupName) { + evt.Put("user.target.group.name", groupName); + } + var groupDomain = evt.Get("group.domain"); + if (groupDomain) { + evt.Put("user.target.group.domain", groupDomain); + } + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(flattenParams) + .Convert({ + fields: [ + { + from: "gsuite.groups.group_email", + to: "gsuite.groups.email", + }, + { + from: "gsuite.groups.new_value_repeated", + to: "gsuite.groups.new_value", + }, + { + from: 
"gsuite.groups.old_value_repeated", + to: "gsuite.groups.old_value", + }, + { + from: "gsuite.groups.user_email", + to: "gsuite.groups.member.email", + }, + { + from: "gsuite.groups.basic_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.identity_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.info_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.new_members_restrictions_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.post_replies_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.spam_moderation_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.topic_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.message_id", + to: "gsuite.groups.message.id", + }, + { + from: "gsuite.groups.message_moderation_action", + to: "gsuite.groups.message.moderation_action", + }, + { + from: "gsuite.groups.member_role", + to: "gsuite.groups.member.role", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setOutcome) + .Add(setGroupInfo) + .Add(setRelatedMemberInfo) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return groups.process(evt); +} diff --git a/x-pack/filebeat/module/gsuite/groups/manifest.yml b/x-pack/filebeat/module/gsuite/groups/manifest.yml new file mode 100644 index 00000000000..c5992776ac0 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/groups/manifest.yml @@ -0,0 +1,25 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + - name: proxy_url + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip 
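Review bot: `getParamValue` only returns `param.value` or `param.multiValue`, so a Reports API parameter delivered as `boolValue` or `intValue` yields `undefined`, and because `flattenParams` deletes `json.events.parameters` immediately afterwards the original is lost too. The drive expected output earlier in this patch shows the API does use `boolValue` (`billable`, `primary_event`), so a groups parameter in that shape would be dropped silently; I can't confirm from here whether the groups application emits one today, but handling the documented shapes costs nothing. The truthiness test `if (param.value)` also discards an empty-string value. Checking each key against `undefined`, as below, covers all four shapes; the rest of the pipeline is unchanged.
```javascript
    var getParamValue = function(param) {
        if (param.value !== undefined) {
            return param.value;
        }
        if (param.multiValue) {
            return param.multiValue;
        }
        if (param.boolValue !== undefined) {
            return param.boolValue;
        }
        if (param.intValue !== undefined) {
            return param.intValue;
        }
    };
    // … unchanged: flattenParams, setOutcome, setGroupInfo, setRelatedMemberInfo, pipeline chain …
```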
diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log new file mode 100644 index 00000000000..e67fe7571a3 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log 
@@ -0,0 +1,25 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_permission","parameters":[{"name":"acl_permission","value":"can_add_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value_repeated","multiValue":["managers","members"]},{"name":"old_value_repeated","multiValue":["managers"]}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"accept_invitation","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"approve_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"join","parameters":[{"name":"group_email","value":"group@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"request_to_join","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_basic_setting","parameters":[{"name":"basic_setting","value":"allow_external_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value","value":"true"},{"name":"old_value","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"create_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"delete_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_identity_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"identity_setting","value":"required_forms_of_identity"},{"name":"new_value","value":"display_name_only"},{"name":"old_value","value":"display_name_or_google_profile"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"new_value","value":"footer"},{"name":"old_value","value":"old footer"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_new_members_restrictions_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"new_members_restrictions_setting","value":"new_members_can_post"},{"name":"new_value","value":"inherit"},{"name":"old_value","value":"overriden_to_false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_post_replies_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"post_replies_setting","value":"where_should_replies_be_sent"},{"name":"new_value","value":"reply_to_custom_address"},{"name":"old_value","value":"reply_to_author_only"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_spam_moderation_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"spam_moderation_setting","value":"how_to_handle_suspected_spam_messages"},{"name":"new_value","value":"moderate_and_do_not_send_notifications"},{"name":"old_value","value":"moderate_and_send_notifications"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_topic_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"topic_setting","value":"allowed_topic_types"},{"name":"new_value","value":"discussions_questions"},{"name":"old_value","value":"discussions"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"moderate_message","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"message_moderation_action","value":"approved"},{"name":"status","value":"succeeded"},{"name":"message_id","value":"message id"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"always_post_from_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"status","value":"succeeded"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"ban_user_with_moderation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"revoke_invitation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"invite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reject_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reinvite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json new file mode 100644 index 00000000000..758ba9ba2b1 --- /dev/null 
+++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json 
@@ -0,0 +1,1476 @@ +[ + { + "event.action": "change_acl_permission", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}", + "event.provider": "groups", + "event.type": [ + "change", + "group" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "acl_change", + "gsuite.groups.acl_permission": "can_add_members", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": [ + "managers", + "members" + ], + "gsuite.groups.old_value": [ + "managers" + ], + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + 
"source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "accept_invitation", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"accept_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 559, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + 
"source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "approve_join_request", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "change", + "group", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 946, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": 
"foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" + }, + { + "event.action": "join", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "change", + "group", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1385, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + 
"source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "request_to_join", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"request_to_join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": 
"foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "change_basic_setting", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}", + "event.provider": "groups", + "event.type": [ + "change", + "group" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "true", + "gsuite.groups.old_value": "false", + "gsuite.groups.setting": "allow_external_members", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2144, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + 
"source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "create_group", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "creation", + "group" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2665, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": 
"foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "delete_group", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "deletion", + "group" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + 
"user.id": "1", + "user.name": "foo" + }, + { + "event.action": "change_identity_setting", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}", + "event.provider": "groups", + "event.type": [ + "change", + "group" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "display_name_only", + "gsuite.groups.old_value": "display_name_or_google_profile", + "gsuite.groups.setting": "required_forms_of_identity", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3429, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "add_info_setting", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", + "event.provider": "groups", + "event.type": [ + "creation", + "group" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.setting": "custom_footer", + "gsuite.groups.value": "footer", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3998, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + 
"source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "change_info_setting", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}", + "event.provider": "groups", + "event.type": [ + "change", + "group" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "footer", + "gsuite.groups.old_value": "old footer", + "gsuite.groups.setting": "custom_footer", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4466, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + 
"source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "remove_info_setting", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", + "event.provider": "groups", + "event.type": [ + "deletion", + "group" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.setting": "custom_footer", + "gsuite.groups.value": "footer", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4983, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 
7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "change_new_members_restrictions_setting", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}", + "event.provider": "groups", + "event.type": [ + "change", + "group" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "inherit", + "gsuite.groups.old_value": "overriden_to_false", + "gsuite.groups.setting": "new_members_can_post", + "gsuite.kind": 
"admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5454, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "change_post_replies_setting", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}", + "event.provider": "groups", + "event.type": [ + "change", + "group" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": 
"USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "reply_to_custom_address", + "gsuite.groups.old_value": "reply_to_author_only", + "gsuite.groups.setting": "where_should_replies_be_sent", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6027, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "change_spam_moderation_setting", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}", + "event.provider": "groups", + "event.type": [ + "change", + "group" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "moderate_and_do_not_send_notifications", + "gsuite.groups.old_value": "moderate_and_send_notifications", + "gsuite.groups.setting": "how_to_handle_suspected_spam_messages", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6602, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + 
"source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "change_topic_setting", + "event.category": [ + "configuration", + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}", + "event.provider": "groups", + "event.type": [ + "change", + "group" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "discussions_questions", + "gsuite.groups.old_value": "discussions", + "gsuite.groups.setting": "allowed_topic_types", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7218, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + 
"source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "moderate_message", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"moderate_message\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"message_moderation_action\",\"value\":\"approved\"},{\"name\":\"status\",\"value\":\"succeeded\"},{\"name\":\"message_id\",\"value\":\"message id\"}]}}", + "event.outcome": "success", + "event.provider": "groups", + "event.type": [ + "group", + "info" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.message.id": "message id", + "gsuite.groups.message.moderation_action": "approved", + "gsuite.groups.status": "succeeded", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + 
"source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "always_post_from_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"always_post_from_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"status\",\"value\":\"succeeded\"}]}}", + "event.outcome": "success", + "event.provider": "groups", + "event.type": [ + "group", + "info" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.groups.status": "succeeded", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8282, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + 
"service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" + }, + { + "event.action": "add_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", + "event.provider": "groups", + "event.type": [ + "creation", + "group", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + 
"gsuite.groups.member.role": "manager", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8760, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" + }, + { + "event.action": "ban_user_with_moderation", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"ban_user_with_moderation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", + "event.provider": "groups", + 
"event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.groups.member.role": "manager", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9228, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" + }, + { + "event.action": "revoke_invitation", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"revoke_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9712, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + 
"user.target.name": "user" + }, + { + "event.action": "invite_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"invite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10148, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + 
"user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" + }, + { + "event.action": "reject_join_request", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reject_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10578, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + 
"source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" + }, + { + "event.action": "reinvite_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reinvite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11016, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + 
"source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" + }, + { + "event.action": "remove_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "deletion", + "group", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11448, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable 
Communications, LLC",
+ "source.geo.city_name": "State College",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 40.7957,
+ "source.geo.location.lon": -77.8618,
+ "source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ],
+ "user.domain": "bar.com",
+ "user.id": "1",
+ "user.name": "foo",
+ "user.target.domain": "example.com",
+ "user.target.email": "user@example.com",
+ "user.target.group.domain": "example.com",
+ "user.target.group.name": "group",
+ "user.target.name": "user"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/ingest/common.yml b/x-pack/filebeat/module/gsuite/ingest/common.yml
new file mode 100644
index 00000000000..f35335c1846
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/ingest/common.yml
@@ -0,0 +1,33 @@
+description: Pipeline for parsing gsuite logs
+processors:
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - remove:
+ field: json
+ ignore_missing: true
+ - set:
+ field: event.ingested
+ value: "{{ _ingest.timestamp }}"
+
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/gsuite/login/_meta/fields.yml b/x-pack/filebeat/module/gsuite/login/_meta/fields.yml
new file mode 100644
index 00000000000..dc8e9711616
--- /dev/null
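Review bot: The `on_failure` handler closing this pipeline only stores `error.message`, so an event whose geoip or rename step failed is indexed next to successfully parsed ones with nothing in `event.kind` to separate it, and a detection rule or dashboard cannot exclude or count the broken records. ECS, which the module pins at `ecs.version: 1.11.0` in its input config, reserves `event.kind: pipeline_error` for exactly this; add a second setter under `on_failure:` — `- set:` / `field: event.kind` / `value: pipeline_error` — beside the existing `error.message` one. The `remove` of `json` is fine as written: `ignore_missing: true` keeps an absent scratch object from tripping the failure branch itself.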
+++ b/x-pack/filebeat/module/gsuite/login/_meta/fields.yml
@@ -0,0 +1,21 @@
+- name: login
+ type: group
+ fields:
+ - name: affected_email_address
+ type: keyword
+ - name: challenge_method
+ type: keyword
+ description: >
+ Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
+ - name: failure_type
+ type: keyword
+ description: >
+ Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
+ - name: type
+ type: keyword
+ description: >
+ Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
+ - name: is_second_factor
+ type: boolean
+ - name: is_suspicious
+ type: boolean
diff --git a/x-pack/filebeat/module/gsuite/login/config/config.yml b/x-pack/filebeat/module/gsuite/login/config/config.yml
new file mode 100644
index 00000000000..8575999100c
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/login/config/config.yml
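Review bot: `affected_email_address`, `is_second_factor` and `is_suspicious` are declared without a `description`, while the three keyword fields beside them at least say where their value set is documented; these are the fields a detection engineer pivots on, and nothing in the hunk says whether `is_suspicious` is Google's verdict or the module's. The login pipeline copies the two booleans straight from the API parameter's `boolValue` and uses `affected_email_address` as the target user, so suggest `description: Whether Google flagged the login as suspicious, copied from the login event parameters.`, `description: Whether a second factor was used for the login, as reported in the login event parameters.`, and `description: Email address of the account the event is about (the target user, not the actor).`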
@@ -0,0 +1,54 @@
+{{ if eq .input "httpjson" }}
+type: httpjson
+
+url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/login
+json_objects_array: items
+split_events_by: events
+
+interval: {{ .interval }}
+
+{{ if .http_client_timeout }}
+http_client_timeout: {{ .http_client_timeout }}
+{{ end }}
+
+oauth2.provider: google
+oauth2.google.jwt_file: {{ .jwt_file }}
+oauth2.google.delegated_account: {{ .delegated_account }}
+oauth2.scopes:
+ - https://www.googleapis.com/auth/admin.reports.audit.readonly
+
+date_cursor.url_field: startTime
+date_cursor.initial_interval: {{ .initial_interval }}
+
+pagination.id_field: nextPageToken
+pagination.url_field: pageToken
+
+{{ if .proxy_url }}
+request.proxy_url: {{ .proxy_url }}
+{{ end }}
+
+{{ else if eq .input "file" }}
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.11.0
+ - script:
+ lang: javascript
+ id: gsuite-common
+ file: ${path.home}/module/gsuite/config/common.js
+ - script:
+ lang: javascript
+ id: gsuite-login
+ file: ${path.home}/module/gsuite/login/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/login/config/pipeline.js b/x-pack/filebeat/module/gsuite/login/config/pipeline.js
new file mode 100644
index 00000000000..2ad5d52f7de
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/login/config/pipeline.js
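Review bot: `{{ .user_key }}` is spliced into the `url:` path unescaped, whereas `tags` a few lines down is passed through `tojson`; the Reports API accepts an email address or profile ID here, so a value containing `@`, `/` or `?` is sent verbatim and silently changes the request target instead of failing validation. The value is operator configuration rather than attacker input, so this is hardening, not an exploit, but the template should encode it — `url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key | urlquery }}/applications/login` — assuming the module template engine exposes Go's builtin `urlquery` alongside its custom `tojson`/`inList` functions (confirm). Also worth a one-line comment above `oauth2.scopes:` recording that `admin.reports.audit.readonly` is chosen deliberately so the service-account key named in `jwt_file` grants only read access to audit data if it leaks.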
@@ -0,0 +1,117 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+var login = (function () {
+ var processor = require("processor");
+
+ var categorizeEvent = function(evt) {
+ evt.Put("event.category", ["authentication"]);
+ switch (evt.Get("event.action")) {
+ case "login_failure":
+ evt.AppendTo("event.category", "session");
+ evt.Put("event.type", ["start"]);
+ evt.Put("event.outcome", "failure");
+ break;
+ case "login_success":
+ evt.AppendTo("event.category", "session");
+ evt.Put("event.type", ["start"]);
+ evt.Put("event.outcome", "success");
+ break;
+ case "logout":
+ evt.AppendTo("event.category", "session");
+ evt.Put("event.type", ["end"]);
+ break;
+ case "account_disabled_generic":
+ case "account_disabled_spamming_through_relay":
+ case "account_disabled_spamming":
+ case "account_disabled_hijacked":
+ case "account_disabled_password_leak":
+ evt.Put("event.type", ["user", "change"]);
+ break;
+ case "gov_attack_warning":
+ case "login_challenge":
+ case "login_verification":
+ case "suspicious_login":
+ case "suspicious_login_less_secure_app":
+ case "suspicious_programmatic_login":
+ evt.Put("event.type", ["info"]);
+ break;
+ }
+ };
+
+ var getParamValue = function(param) {
+ if (param.value) {
+ return param.value;
+ }
+ if (param.multiValue) {
+ return param.multiValue;
+ }
+ };
+
+ var processParams = function(evt) {
+ var params = evt.Get("json.events.parameters");
+ if (!params || !Array.isArray(params)) {
+ return;
+ }
+
+ var prefixRegex = /^(login_)/;
+
+ params.forEach(function(p){
+ p.name = p.name.replace(prefixRegex, "");
+ switch (p.name) {
+ // According to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login
+ // this is a timestamp in microseconds
+ case "timestamp":
+ var millis = p.intValue / 1000;
+ evt.Put("event.start", new Date(millis));
+ break;
+ case "challenge_status":
+ if (p.value === "Challenge Passed") {
+ evt.Put("event.outcome", "success");
+ } else {
+ evt.Put("event.outcome", "failure");
+ }
+ break;
+ case "is_second_factor":
+ case "is_suspicious":
+ evt.Put("gsuite.login."+p.name, p.boolValue);
+ break;
+ // the rest of params are strings
+ default:
+ evt.Put("gsuite.login."+p.name, getParamValue(p));
+ }
+ });
+
+ evt.Delete("json.events.parameters");
+ };
+
+ var addTargetUser = function(evt) {
+ var affectedEmail = evt.Get("google_workspace.login.affected_email_address");
+ if (affectedEmail) {
+ evt.Put("user.target.email", affectedEmail);
+ var data = affectedEmail.split("@");
+ if (data.length !== 2) {
+ return;
+ }
+
+ evt.Put("user.target.name", data[0]);
+ evt.Put("user.target.domain", data[1]);
+ evt.AppendTo("related.user", data[0]);
+ }
+ };
+
+ var pipeline = new processor.Chain()
+ .Add(categorizeEvent)
+ .Add(processParams)
+ .Add(addTargetUser)
+ .Build();
+
+ return {
+ process: pipeline.Run,
+ };
+}());
+
+function process(evt) {
+ return login.process(evt);
+}
diff --git a/x-pack/filebeat/module/gsuite/login/manifest.yml b/x-pack/filebeat/module/gsuite/login/manifest.yml
new file mode 100644
index 00000000000..c5992776ac0
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/login/manifest.yml
@@ -0,0 +1,25 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: httpjson
+ - name: jwt_file
+ - name: delegated_account
+ - name: initial_interval
+ default: 24h
+ - name: http_client_timeout
+ default: 60s
+ - name: user_key
+ default: all
+ - name: interval
+ default: 2h
+ - name: tags
+ default: [forwarded]
+ - name: proxy_url
+
+input: config/config.yml
+ingest_pipeline: ../ingest/common.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
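Review bot: `addTargetUser` reads `google_workspace.login.affected_email_address`, but `processParams` stores every parameter under the `gsuite.login.` prefix (`evt.Put("gsuite.login."+p.name, ...)`), so the lookup is always undefined and `user.target.email`/`user.target.name`/`user.target.domain` plus the `related.user` entry for the affected account are never set — every `account_disabled_*` and `suspicious_*` event in the test log would carry only the actor, which is the wrong pivot for an analyst triaging a compromised account. The fix is one line, `var affectedEmail = evt.Get("gsuite.login.affected_email_address");`, after which the expected-output fixture for the login test log should be regenerated and checked to show the target fields. A smaller point: `getParamValue` returns `undefined` for a parameter carrying only `intValue` or `boolValue` that falls into `default:`, and that is then written as `gsuite.login.<name>`; whether the processor runtime drops or stores an undefined value is not visible here, so either extend the helper with `if (param.intValue) { return param.intValue; }` or skip the `Put` when the helper returns nothing.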
diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log
new file mode 100644
index 00000000000..b721c74bf48
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log
@@ -0,0 +1,14 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_password_leak","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login_less_secure_app","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_programmatic_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_generic","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming_through_relay","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_hijacked","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"gov_attack_warning"}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_failure_type","value":"login_failure_access_code_disallowed"},{"name":"login_type","value":"exchange"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_challenge","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_verification","parameters":[{"name":"is_second_factor","boolValue":false},{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"logout","parameters":[{"name":"login_type","value":"exchange"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"is_suspicious","boolValue":false},{"name":"login_type","value":"exchange"}]}} diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json new file mode 100644 index 00000000000..aa37acec18e --- /dev/null +++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json 
@@ -0,0 +1,738 @@ +[ + { + "event.action": "account_disabled_password_leak", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "change", + "user" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "suspicious_login", + "event.category": [ + "authentication" + ], + "event.dataset": 
"gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "event.provider": "login", + "event.start": "2020-07-02T13:08:25.123Z", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 406, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "suspicious_login_less_secure_app", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": 
"gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login_less_secure_app\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "event.provider": "login", + "event.start": "2020-07-02T13:08:25.123Z", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 853, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "suspicious_programmatic_login", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_programmatic_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "event.provider": "login", + "event.start": "2020-07-02T13:08:25.123Z", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1316, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "account_disabled_generic", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "change", + "user" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1776, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "account_disabled_spamming_through_relay", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "change", + "user" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2176, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "account_disabled_spamming", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "change", + "user" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2591, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "account_disabled_hijacked", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_hijacked\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", + "event.provider": "login", + "event.start": "2020-07-02T13:08:25.123Z", + "event.type": [ + "change", + "user" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2992, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "gov_attack_warning", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"gov_attack_warning\"}}", + "event.provider": "login", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3448, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "login_failure", + "event.category": [ + "authentication", + "session" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_failure_type\",\"value\":\"login_failure_access_code_disallowed\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "failure", + "event.provider": "login", + "event.type": [ + "start" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.challenge_method": "backup_code", + "gsuite.login.failure_type": "login_failure_access_code_disallowed", + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3768, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "login_challenge", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_challenge\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "failure", + "event.provider": "login", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.challenge_method": "backup_code", + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4262, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "login_verification", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + 
"event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_verification\",\"parameters\":[{\"name\":\"is_second_factor\",\"boolValue\":false},{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "failure", + "event.provider": "login", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.challenge_method": "backup_code", + "gsuite.login.is_second_factor": false, + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4743, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "logout", + "event.category": [ + 
"authentication", + "session" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"logout\",\"parameters\":[{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.provider": "login", + "event.type": [ + "end" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5273, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "login_success", + "event.category": [ + "authentication", + "session" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"is_suspicious\",\"boolValue\":false},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "success", + "event.provider": "login", + "event.type": [ + "start" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.challenge_method": "backup_code", + "gsuite.login.is_suspicious": false, + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5627, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml b/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml
new file mode 100644
index 00000000000..fc0adfcb55c
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml
@@ -0,0 +1,27 @@
+- name: saml
+ type: group
+ fields:
+ - name: application_name
+ type: keyword
+ description: >
+ Saml SP application name.
+ - name: failure_type
+ type: keyword
+ description: >
+ Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml.
+ - name: initiated_by
+ type: keyword
+ description: >
+ Requester of SAML authentication.
+ - name: orgunit_path
+ type: keyword
+ description: >
+ User orgunit.
+ - name: status_code
+ type: keyword
+ description: >
+ SAML status code.
+ - name: second_level_status_code
+ type: keyword
+ description: >
+ SAML second level status code.
diff --git a/x-pack/filebeat/module/gsuite/saml/config/config.yml b/x-pack/filebeat/module/gsuite/saml/config/config.yml
new file mode 100644
index 00000000000..1db5796e670
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/saml/config/config.yml
@@ -0,0 +1,54 @@
+{{ if eq .input "httpjson" }}
+type: httpjson
+
+url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/saml
+json_objects_array: items
+split_events_by: events
+
+interval: {{ .interval }}
+
+{{ if .http_client_timeout }}
+http_client_timeout: {{ .http_client_timeout }}
+{{ end }}
+
+oauth2.provider: google
+oauth2.google.jwt_file: {{ .jwt_file }}
+oauth2.google.delegated_account: {{ .delegated_account }}
+oauth2.scopes:
+ - https://www.googleapis.com/auth/admin.reports.audit.readonly
+
+date_cursor.url_field: startTime
+date_cursor.initial_interval: {{ .initial_interval }}
+
+pagination.id_field: nextPageToken
+pagination.url_field: pageToken
+
+{{ if .proxy_url }}
+request.proxy_url: {{ .proxy_url }}
+{{ end }}
+
+{{ else if eq .input "file" }}
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.11.0
+ - script:
+ lang: javascript
+ id: gsuite-common
+ file: ${path.home}/module/gsuite/config/common.js
+ - script:
+ lang: javascript
+ id: gsuite-saml
+ file: ${path.home}/module/gsuite/saml/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/saml/config/pipeline.js b/x-pack/filebeat/module/gsuite/saml/config/pipeline.js
new file mode 100644
index 00000000000..705db7f2f1e
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/saml/config/pipeline.js
@@ -0,0 +1,53 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+var saml = (function () {
+ var processor = require("processor");
+
+ var categorizeEvent = function(evt) {
+ evt.Put("event.type", ["start"]);
+ evt.Put("event.category", ["authentication", "session"]);
+ switch (evt.Get("event.action")) {
+ case "login_failure":
+ evt.Put("event.outcome", "failure");
+ break;
+ case "login_success":
+ evt.Put("event.outcome", "success");
+ break;
+ }
+ };
+
+ var processParams = function(evt) {
+ var params = evt.Get("json.events.parameters");
+ if (!params || !Array.isArray(params)) {
+ return;
+ }
+
+ var prefixRegex = /^(saml_)/;
+
+ params.forEach(function(p){
+ p.name = p.name.replace(prefixRegex, "");
+
+ // all saml event parameters are strings.
+ // for this reason we know for sure they are in the 'value' field.
+ // https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml
+ evt.Put("google_workspace.saml."+p.name, p.value);
+ });
+
+ evt.Delete("json.events.parameters");
+ };
+
+ var pipeline = new processor.Chain()
+ .Add(categorizeEvent)
+ .Add(processParams)
+ .Build();
+
+ return {
+ process: pipeline.Run,
+ };
+}());
+
+function process(evt) {
+ return saml.process(evt);
+}
diff --git a/x-pack/filebeat/module/gsuite/saml/manifest.yml b/x-pack/filebeat/module/gsuite/saml/manifest.yml
new file mode 100644
index 00000000000..c5992776ac0
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/saml/manifest.yml
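Review bot: processParams stores every parameter under `google_workspace.saml.` while this fileset's fields.yml, added in the same patch under x-pack/filebeat/module/gsuite/saml/_meta, declares the `saml` group for the gsuite module, and the expected output for this fileset mixes `google_workspace.saml.*` keys with `gsuite.*` ones; unless a google_workspace field definition exists outside this patch, those keys end up unmapped. The login fixture in the same patch uses `gsuite.login.*`, so `evt.Put("gsuite.saml."+p.name, p.value);` would keep the module consistent, or the fields.yml should move along with the rename. A smaller point: the forEach trusts every parameter to carry a string `value`; the comment cites Google's docs for that, so a guard such as `if (p.value === undefined) { return; }` is optional, but it would stop an undefined from being written if a `boolValue`-only parameter ever appears here, as one already does in the login fixture.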
@@ -0,0 +1,25 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: httpjson
+ - name: jwt_file
+ - name: delegated_account
+ - name: initial_interval
+ default: 24h
+ - name: http_client_timeout
+ default: 60s
+ - name: user_key
+ default: all
+ - name: interval
+ default: 2h
+ - name: tags
+ default: [forwarded]
+ - name: proxy_url
+
+input: config/config.yml
+ingest_pipeline: ../ingest/common.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log
new file mode 100644
index 00000000000..ed672b58a56
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log
@@ -0,0 +1,2 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"application_name","value":"app"},{"name":"failure_type","value":"failure_app_not_configured_for_user"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_second_level_status_code","value":"SUCCESS_URI"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:01Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"application_name","value":"app"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}}
diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json
new file mode 100644
index 00000000000..7763ca17881
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json
@@ -0,0 +1,116 @@ +[ + { + "event.action": "login_failure", + "event.category": [ + "authentication", + "session" + ], + "event.dataset": "gsuite.saml", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", + "event.outcome": "failure", + "event.provider": "saml", + "event.type": [ + "start" + ], + "fileset.name": "saml", + "google_workspace.saml.application_name": "app", + "google_workspace.saml.failure_type": "failure_app_not_configured_for_user", + "google_workspace.saml.initiated_by": "idp", + "google_workspace.saml.orgunit_path": "ounit", + "google_workspace.saml.second_level_status_code": "SUCCESS_URI", + "google_workspace.saml.status_code": "SUCCESS_URI", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United 
States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "login_success", + "event.category": [ + "authentication", + "session" + ], + "event.dataset": "gsuite.saml", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", + "event.outcome": "success", + "event.provider": "saml", + "event.type": [ + "start" + ], + "fileset.name": "saml", + "google_workspace.saml.application_name": "app", + "google_workspace.saml.initiated_by": "idp", + "google_workspace.saml.orgunit_path": "ounit", + "google_workspace.saml.status_code": "SUCCESS_URI", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 622, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + 
"source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml new file mode 100644 index 00000000000..1200b3ac499 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml 
@@ -0,0 +1,54 @@
+{{ if eq .input "httpjson" }}
+type: httpjson
+
+url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/user_accounts
+json_objects_array: items
+split_events_by: events
+
+interval: {{ .interval }}
+
+{{ if .http_client_timeout }}
+http_client_timeout: {{ .http_client_timeout }}
+{{ end }}
+
+oauth2.provider: google
+oauth2.google.jwt_file: {{ .jwt_file }}
+oauth2.google.delegated_account: {{ .delegated_account }}
+oauth2.scopes:
+ - https://www.googleapis.com/auth/admin.reports.audit.readonly
+
+date_cursor.url_field: startTime
+date_cursor.initial_interval: {{ .initial_interval }}
+
+pagination.id_field: nextPageToken
+pagination.url_field: pageToken
+
+{{ if .proxy_url }}
+request.proxy_url: {{ .proxy_url }}
+{{ end }}
+
+{{ else if eq .input "file" }}
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.11.0
+ - script:
+ lang: javascript
+ id: gsuite-common
+ file: ${path.home}/module/gsuite/config/common.js
+ - script:
+ lang: javascript
+ id: gsuite-user_accounts
+ file: ${path.home}/module/gsuite/user_accounts/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/user_accounts/config/pipeline.js b/x-pack/filebeat/module/gsuite/user_accounts/config/pipeline.js
new file mode 100644
index 00000000000..89b54fa72db
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/user_accounts/config/pipeline.js
@@ -0,0 +1,24 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+var userAccounts = (function () {
+ var processor = require("processor");
+
+ var categorizeEvent = function(evt) {
+ evt.Put("event.type", ["change", "user"]);
+ evt.Put("event.category", ["iam"]);
+ };
+
+ var pipeline = new processor.Chain()
+ .Add(categorizeEvent)
+ .Build();
+
+ return {
+ process: pipeline.Run,
+ };
+}());
+
+function process(evt) {
+ return userAccounts.process(evt);
+}
diff --git a/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml b/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml
new file mode 100644
index 00000000000..c5992776ac0
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml
@@ -0,0 +1,25 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: httpjson
+ - name: jwt_file
+ - name: delegated_account
+ - name: initial_interval
+ default: 24h
+ - name: http_client_timeout
+ default: 60s
+ - name: user_key
+ default: all
+ - name: interval
+ default: 2h
+ - name: tags
+ default: [forwarded]
+ - name: proxy_url
+
+input: config/config.yml
+ingest_pipeline: ../ingest/common.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log
new file mode 100644
index 00000000000..7da8fdec935
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log
@@ -0,0 +1,8 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"2sv_change","name":"2sv_disable"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"2sv_change","name":"2sv_enroll"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"password_change","name":"password_edit"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_email_edit"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_phone_edit"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_secret_qa_edit"}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"titanium_change","name":"titanium_enroll"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"titanium_change","name":"titanium_unenroll"}} diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json new file mode 100644 index 00000000000..5943488f324 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json 
@@ -0,0 +1,410 @@ +[ + { + "event.action": "2sv_disable", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.user_accounts", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_disable\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "gsuite.actor.type": "USER", + "gsuite.event.type": "2sv_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "2sv_enroll", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.user_accounts", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_enroll\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "gsuite.actor.type": "USER", + "gsuite.event.type": "2sv_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 316, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "password_edit", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.user_accounts", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"password_change\",\"name\":\"password_edit\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "gsuite.actor.type": "USER", + "gsuite.event.type": "password_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 631, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "recovery_email_edit", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.user_accounts", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_email_edit\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "gsuite.actor.type": "USER", + "gsuite.event.type": "recovery_info_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 954, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "recovery_phone_edit", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.user_accounts", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_phone_edit\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "gsuite.actor.type": "USER", + "gsuite.event.type": "recovery_info_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1288, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "recovery_secret_qa_edit", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.user_accounts", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_secret_qa_edit\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "gsuite.actor.type": "USER", + "gsuite.event.type": "recovery_info_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1622, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "titanium_enroll", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.user_accounts", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_enroll\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "gsuite.actor.type": "USER", + "gsuite.event.type": "titanium_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + }, + { + "event.action": "titanium_unenroll", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.user_accounts", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_unenroll\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "gsuite.actor.type": "USER", + "gsuite.event.type": "titanium_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2285, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/ibmmq/_meta/config.yml b/x-pack/filebeat/module/ibmmq/_meta/config.yml index e81a5fca28e..320922d37e0 100644 --- a/x-pack/filebeat/module/ibmmq/_meta/config.yml +++ b/x-pack/filebeat/module/ibmmq/_meta/config.yml 
@@ -1,7 +1,7 @@ - module: ibmmq # All logs errorlog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/imperva/_meta/config.yml b/x-pack/filebeat/module/imperva/_meta/config.yml index 1ffb9f5d708..2b5660cd4c2 100644 --- a/x-pack/filebeat/module/imperva/_meta/config.yml +++ b/x-pack/filebeat/module/imperva/_meta/config.yml @@ -1,6 +1,6 @@ - module: imperva securesphere: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/infoblox/_meta/config.yml b/x-pack/filebeat/module/infoblox/_meta/config.yml index 03c704cc5ba..85df3964b38 100644 --- a/x-pack/filebeat/module/infoblox/_meta/config.yml +++ b/x-pack/filebeat/module/infoblox/_meta/config.yml @@ -1,6 +1,6 @@ - module: infoblox nios: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/iptables/_meta/config.yml b/x-pack/filebeat/module/iptables/_meta/config.yml index 3b791196985..0de64687f6e 100644 --- a/x-pack/filebeat/module/iptables/_meta/config.yml +++ b/x-pack/filebeat/module/iptables/_meta/config.yml @@ -1,6 +1,6 @@ - module: iptables log: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml index 2ad874d9c4f..7f992656788 100644 --- a/x-pack/filebeat/module/juniper/_meta/config.yml +++ b/x-pack/filebeat/module/juniper/_meta/config.yml @@ -1,6 +1,6 @@ - module: juniper junos: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -19,7 +19,7 @@ # var.tz_offset: local netscreen: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp 
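Review bot: Every fileset in these `_meta/config.yml` hunks is flipped from `enabled: false` to `enabled: true` (ibmmq, imperva, infoblox, iptables and both juniper hunks here; the srx, microsoft, misp and mssql hunks on the next line; mysqlenterprise, netflow, netscout and o365 after that), so whatever config is generated from these templates now turns on every fileset as soon as the module is enabled, including ones that bind a socket by default (netflow with `netflow_port: 2055`, the filesets whose comments name udp as the default input) and ones whose credentials are left blank in the template (misp `#var.api_key`, o365 `var.application_id: ""`). If that is intended, for example because a generator elsewhere inverts the flag for modules.d, a sentence in the commit message would save reviewers the question; otherwise this looks like an unrelated branch merge rather than part of the OpenMetrics change named in the subject, and the flag should stay `enabled: false` for the filesets that cannot work without operator input.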
@@ -38,7 +38,7 @@
 # var.tz_offset: local
 srx:
- enabled: false
+ enabled: true
 # Set which input to use between tcp, udp (default) or file.
 #var.input: udp
diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml
index 96b1f3db1db..a168b621ba5 100644
--- a/x-pack/filebeat/module/microsoft/_meta/config.yml
+++ b/x-pack/filebeat/module/microsoft/_meta/config.yml
@@ -1,7 +1,7 @@
 - module: microsoft
 # ATP configuration
 defender_atp:
- enabled: false
+ enabled: true
 # How often the API should be polled
 #var.interval: 5m
@@ -14,7 +14,7 @@
 # Oauth Token URL, should include the tenant ID
 #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
 m365_defender:
- enabled: false
+ enabled: true
 # How often the API should be polled
 #var.interval: 5m
@@ -31,7 +31,7 @@
 #var.oauth2.scopes:
 # - "https://api.security.microsoft.com/.default"
 dhcp:
- enabled: false
+ enabled: true
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/misp/_meta/config.yml b/x-pack/filebeat/module/misp/_meta/config.yml
index 1e6ce8928d1..0eab72db205 100644
--- a/x-pack/filebeat/module/misp/_meta/config.yml
+++ b/x-pack/filebeat/module/misp/_meta/config.yml
@@ -2,7 +2,7 @@
 - module: misp
 threat:
- enabled: false
+ enabled: true
 # API key to access MISP
 #var.api_key
diff --git a/x-pack/filebeat/module/mssql/_meta/config.yml b/x-pack/filebeat/module/mssql/_meta/config.yml
index 3735debfcfd..a56e658f7b7 100644
--- a/x-pack/filebeat/module/mssql/_meta/config.yml
+++ b/x-pack/filebeat/module/mssql/_meta/config.yml
@@ -1,7 +1,7 @@
 - module: mssql
 # Fileset for native deployment
 log:
- enabled: false
+ enabled: true
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml b/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml
index ee13c51ec1e..a4350a0ac60 100644
--- a/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml
+++ b/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: mysqlenterprise
 audit:
- enabled: false
+ enabled: true
 # Sets the input type. Currently only supports file
 #var.input: file
diff --git a/x-pack/filebeat/module/netflow/_meta/config.yml b/x-pack/filebeat/module/netflow/_meta/config.yml
index 5fed6db3581..91fe3953e94 100644
--- a/x-pack/filebeat/module/netflow/_meta/config.yml
+++ b/x-pack/filebeat/module/netflow/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: netflow
 log:
- enabled: false
+ enabled: true
 var:
 netflow_host: localhost
 netflow_port: 2055
diff --git a/x-pack/filebeat/module/netscout/_meta/config.yml b/x-pack/filebeat/module/netscout/_meta/config.yml
index d7bcfcf2e7f..168d7284a9f 100644
--- a/x-pack/filebeat/module/netscout/_meta/config.yml
+++ b/x-pack/filebeat/module/netscout/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: netscout
 sightline:
- enabled: false
+ enabled: true
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/o365/_meta/config.yml b/x-pack/filebeat/module/o365/_meta/config.yml
index 9ff4f9fb926..b1a30d6dbe9 100644
--- a/x-pack/filebeat/module/o365/_meta/config.yml
+++ b/x-pack/filebeat/module/o365/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: o365
 audit:
- enabled: false
+ enabled: true
 # Set the application_id (also known as client ID):
 var.application_id: ""
diff --git a/x-pack/filebeat/module/o365/_meta/kibana/7/map/dbae13c0-685c-11ea-8d6a-292ef5d68366.json b/x-pack/filebeat/module/o365/_meta/kibana/7/map/dbae13c0-685c-11ea-8d6a-292ef5d68366.json
index bc30cc657b4..1c3afa633e7 100644
--- a/x-pack/filebeat/module/o365/_meta/kibana/7/map/dbae13c0-685c-11ea-8d6a-292ef5d68366.json
+++ b/x-pack/filebeat/module/o365/_meta/kibana/7/map/dbae13c0-685c-11ea-8d6a-292ef5d68366.json 
@@ -1,162 +1,8 @@ { "attributes": { "description": "", - "layerListJSON": [ - { - "alpha": 1, - "id": "0b910b6c-77c8-4223-892a-1ebf69b0ccb4", - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "isAutoSelect": true, - "type": "EMS_TMS" - }, - "style": {}, - "type": "VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "id": "acc53b7b-3411-406b-9371-6fa62b6b9365", - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "applyGlobalQuery": true, - "geoField": "source.geo.location", - "id": "3ba31ffc-7051-44bf-96a0-a684020cd2a3", - "indexPatternRefName": "layer_1_source_index_pattern", - "requestType": "point", - "resolution": "FINE", - "type": "ES_GEO_GRID" - }, - "style": { - "isTimeAware": true, - "properties": { - "fillColor": { - "options": { - "color": "Yellow to Red", - "colorCategory": "palette_0", - "field": { - "name": "doc_count", - "origin": "source" - }, - "fieldMetaOptions": { - "isEnabled": true, - "sigma": 3 - }, - "type": "ORDINAL", - "useCustomColorRamp": false - }, - "type": "DYNAMIC" - }, - "icon": { - "options": { - "value": "airfield" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "field": { - "name": "doc_count", - "origin": "source" - }, - "fieldMetaOptions": { - "isEnabled": true, - "sigma": 3 - }, - "maxSize": 32, - "minSize": 8 - }, - "type": "DYNAMIC" - }, - "labelBorderColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "labelBorderSize": { - "options": { - "size": "SMALL" - } - }, - "labelColor": { - "options": { - "color": "#000000" - }, - "type": "STATIC" - }, - "labelSize": { - "options": { - "size": 14 - }, - "type": "STATIC" - }, - "labelText": { - "options": { - "field": { - "name": "doc_count", - "origin": "source" - } - }, - "type": "DYNAMIC" - }, - "lineColor": { - "options": { - "color": "#FFF" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { 
- "size": 0 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - } - ], - "mapStateJSON": { - "center": { - "lat": 30.87292, - "lon": 16.67387 - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"o365.audit\" " - }, - "refreshConfig": { - "interval": 0, - "isPaused": false - }, - "settings": { - "autoFitToDataBounds": false - }, - "timeFilters": { - "from": "now-7d", - "to": "now" - }, - "zoom": 2.88 - }, + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"0b910b6c-77c8-4223-892a-1ebf69b0ccb4\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"id\":\"3ba31ffc-7051-44bf-96a0-a684020cd2a3\",\"geoField\":\"source.geo.location\",\"requestType\":\"point\",\"resolution\":\"FINE\",\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\",\"useCustomColorRamp\":false}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":0}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"minSize\":8,\"maxSize\":32,\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3}}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"}}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}}},\"isTimeAware\":true},\"id\":\"acc53b7b-3411-406b-9371-6fa62b6b9365\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\"}]", + "mapStateJSON": "{\"zoom\":2.88,\"center\":{\"lon\":16.67387,\"lat\":30.87292},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"event.dataset:\\\"o365.audit\\\" \",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false}}", "title": "Client Geo Map [Filebeat o365 audit]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/okta/_meta/config.yml b/x-pack/filebeat/module/okta/_meta/config.yml index 21fc87b737d..bb2da13eca4 100644 --- a/x-pack/filebeat/module/okta/_meta/config.yml +++ b/x-pack/filebeat/module/okta/_meta/config.yml 
@@ -1,6 +1,6 @@
 - module: okta
 system:
- enabled: false
+ enabled: true
 # You must configure the URL with your Okta domain and provide an
 # API token to access the logs API.
 #var.url: https://yourOktaDomain/api/v1/logs
diff --git a/x-pack/filebeat/module/okta/_meta/kibana/7/map/281ca660-67b1-11ea-a76f-bf44814e437d.json b/x-pack/filebeat/module/okta/_meta/kibana/7/map/281ca660-67b1-11ea-a76f-bf44814e437d.json
index 1daf57ec1d8..8e84bedce4a 100644
--- a/x-pack/filebeat/module/okta/_meta/kibana/7/map/281ca660-67b1-11ea-a76f-bf44814e437d.json
+++ b/x-pack/filebeat/module/okta/_meta/kibana/7/map/281ca660-67b1-11ea-a76f-bf44814e437d.json
@@ -1,169 +1,8 @@ { "attributes": { "description": "", - "layerListJSON": [ - { - "alpha": 1, - "id": "6908e81b-1695-4445-aee4-8bc8c9f65600", - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "isAutoSelect": true, - "type": "EMS_TMS" - }, - "style": {}, - "type": "VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "id": "dc52e707-92d7-4de7-becf-a3a8bfaa2c2d", - "label": "Okta ", - "maxZoom": 24, - "minZoom": 0, - "query": { - "language": "kuery", - "query": "event.dataset : \"okta.system\" " - }, - "sourceDescriptor": { - "applyGlobalQuery": true, - "filterByMapBounds": false, - "geoField": "client.geo.location", - "id": "4b8bd321-4b90-4d97-83e0-2b12bf091f66", - "indexPatternRefName": "layer_1_source_index_pattern", - "scalingType": "LIMIT", - "sortField": "", - "sortOrder": "desc", - "tooltipProperties": [], - "topHitsSize": 1, - "type": "ES_SEARCH" - }, - "style": { - "isTimeAware": true, - "properties": { - "fillColor": { - "options": { - "color": "#54B399" - }, - "type": "STATIC" - }, - "icon": { - "options": { - "value": "marker" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "size": 6 - }, - "type": "STATIC" - }, - "labelBorderColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "labelBorderSize": { - "options": { - "size": "SMALL" - } - }, - "labelColor": { - "options": { - "color": "#000000" - }, - "type": "STATIC" - }, - "labelSize": { - "options": { - "size": 14 - }, - "type": "STATIC" - }, - "labelText": { - "options": { - "value": "" - }, - "type": "STATIC" - }, - "lineColor": { - "options": { - "color": "#41937c" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { - "size": 1 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - } - ], - "mapStateJSON": { - "center": { - "lat": 
26.54701, - "lon": -44.69098 - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "filebeat-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "okta.system" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "okta.system" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "refreshConfig": { - "interval": 0, - "isPaused": false - }, - "settings": { - "autoFitToDataBounds": false - }, - "timeFilters": { - "from": "now-15w", - "to": "now" - }, - "zoom": 2.75 - }, + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"6908e81b-1695-4445-aee4-8bc8c9f65600\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"4b8bd321-4b90-4d97-83e0-2b12bf091f66\",\"geoField\":\"client.geo.location\",\"filterByMapBounds\":false,\"type\":\"ES_SEARCH\",\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":1,\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},
\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"dc52e707-92d7-4de7-becf-a3a8bfaa2c2d\",\"label\":\"Okta \",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"query\":{\"query\":\"event.dataset : \\\"okta.system\\\" \",\"language\":\"kuery\"}}]", + "mapStateJSON": "{\"zoom\":2.75,\"center\":{\"lon\":-44.69098,\"lat\":26.54701},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"filebeat-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"okta.system\"}}}],\"settings\":{\"autoFitToDataBounds\":false}}", "title": "Geolocation [Filebeat Okta]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/oracle/_meta/config.yml b/x-pack/filebeat/module/oracle/_meta/config.yml index 230ad88e684..7b1f569b835 100644 --- a/x-pack/filebeat/module/oracle/_meta/config.yml +++ b/x-pack/filebeat/module/oracle/_meta/config.yml @@ -1,6 +1,6 @@ - module: oracle database_audit: - enabled: false + enabled: true # Set which input to use between syslog or file (default). #var.input: file diff --git a/x-pack/filebeat/module/panw/_meta/config.yml b/x-pack/filebeat/module/panw/_meta/config.yml index 8b28631ddd9..737825f598c 100644 --- a/x-pack/filebeat/module/panw/_meta/config.yml +++ b/x-pack/filebeat/module/panw/_meta/config.yml @@ -1,6 +1,6 @@ - module: panw panos: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: diff --git a/x-pack/filebeat/module/proofpoint/_meta/config.yml b/x-pack/filebeat/module/proofpoint/_meta/config.yml index 05dcc780bcd..d25f23041e3 100644 --- a/x-pack/filebeat/module/proofpoint/_meta/config.yml 
+++ b/x-pack/filebeat/module/proofpoint/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: proofpoint
 emailsecurity:
- enabled: false
+ enabled: true
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/rabbitmq/_meta/config.yml b/x-pack/filebeat/module/rabbitmq/_meta/config.yml
index 966f2169acc..246c13225c6 100644
--- a/x-pack/filebeat/module/rabbitmq/_meta/config.yml
+++ b/x-pack/filebeat/module/rabbitmq/_meta/config.yml
@@ -1,7 +1,7 @@
 - module: rabbitmq
 # All logs
 log:
- enabled: false
+ enabled: true
 # Set custom paths for the log files. If left empty,
 # Filebeat will choose the paths depending on your OS.
diff --git a/x-pack/filebeat/module/radware/_meta/config.yml b/x-pack/filebeat/module/radware/_meta/config.yml
index 5341bf6064f..dc134fbe59f 100644
--- a/x-pack/filebeat/module/radware/_meta/config.yml
+++ b/x-pack/filebeat/module/radware/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: radware
 defensepro:
- enabled: false
+ enabled: true
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/snort/_meta/config.yml b/x-pack/filebeat/module/snort/_meta/config.yml
index e428234a180..e3804a605b9 100644
--- a/x-pack/filebeat/module/snort/_meta/config.yml
+++ b/x-pack/filebeat/module/snort/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: snort
 log:
- enabled: false
+ enabled: true
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/snyk/_meta/config.yml b/x-pack/filebeat/module/snyk/_meta/config.yml
index 6c224738076..2d433139638 100644
--- a/x-pack/filebeat/module/snyk/_meta/config.yml
+++ b/x-pack/filebeat/module/snyk/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: snyk
 audit:
- enabled: false
+ enabled: true
 # Set which input to use between httpjson (default) or file.
 #var.input: httpjson #
@@ -29,7 +29,7 @@
 #var.email_address: ""
 vulnerabilities:
- enabled: false
+ enabled: true
 # Set which input to use between httpjson (default) or file.
 #var.input: httpjson
 # How often the API should be polled. Data from the Snyk API is automatically updated
diff --git a/x-pack/filebeat/module/sonicwall/_meta/config.yml b/x-pack/filebeat/module/sonicwall/_meta/config.yml
index 92a71910286..fcc2abefb79 100644
--- a/x-pack/filebeat/module/sonicwall/_meta/config.yml
+++ b/x-pack/filebeat/module/sonicwall/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: sonicwall
 firewall:
- enabled: false
+ enabled: true
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/sophos/_meta/config.yml b/x-pack/filebeat/module/sophos/_meta/config.yml
index 4b07d941401..5388cbdfcbc 100644
--- a/x-pack/filebeat/module/sophos/_meta/config.yml
+++ b/x-pack/filebeat/module/sophos/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: sophos
 xg:
- enabled: false
+ enabled: true
 # Set which input to use between tcp, udp (default) or file.
 #var.input: udp
@@ -24,7 +24,7 @@
 utm:
- enabled: false
+ enabled: true
 # Set which input to use between udp (default), tcp or file.
 # var.input: udp
diff --git a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc
index 19b6df5e14a..58d9add8037 100644
--- a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc
@@ -11,17 +11,17 @@ logs in syslog format or from a file for the following devices: - `xg` fileset: supports Sophos XG SFOS logs. - `utm` fileset: supports Sophos UTM logs. -To configure a remote syslog destination, please reference the https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/SyslogServerAdd.html[SophosXG/SFOS Documentation]. +To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. -The syslog format choosen in Sophos configuration should be `Central Reporting Format`. +The syslog format choosen should be `Default`. include::../include/gs-link.asciidoc[] [float] === Compatibility -This module has been tested against SFOS version 17.5.x, 18.0.x, and 18.5.x. -Versions above this and between 18.0 - 18.5 are expected to work but have not been tested. +This module has been tested against SFOS version 17.5.x and 18.0.x. +Versions above this are expected to work but have not been tested. include::../include/configuring-intro.asciidoc[] diff --git a/x-pack/filebeat/module/squid/_meta/config.yml b/x-pack/filebeat/module/squid/_meta/config.yml index ad0f3f2053c..e3d681dac2a 100644 --- a/x-pack/filebeat/module/squid/_meta/config.yml +++ b/x-pack/filebeat/module/squid/_meta/config.yml @@ -1,6 +1,6 @@ - module: squid log: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/suricata/_meta/config.yml b/x-pack/filebeat/module/suricata/_meta/config.yml index 1ad37b0427e..1556d5d0451 100644 --- a/x-pack/filebeat/module/suricata/_meta/config.yml +++ b/x-pack/filebeat/module/suricata/_meta/config.yml @@ -1,7 +1,7 @@ - module: suricata # All logs eve: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
diff --git a/x-pack/filebeat/module/threatintel/_meta/config.yml b/x-pack/filebeat/module/threatintel/_meta/config.yml
index 41451f6e33a..f2cf00bcf0d 100644
--- a/x-pack/filebeat/module/threatintel/_meta/config.yml
+++ b/x-pack/filebeat/module/threatintel/_meta/config.yml
@@ -1,6 +1,6 @@
 - module: threatintel
 abuseurl:
- enabled: false
+ enabled: true
 # Input used for ingesting threat intel data.
 var.input: httpjson
@@ -12,7 +12,7 @@
 var.interval: 10m
 abusemalware:
- enabled: false
+ enabled: true
 # Input used for ingesting threat intel data.
 var.input: httpjson
@@ -24,7 +24,7 @@
 var.interval: 10m
 malwarebazaar:
- enabled: false
+ enabled: true
 # Input used for ingesting threat intel data.
 var.input: httpjson
@@ -36,7 +36,7 @@
 var.interval: 10m
 misp:
- enabled: false
+ enabled: true
 # Input used for ingesting threat intel data, defaults to JSON.
 var.input: httpjson
@@ -65,7 +65,7 @@
 var.interval: 5m
 otx:
- enabled: false
+ enabled: true
 # Input used for ingesting threat intel data
 var.input: httpjson
@@ -92,7 +92,7 @@
 var.interval: 5m
 anomali:
- enabled: false
+ enabled: true
 # Input used for ingesting threat intel data
 var.input: httpjson
@@ -114,7 +114,7 @@
 var.interval: 5m
 anomalithreatstream:
- enabled: false
+ enabled: true
 # Input used for ingesting threat intel data
 var.input: http_endpoint
@@ -139,7 +139,7 @@
 # var.ssl_key: path/to/ssl_key.pem
 recordedfuture:
- enabled: false
+ enabled: true
 # Input used for ingesting threat intel data
 var.input: httpjson
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json
index 63e7825a56b..a5db3f4515c 100644
--- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json
@@ -1,184 +1,8 @@ { "attributes": { "description": "Origin country of the indicator ingested by the threat intel Filebeat module.", - "layerListJSON": [ - { - "alpha": 1, - "id": "ea2479ec-b43e-4377-a068-91d93265081d", - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "isAutoSelect": true, - "type": "EMS_TMS" - }, - "style": { - "type": "TILE" - }, - "type": "VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "id": "66df8b3a-7f7c-4969-929e-2c1ac5b64584", - "joins": [ - { - "leftField": "iso2", - "right": { - "applyGlobalQuery": true, - "applyGlobalTime": true, - "id": "81d209f7-b068-4b0d-90f4-baf9a3eefb55", - "indexPatternRefName": "layer_1_join_0_index_pattern", - "indexPatternTitle": "filebeat-*", - "metrics": [ - { - "type": "count" - } - ], - "term": "threatintel.indicator.geo.country_iso_code", - "type": "ES_TERM_SOURCE" - } - } - ], - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "id": "world_countries", - "tooltipProperties": [ - "name" - ], - "type": "EMS_FILE" - }, - "style": { - "isTimeAware": true, - "properties": { - "fillColor": { - "options": { - "color": "Yellow to Red", - "colorCategory": "palette_0", - "field": { - "name": "__kbnjoin__count__81d209f7-b068-4b0d-90f4-baf9a3eefb55", - "origin": "join" - }, - "fieldMetaOptions": { - "isEnabled": true, - "sigma": 3 - }, - "type": "ORDINAL" - }, - "type": "DYNAMIC" - }, - "icon": { - "options": { - "value": "marker" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "size": 6 - }, - "type": "STATIC" - }, - "labelBorderColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "labelBorderSize": { - "options": { - "size": "SMALL" - } - }, - "labelColor": { - "options": { - "color": "#000000" - }, - "type": "STATIC" - }, - "labelSize": { - "options": { - "size": 14 - }, - "type": "STATIC" - }, - "labelText": { - "options": { - 
"value": "" - }, - "type": "STATIC" - }, - "lineColor": { - "options": { - "color": "#3d3d3d" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { - "size": 1 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - } - ], - "mapStateJSON": { - "center": { - "lat": 19.94277, - "lon": 0 - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "refreshConfig": { - "interval": 0, - "isPaused": true - }, - "settings": { - "autoFitToDataBounds": false, - "backgroundColor": "#ffffff", - "browserLocation": { - "zoom": 2 - }, - "fixedLocation": { - "lat": 0, - "lon": 0, - "zoom": 2 - }, - "initialLocation": "LAST_SAVED_LOCATION", - "maxZoom": 24, - "minZoom": 0, - "showSpatialFilters": true, - "spatialFiltersAlpa": 0.3, - "spatialFiltersFillColor": "#DA8B45", - "spatialFiltersLineColor": "#DA8B45" - }, - "timeFilters": { - "from": "now-30d", - "to": "now" - }, - "zoom": 2.08 - }, + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"ea2479ec-b43e-4377-a068-91d93265081d\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\"},{\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"81d209f7-b068-4b0d-90f4-baf9a3eefb55\",\"indexPatternTitle\":\"filebeat-*\",\"term\":\"threatintel.indicator.geo.country_iso_code\",\"metrics\":[{\"type\":\"count\"}],\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"indexPatternRefName\":\"layer_1_join_0_index_pattern\"}}],\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"name\"]},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"__kbnjoin__count__81d209f7-b068-4b0d-90f4-baf9a3eefb55\",\"origin\":\"join\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#3d3d3d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"66df8b3a-7f7c-4969-929e-2c1ac5b64584\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\"}]", + "mapStateJSON": "{\"zoom\":2.08,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-30d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showSpatialFilters\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", "title": "Indicator Origin Country [Filebeat Threat Intel]", "uiStateJSON": { "isLayerTOCOpen": true, 
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json index 8100b60e6b3..6f7918fe90d 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json 
@@ -1,174 +1,8 @@ { "attributes": { "description": "Geographic location of Anomali indicators ingested by the threat intel Filebeat module.", - "layerListJSON": [ - { - "alpha": 1, - "id": "9027343a-f725-4467-9b08-8566ad0b2a52", - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "isAutoSelect": true, - "type": "EMS_TMS" - }, - "style": { - "type": "TILE" - }, - "type": "VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "id": "83ede860-fe89-43c9-8e74-fa2703efbb85", - "joins": [], - "label": "Indicator Geographic Location", - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "applyGlobalQuery": true, - "applyGlobalTime": true, - "filterByMapBounds": true, - "geoField": "threatintel.indicator.geo.location", - "id": "a3ecc6af-0299-4cb9-a29c-0b70f666b011", - "indexPatternRefName": "layer_1_source_index_pattern", - "scalingType": "LIMIT", - "sortField": "", - "sortOrder": "desc", - "tooltipProperties": [ - "threatintel.indicator.as.number", - "threatintel.indicator.as.organization.name", - "threatintel.indicator.geo.country_iso_code" - ], - "topHitsSize": 1, - "topHitsSplitField": "", - "type": "ES_SEARCH" - }, - "style": { - "isTimeAware": true, - "properties": { - "fillColor": { - "options": { - "color": "#D36086" - }, - "type": "STATIC" - }, - "icon": { - "options": { - "value": "danger" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "size": 6 - }, - "type": "STATIC" - }, - "labelBorderColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "labelBorderSize": { - "options": { - "size": "SMALL" - } - }, - "labelColor": { - "options": { - "color": "#000000" - }, - "type": "STATIC" - }, - "labelSize": { - "options": { - "size": 14 - }, - "type": "STATIC" - }, - "labelText": { - "options": { - "value": "" - }, - "type": "STATIC" - }, - "lineColor": { - "options": { - "color": "#41937c" - }, - "type": "STATIC" - 
}, - "lineWidth": { - "options": { - "size": 1 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - } - ], - "mapStateJSON": { - "center": { - "lat": 19.94277, - "lon": 0 - }, - "filters": [], - "query": { - "language": "kuery", - "query": "event.dataset:\"threatintel.anomalithreatstream\" " - }, - "refreshConfig": { - "interval": 0, - "isPaused": true - }, - "settings": { - "autoFitToDataBounds": false, - "backgroundColor": "#ffffff", - "browserLocation": { - "zoom": 2 - }, - "disableInteractive": false, - "disableTooltipControl": false, - "fixedLocation": { - "lat": 0, - "lon": 0, - "zoom": 2 - }, - "hideLayerControl": false, - "hideToolbarOverlay": false, - "hideViewControl": false, - "initialLocation": "LAST_SAVED_LOCATION", - "maxZoom": 24, - "minZoom": 0, - "showScaleControl": false, - "showSpatialFilters": true, - "spatialFiltersAlpa": 0.3, - "spatialFiltersFillColor": "#DA8B45", - "spatialFiltersLineColor": "#DA8B45" - }, - "timeFilters": { - "from": "now-7d", - "to": "now" - }, - "zoom": 2.08 - }, + "layerListJSON": 
"[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"9027343a-f725-4467-9b08-8566ad0b2a52\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"geoField\":\"threatintel.indicator.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"LIMIT\",\"id\":\"a3ecc6af-0299-4cb9-a29c-0b70f666b011\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"tooltipProperties\":[\"threatintel.indicator.as.number\",\"threatintel.indicator.as.organization.name\",\"threatintel.indicator.geo.country_iso_code\"],\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSplitField\":\"\",\"topHitsSize\":1,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"id\":\"83ede860-fe89-43c9-8e74-fa2703efbb85\",\"label\":\"Indicator Geographic Location\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"danger\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#D36086\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"type\":\"VECTOR\",\"joins\":[]}]", + "mapStateJSON": 
"{\"zoom\":2.08,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"event.dataset:\\\"threatintel.anomalithreatstream\\\" \",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", "title": "Anomali Indicator Geographic Location [Filebeat Threat Intel]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/tomcat/_meta/config.yml b/x-pack/filebeat/module/tomcat/_meta/config.yml index e04b9201704..e3640165f61 100644 --- a/x-pack/filebeat/module/tomcat/_meta/config.yml +++ b/x-pack/filebeat/module/tomcat/_meta/config.yml @@ -1,6 +1,6 @@ - module: tomcat log: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/zeek/_meta/config.yml b/x-pack/filebeat/module/zeek/_meta/config.yml index 496581963fa..dbe6012df6b 100644 --- a/x-pack/filebeat/module/zeek/_meta/config.yml +++ b/x-pack/filebeat/module/zeek/_meta/config.yml 
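Review bot: The flip from `enabled: false` to `enabled: true` in `x-pack/filebeat/module/tomcat/_meta/config.yml` changes the shipped default for every user, not a local setting, and nothing in a PR titled "Openmetrics support using textparser" motivates touching Filebeat module templates at all. As far as this hunk shows, the fileset's default input is `udp` (`# var.input: udp`), so a user who activates the module by renaming the generated `modules.d` file would presumably get a network listener without having opted into the fileset. This looks like an accidental regeneration from a modified workspace; the line should go back to `enabled: false`, or the change should land in its own reviewed PR with a rationale.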
@@ -1,82 +1,82 @@ - module: zeek capture_loss: - enabled: false + enabled: true connection: - enabled: false + enabled: true dce_rpc: - enabled: false + enabled: true dhcp: - enabled: false + enabled: true dnp3: - enabled: false + enabled: true dns: - enabled: false + enabled: true dpd: - enabled: false + enabled: true files: - enabled: false + enabled: true ftp: - enabled: false + enabled: true http: - enabled: false + enabled: true intel: - enabled: false + enabled: true irc: - enabled: false + enabled: true kerberos: - enabled: false + enabled: true modbus: - enabled: false + enabled: true mysql: - enabled: false + enabled: true notice: - enabled: false + enabled: true ntp: - enabled: false + enabled: true ntlm: - enabled: false + enabled: true ocsp: - enabled: false + enabled: true pe: - enabled: false + enabled: true radius: - enabled: false + enabled: true rdp: - enabled: false + enabled: true rfb: - enabled: false + enabled: true signature: - enabled: false + enabled: true sip: - enabled: false + enabled: true smb_cmd: - enabled: false + enabled: true smb_files: - enabled: false + enabled: true smb_mapping: - enabled: false + enabled: true smtp: - enabled: false + enabled: true snmp: - enabled: false + enabled: true socks: - enabled: false + enabled: true ssh: - enabled: false + enabled: true ssl: - enabled: false + enabled: true stats: - enabled: false + enabled: true syslog: - enabled: false + enabled: true traceroute: - enabled: false + enabled: true tunnel: - enabled: false + enabled: true weird: - enabled: false + enabled: true x509: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/zookeeper/_meta/config.yml b/x-pack/filebeat/module/zookeeper/_meta/config.yml index e14f9d1020f..a31d217a5ec 100644 --- a/x-pack/filebeat/module/zookeeper/_meta/config.yml +++ b/x-pack/filebeat/module/zookeeper/_meta/config.yml 
@@ -1,14 +1,14 @@ - module: zookeeper # All logs audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/zoom/_meta/config.yml b/x-pack/filebeat/module/zoom/_meta/config.yml index a010f43f3a9..43c8ed43628 100644 --- a/x-pack/filebeat/module/zoom/_meta/config.yml +++ b/x-pack/filebeat/module/zoom/_meta/config.yml @@ -1,6 +1,6 @@ - module: zoom webhook: - enabled: false + enabled: true # The type of input to use #var.input: http_endpoint diff --git a/x-pack/filebeat/module/zscaler/_meta/config.yml b/x-pack/filebeat/module/zscaler/_meta/config.yml index d7c47dc6e70..9afb8712afb 100644 --- a/x-pack/filebeat/module/zscaler/_meta/config.yml +++ b/x-pack/filebeat/module/zscaler/_meta/config.yml @@ -1,6 +1,6 @@ - module: zscaler zia: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/activemq.yml.disabled b/x-pack/filebeat/modules.d/activemq.yml.disabled index 82c70b16947..1c6728dd8c4 100644 --- a/x-pack/filebeat/modules.d/activemq.yml.disabled +++ b/x-pack/filebeat/modules.d/activemq.yml.disabled @@ -4,7 +4,7 @@ - module: activemq # Audit logs audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Application logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/azure.yml.disabled b/x-pack/filebeat/modules.d/azure.yml.disabled index 89ccfff8204..dcf5b1764d7 100644 --- a/x-pack/filebeat/modules.d/azure.yml.disabled 
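Review bot: Enabling the `zoom` `webhook` fileset in the template means the input the comment names as the default (`#var.input: http_endpoint`) would start listening as soon as the module is activated, and no listen address, TLS or request-validation settings appear in this hunk. An inbound webhook endpoint that is on by default and, presumably, unauthenticated can accept arbitrary events into the index, so this fileset in particular should stay opt-in with `enabled: false`. If the goal is to guide users to turn it on, a comment above the key is the safer route: `# Enable only after configuring the http_endpoint listen address and request validation`.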
+++ b/x-pack/filebeat/modules.d/azure.yml.disabled @@ -4,7 +4,7 @@ - module: azure # All logs activitylogs: - enabled: false + enabled: true var: # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub eventhub: "insights-operational-logs" diff --git a/x-pack/filebeat/modules.d/barracuda.yml.disabled b/x-pack/filebeat/modules.d/barracuda.yml.disabled index 6327b8d6a75..20552d4c503 100644 --- a/x-pack/filebeat/modules.d/barracuda.yml.disabled +++ b/x-pack/filebeat/modules.d/barracuda.yml.disabled @@ -3,7 +3,7 @@ - module: barracuda waf: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -22,7 +22,7 @@ # var.tz_offset: local spamfirewall: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/bluecoat.yml.disabled b/x-pack/filebeat/modules.d/bluecoat.yml.disabled index 98a4cef099b..df71bb8ab04 100644 --- a/x-pack/filebeat/modules.d/bluecoat.yml.disabled +++ b/x-pack/filebeat/modules.d/bluecoat.yml.disabled @@ -3,7 +3,7 @@ - module: bluecoat director: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/cef.yml.disabled b/x-pack/filebeat/modules.d/cef.yml.disabled index cda083f4a5e..bb8eca97d6b 100644 --- a/x-pack/filebeat/modules.d/cef.yml.disabled +++ b/x-pack/filebeat/modules.d/cef.yml.disabled @@ -3,7 +3,7 @@ - module: cef log: - enabled: false + enabled: true var: syslog_host: localhost syslog_port: 9003 diff --git a/x-pack/filebeat/modules.d/checkpoint.yml.disabled b/x-pack/filebeat/modules.d/checkpoint.yml.disabled index 05fdfc0aa27..03db911f192 100644 --- a/x-pack/filebeat/modules.d/checkpoint.yml.disabled +++ b/x-pack/filebeat/modules.d/checkpoint.yml.disabled 
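Review bot: With `enabled: true`, the `cef` `log` fileset's uncommented `var: syslog_host: localhost syslog_port: 9003` becomes live configuration, so activating the module binds a syslog listener on 9003 with no further opt-in step. Unlike the other modules in this diff, whose `# var.input`/`# var.syslog_port` hints are commented out, these values take effect immediately. Keep the template at `enabled: false`; if the change is deliberate, say so next to the port: `# listener is bound as soon as this fileset is enabled; keep syslog_host on a trusted interface`.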
@@ -3,7 +3,7 @@ - module: checkpoint firewall: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: syslog diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled index 3ad2d76a875..6a933610336 100644 --- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled @@ -3,7 +3,7 @@ - module: cisco asa: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: syslog @@ -29,7 +29,7 @@ #var.external_zones: [ "External" ] ftd: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: syslog @@ -55,7 +55,7 @@ #var.external_zones: [ "External" ] ios: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: syslog @@ -72,7 +72,7 @@ #var.paths: nexus: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -91,7 +91,7 @@ # var.tz_offset: local meraki: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -110,7 +110,7 @@ # var.tz_offset: local umbrella: - enabled: false + enabled: true #var.input: aws-s3 # AWS SQS queue url @@ -125,7 +125,7 @@ #var.api_timeout: 120s amp: - enabled: false + enabled: true # Set which input to use between httpjson (default) or file. #var.input: httpjson diff --git a/x-pack/filebeat/modules.d/coredns.yml.disabled b/x-pack/filebeat/modules.d/coredns.yml.disabled index fb7e9995130..d4a871455fd 100644 --- a/x-pack/filebeat/modules.d/coredns.yml.disabled +++ b/x-pack/filebeat/modules.d/coredns.yml.disabled @@ -4,7 +4,7 @@ - module: coredns # Fileset for native deployment log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
diff --git a/x-pack/filebeat/modules.d/crowdstrike.yml.disabled b/x-pack/filebeat/modules.d/crowdstrike.yml.disabled index aea362f2e40..a51bf2818a1 100644 --- a/x-pack/filebeat/modules.d/crowdstrike.yml.disabled +++ b/x-pack/filebeat/modules.d/crowdstrike.yml.disabled @@ -4,7 +4,7 @@ - module: crowdstrike falcon: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/cyberark.yml.disabled b/x-pack/filebeat/modules.d/cyberark.yml.disabled new file mode 100644 index 00000000000..833a92645b1 --- /dev/null +++ b/x-pack/filebeat/modules.d/cyberark.yml.disabled @@ -0,0 +1,24 @@ +# Module: cyberark +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-cyberark.html + +# The cyberark module is deprecated and will be removed in future releases. +# Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. +- module: cyberark + corepas: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9527 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled b/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled index f2168e9d453..2045718a6b7 100644 --- a/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled +++ b/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled @@ -3,7 +3,7 @@ - module: cyberarkpas audit: - enabled: false + enabled: true # Set which input to use between tcp (default), udp, or file. # 
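Review bot: `x-pack/filebeat/modules.d/cyberark.yml.disabled` is re-added as a new file whose own header says the `cyberark` module is deprecated in favor of `cyberarkpas`, and it arrives with `corepas: enabled: true` and a `udp` default input (`# var.syslog_port: 9527`). I cannot tell from this diff whether the `cyberark` module still exists in the tree; if it does not, this is dead configuration from a regeneration against an older module list, and if it does, an enabled-by-default deprecated fileset contradicts the file's own `# The cyberark module is deprecated and will be removed in future releases.` notice. Either drop the file or set `enabled: false` to match every other template.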
diff --git a/x-pack/filebeat/modules.d/cylance.yml.disabled b/x-pack/filebeat/modules.d/cylance.yml.disabled index 164642f0738..8f16f29ca5b 100644 --- a/x-pack/filebeat/modules.d/cylance.yml.disabled +++ b/x-pack/filebeat/modules.d/cylance.yml.disabled @@ -3,7 +3,7 @@ - module: cylance protect: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/envoyproxy.yml.disabled b/x-pack/filebeat/modules.d/envoyproxy.yml.disabled index d95316b3c30..a46cf279282 100644 --- a/x-pack/filebeat/modules.d/envoyproxy.yml.disabled +++ b/x-pack/filebeat/modules.d/envoyproxy.yml.disabled @@ -4,7 +4,7 @@ - module: envoyproxy # Fileset for native deployment log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/f5.yml.disabled b/x-pack/filebeat/modules.d/f5.yml.disabled index 4db5209693d..fdf357dae44 100644 --- a/x-pack/filebeat/modules.d/f5.yml.disabled +++ b/x-pack/filebeat/modules.d/f5.yml.disabled @@ -3,7 +3,7 @@ - module: f5 bigipapm: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -22,7 +22,7 @@ # var.tz_offset: local bigipafm: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/fortinet.yml.disabled b/x-pack/filebeat/modules.d/fortinet.yml.disabled index e31eb967d73..f77f2169d6d 100644 --- a/x-pack/filebeat/modules.d/fortinet.yml.disabled +++ b/x-pack/filebeat/modules.d/fortinet.yml.disabled @@ -3,7 +3,7 @@ - module: fortinet firewall: - enabled: false + enabled: true # Set which input to use between tcp, udp (default) or file. #var.input: udp 
@@ -26,7 +26,7 @@ #var.external_interfaces: [ "WAN" ] clientendpoint: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -45,7 +45,7 @@ # var.tz_offset: local fortimail: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -64,7 +64,7 @@ # var.tz_offset: local fortimanager: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/gcp.yml.disabled b/x-pack/filebeat/modules.d/gcp.yml.disabled index b0b5f636b10..0a1971525a3 100644 --- a/x-pack/filebeat/modules.d/gcp.yml.disabled +++ b/x-pack/filebeat/modules.d/gcp.yml.disabled @@ -3,7 +3,7 @@ - module: gcp vpcflow: - enabled: false + enabled: true # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -31,7 +31,7 @@ #var.internal_networks: [ "private" ] firewall: - enabled: false + enabled: true # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -58,7 +58,7 @@ #var.internal_networks: [ "private" ] audit: - enabled: false + enabled: true # Google Cloud project ID. var.project_id: my-gcp-project-id diff --git a/x-pack/filebeat/modules.d/google_workspace.yml.disabled b/x-pack/filebeat/modules.d/google_workspace.yml.disabled index 85142dfcaf0..b5eb0051965 100644 --- a/x-pack/filebeat/modules.d/google_workspace.yml.disabled +++ b/x-pack/filebeat/modules.d/google_workspace.yml.disabled @@ -3,7 +3,7 @@ - module: google_workspace saml: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -11,7 +11,7 @@ # var.user_key: all # var.interval: 2h user_accounts: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h 
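Review bot: The three `gcp` filesets (`vpcflow`, `firewall`, `audit`) are now `enabled: true` in the template while the uncommented `var.project_id: my-gcp-project-id` placeholder remains live config in each. Once a user activates the module, all three would presumably start against the placeholder project and surface the problem as an authentication or Pub/Sub error rather than as an obviously disabled fileset. Keep `enabled: false` on each, or at minimum mark the placeholder so it cannot be missed: `var.project_id: my-gcp-project-id  # replace before enabling this fileset`.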
@@ -19,7 +19,7 @@ # var.user_key: all # var.interval: 2h login: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -27,7 +27,7 @@ # var.user_key: all # var.interval: 2h admin: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -35,7 +35,7 @@ # var.user_key: all # var.interval: 2h drive: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -43,7 +43,7 @@ # var.user_key: all # var.interval: 2h groups: - enabled: false + enabled: true # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h diff --git a/x-pack/filebeat/modules.d/googlecloud.yml.disabled b/x-pack/filebeat/modules.d/googlecloud.yml.disabled new file mode 100644 index 00000000000..6f3e6b53e21 --- /dev/null +++ b/x-pack/filebeat/modules.d/googlecloud.yml.disabled 
@@ -0,0 +1,58 @@ +# Module: googlecloud +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-googlecloud.html + +# googlecloud module is deprecated, please use gcp instead +- module: gcp + vpcflow: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be + # configured to use this topic as a sink for VPC flow logs. + var.topic: gcp-vpc-flowlogs + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-vpc-flowlogs-sub + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json + + firewall: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing firewall logs. Stackdriver must be + # configured to use this topic as a sink for firewall logs. + var.topic: gcp-vpc-firewall + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-firewall-sub + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json + + audit: + enabled: true + + # Google Cloud project ID. + var.project_id: my-gcp-project-id + + # Google Pub/Sub topic containing firewall logs. Stackdriver must be + # configured to use this topic as a sink for firewall logs. + var.topic: gcp-vpc-audit + + # Google Pub/Sub subscription for the topic. Filebeat will create this + # subscription if it does not exist. + var.subscription_name: filebeat-gcp-audit + + # Credentials file for the service account with authorization to read from + # the subscription. + var.credentials_file: ${path.config}/gcp-service-account-xyz.json 
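Review bot: The new `x-pack/filebeat/modules.d/googlecloud.yml.disabled` declares `- module: gcp`, not `googlecloud`, so it is a second copy of the `gcp` module's configuration under a deprecated file name, with every fileset `enabled: true`. If a user enables both this file and `gcp.yml`, two `gcp` instances would be configured with identical `var.subscription_name` values (`filebeat-gcp-vpc-flowlogs-sub`, `filebeat-gcp-firewall-sub`, `filebeat-gcp-audit`) and, as far as the config alone shows, would compete for the same Pub/Sub subscriptions. The file also ships `var.credentials_file: ${path.config}/gcp-service-account-xyz.json` three times as live, uncommented settings. Since the file's own comment already says `# googlecloud module is deprecated, please use gcp instead`, the cleanest fix is to not add it; if it must ship, each `enabled: true` should be `enabled: false`.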
diff --git a/x-pack/filebeat/modules.d/gsuite.yml.disabled b/x-pack/filebeat/modules.d/gsuite.yml.disabled new file mode 100644 index 00000000000..ddb160dcbac --- /dev/null +++ b/x-pack/filebeat/modules.d/gsuite.yml.disabled @@ -0,0 +1,53 @@ +# Module: gsuite +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-gsuite.html + +# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. +- module: gsuite + saml: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + user_accounts: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h diff --git a/x-pack/filebeat/modules.d/ibmmq.yml.disabled b/x-pack/filebeat/modules.d/ibmmq.yml.disabled index 4ad3209a90e..0acfa0b0bce 100644 --- a/x-pack/filebeat/modules.d/ibmmq.yml.disabled 
+++ b/x-pack/filebeat/modules.d/ibmmq.yml.disabled @@ -4,7 +4,7 @@ - module: ibmmq # All logs errorlog: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/imperva.yml.disabled b/x-pack/filebeat/modules.d/imperva.yml.disabled index cd864075960..f5e69959cf9 100644 --- a/x-pack/filebeat/modules.d/imperva.yml.disabled +++ b/x-pack/filebeat/modules.d/imperva.yml.disabled @@ -3,7 +3,7 @@ - module: imperva securesphere: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/infoblox.yml.disabled b/x-pack/filebeat/modules.d/infoblox.yml.disabled index 24d524d259d..ec5385c6df7 100644 --- a/x-pack/filebeat/modules.d/infoblox.yml.disabled +++ b/x-pack/filebeat/modules.d/infoblox.yml.disabled @@ -3,7 +3,7 @@ - module: infoblox nios: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/iptables.yml.disabled b/x-pack/filebeat/modules.d/iptables.yml.disabled index 2d51c67f24e..833fd91537b 100644 --- a/x-pack/filebeat/modules.d/iptables.yml.disabled +++ b/x-pack/filebeat/modules.d/iptables.yml.disabled @@ -3,7 +3,7 @@ - module: iptables log: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled index 583f47bb7f7..6ffe87834a4 100644 --- a/x-pack/filebeat/modules.d/juniper.yml.disabled +++ b/x-pack/filebeat/modules.d/juniper.yml.disabled @@ -3,7 +3,7 @@ - module: juniper junos: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp 
@@ -22,7 +22,7 @@ # var.tz_offset: local netscreen: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -41,7 +41,7 @@ # var.tz_offset: local srx: - enabled: false + enabled: true # Set which input to use between tcp, udp (default) or file. #var.input: udp diff --git a/x-pack/filebeat/modules.d/microsoft.yml.disabled b/x-pack/filebeat/modules.d/microsoft.yml.disabled index e4af73ad6ed..43944caad29 100644 --- a/x-pack/filebeat/modules.d/microsoft.yml.disabled +++ b/x-pack/filebeat/modules.d/microsoft.yml.disabled @@ -4,7 +4,7 @@ - module: microsoft # ATP configuration defender_atp: - enabled: false + enabled: true # How often the API should be polled #var.interval: 5m @@ -17,7 +17,7 @@ # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" m365_defender: - enabled: false + enabled: true # How often the API should be polled #var.interval: 5m @@ -34,7 +34,7 @@ #var.oauth2.scopes: # - "https://api.security.microsoft.com/.default" dhcp: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/misp.yml.disabled b/x-pack/filebeat/modules.d/misp.yml.disabled index 4e405aaac70..610cc874073 100644 --- a/x-pack/filebeat/modules.d/misp.yml.disabled +++ b/x-pack/filebeat/modules.d/misp.yml.disabled @@ -5,7 +5,7 @@ - module: misp threat: - enabled: false + enabled: true # API key to access MISP #var.api_key diff --git a/x-pack/filebeat/modules.d/mssql.yml.disabled b/x-pack/filebeat/modules.d/mssql.yml.disabled index c8473c91dd5..3fdaac9e8a6 100644 --- a/x-pack/filebeat/modules.d/mssql.yml.disabled +++ b/x-pack/filebeat/modules.d/mssql.yml.disabled @@ -4,7 +4,7 @@ - module: mssql # Fileset for native deployment log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
diff --git a/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled b/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled index 33c1731cd19..c04fb9c1908 100644 --- a/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled +++ b/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled @@ -3,7 +3,7 @@ - module: mysqlenterprise audit: - enabled: false + enabled: true # Sets the input type. Currently only supports file #var.input: file diff --git a/x-pack/filebeat/modules.d/netflow.yml.disabled b/x-pack/filebeat/modules.d/netflow.yml.disabled index 7f365e90b43..f0d03a1fef2 100644 --- a/x-pack/filebeat/modules.d/netflow.yml.disabled +++ b/x-pack/filebeat/modules.d/netflow.yml.disabled @@ -3,7 +3,7 @@ - module: netflow log: - enabled: false + enabled: true var: netflow_host: localhost netflow_port: 2055 diff --git a/x-pack/filebeat/modules.d/netscout.yml.disabled b/x-pack/filebeat/modules.d/netscout.yml.disabled index c6d5520629b..988f1b98899 100644 --- a/x-pack/filebeat/modules.d/netscout.yml.disabled +++ b/x-pack/filebeat/modules.d/netscout.yml.disabled @@ -3,7 +3,7 @@ - module: netscout sightline: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/o365.yml.disabled b/x-pack/filebeat/modules.d/o365.yml.disabled index ab61528d6f9..a2bdc1ecee3 100644 --- a/x-pack/filebeat/modules.d/o365.yml.disabled +++ b/x-pack/filebeat/modules.d/o365.yml.disabled @@ -3,7 +3,7 @@ - module: o365 audit: - enabled: false + enabled: true # Set the application_id (also known as client ID): var.application_id: "" diff --git a/x-pack/filebeat/modules.d/okta.yml.disabled b/x-pack/filebeat/modules.d/okta.yml.disabled index 062856ce4e4..66965ac4ba2 100644 --- a/x-pack/filebeat/modules.d/okta.yml.disabled +++ b/x-pack/filebeat/modules.d/okta.yml.disabled 
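Review bot: Enabling the `netflow` `log` fileset turns the uncommented `var: netflow_host: localhost netflow_port: 2055` into a live UDP collector the moment the module is activated, with no other opt-in step in the file. A listener that users did not ask for is the wrong default for a template; revert to `enabled: false` so the address and port are only bound by users who configured them, or add `# a UDP listener is bound on netflow_host:netflow_port as soon as this fileset is enabled` above the key.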
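Review bot: The `o365` `audit` fileset is now `enabled: true` while the uncommented `var.application_id: ""` stays empty, so an activated module starts a fileset whose client ID is blank. Whether that fails fast or attempts to poll with no identity I cannot tell from this hunk, but an empty credential on an enabled-by-default fileset is a misconfiguration trap either way. Revert to `enabled: false`, or document the requirement inline: `# application_id must be set before enabling this fileset`.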
@@ -3,7 +3,7 @@ - module: okta system: - enabled: false + enabled: true # You must configure the URL with your Okta domain and provide an # API token to access the logs API. #var.url: https://yourOktaDomain/api/v1/logs diff --git a/x-pack/filebeat/modules.d/oracle.yml.disabled b/x-pack/filebeat/modules.d/oracle.yml.disabled index aa24b1f6755..d8b1d8c58e2 100644 --- a/x-pack/filebeat/modules.d/oracle.yml.disabled +++ b/x-pack/filebeat/modules.d/oracle.yml.disabled @@ -3,7 +3,7 @@ - module: oracle database_audit: - enabled: false + enabled: true # Set which input to use between syslog or file (default). #var.input: file diff --git a/x-pack/filebeat/modules.d/panw.yml.disabled b/x-pack/filebeat/modules.d/panw.yml.disabled index 1a630f8fb4e..0bd5bf33419 100644 --- a/x-pack/filebeat/modules.d/panw.yml.disabled +++ b/x-pack/filebeat/modules.d/panw.yml.disabled @@ -3,7 +3,7 @@ - module: panw panos: - enabled: false + enabled: true # Set which input to use between syslog (default) or file. #var.input: diff --git a/x-pack/filebeat/modules.d/proofpoint.yml.disabled b/x-pack/filebeat/modules.d/proofpoint.yml.disabled index 34b31277086..b0f94ac3022 100644 --- a/x-pack/filebeat/modules.d/proofpoint.yml.disabled +++ b/x-pack/filebeat/modules.d/proofpoint.yml.disabled @@ -3,7 +3,7 @@ - module: proofpoint emailsecurity: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/rabbitmq.yml.disabled b/x-pack/filebeat/modules.d/rabbitmq.yml.disabled index 437cf9a5721..c446834f99e 100644 --- a/x-pack/filebeat/modules.d/rabbitmq.yml.disabled +++ b/x-pack/filebeat/modules.d/rabbitmq.yml.disabled @@ -4,7 +4,7 @@ - module: rabbitmq # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. 
diff --git a/x-pack/filebeat/modules.d/radware.yml.disabled b/x-pack/filebeat/modules.d/radware.yml.disabled index 553d8459127..ad17e4fcd7d 100644 --- a/x-pack/filebeat/modules.d/radware.yml.disabled +++ b/x-pack/filebeat/modules.d/radware.yml.disabled @@ -3,7 +3,7 @@ - module: radware defensepro: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/snort.yml.disabled b/x-pack/filebeat/modules.d/snort.yml.disabled index 89d25c4b556..b8abbd3e370 100644 --- a/x-pack/filebeat/modules.d/snort.yml.disabled +++ b/x-pack/filebeat/modules.d/snort.yml.disabled @@ -3,7 +3,7 @@ - module: snort log: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/snyk.yml.disabled b/x-pack/filebeat/modules.d/snyk.yml.disabled index f92cf1d71f0..b8f62d7b885 100644 --- a/x-pack/filebeat/modules.d/snyk.yml.disabled +++ b/x-pack/filebeat/modules.d/snyk.yml.disabled @@ -3,7 +3,7 @@ - module: snyk audit: - enabled: false + enabled: true # Set which input to use between httpjson (default) or file. #var.input: httpjson # @@ -32,7 +32,7 @@ #var.email_address: "" vulnerabilities: - enabled: false + enabled: true # Set which input to use between httpjson (default) or file. #var.input: httpjson # How often the API should be polled. Data from the Snyk API is automatically updated diff --git a/x-pack/filebeat/modules.d/sonicwall.yml.disabled b/x-pack/filebeat/modules.d/sonicwall.yml.disabled index f267d355b37..975b4577c13 100644 --- a/x-pack/filebeat/modules.d/sonicwall.yml.disabled +++ b/x-pack/filebeat/modules.d/sonicwall.yml.disabled @@ -3,7 +3,7 @@ - module: sonicwall firewall: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp 
diff --git a/x-pack/filebeat/modules.d/sophos.yml.disabled b/x-pack/filebeat/modules.d/sophos.yml.disabled index e875354ad62..d0a7b23c632 100644 --- a/x-pack/filebeat/modules.d/sophos.yml.disabled +++ b/x-pack/filebeat/modules.d/sophos.yml.disabled @@ -3,7 +3,7 @@ - module: sophos xg: - enabled: false + enabled: true # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -27,7 +27,7 @@ utm: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/squid.yml.disabled b/x-pack/filebeat/modules.d/squid.yml.disabled index 81d5f6e0af0..3656c1b8eed 100644 --- a/x-pack/filebeat/modules.d/squid.yml.disabled +++ b/x-pack/filebeat/modules.d/squid.yml.disabled @@ -3,7 +3,7 @@ - module: squid log: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/suricata.yml.disabled b/x-pack/filebeat/modules.d/suricata.yml.disabled index 98e905fff23..d710dac848f 100644 --- a/x-pack/filebeat/modules.d/suricata.yml.disabled +++ b/x-pack/filebeat/modules.d/suricata.yml.disabled @@ -4,7 +4,7 @@ - module: suricata # All logs eve: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/threatintel.yml.disabled b/x-pack/filebeat/modules.d/threatintel.yml.disabled index 55f192feb11..e150fe8835a 100644 --- a/x-pack/filebeat/modules.d/threatintel.yml.disabled +++ b/x-pack/filebeat/modules.d/threatintel.yml.disabled @@ -3,7 +3,7 @@ - module: threatintel abuseurl: - enabled: false + enabled: true # Input used for ingesting threat intel data. var.input: httpjson @@ -15,7 +15,7 @@ var.interval: 10m abusemalware: - enabled: false + enabled: true # Input used for ingesting threat intel data. var.input: httpjson 
@@ -27,7 +27,7 @@ var.interval: 10m malwarebazaar: - enabled: false + enabled: true # Input used for ingesting threat intel data. var.input: httpjson @@ -39,7 +39,7 @@ var.interval: 10m misp: - enabled: false + enabled: true # Input used for ingesting threat intel data, defaults to JSON. var.input: httpjson @@ -68,7 +68,7 @@ var.interval: 5m otx: - enabled: false + enabled: true # Input used for ingesting threat intel data var.input: httpjson @@ -95,7 +95,7 @@ var.interval: 5m anomali: - enabled: false + enabled: true # Input used for ingesting threat intel data var.input: httpjson @@ -117,7 +117,7 @@ var.interval: 5m anomalithreatstream: - enabled: false + enabled: true # Input used for ingesting threat intel data var.input: http_endpoint @@ -142,7 +142,7 @@ # var.ssl_key: path/to/ssl_key.pem recordedfuture: - enabled: false + enabled: true # Input used for ingesting threat intel data var.input: httpjson diff --git a/x-pack/filebeat/modules.d/tomcat.yml.disabled b/x-pack/filebeat/modules.d/tomcat.yml.disabled index dc7a8d7eadd..3dde8911ac0 100644 --- a/x-pack/filebeat/modules.d/tomcat.yml.disabled +++ b/x-pack/filebeat/modules.d/tomcat.yml.disabled @@ -3,7 +3,7 @@ - module: tomcat log: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/zeek.yml.disabled b/x-pack/filebeat/modules.d/zeek.yml.disabled index 2ceeeea911d..d1349bf1388 100644 --- a/x-pack/filebeat/modules.d/zeek.yml.disabled +++ b/x-pack/filebeat/modules.d/zeek.yml.disabled 
@@ -3,83 +3,83 @@ - module: zeek capture_loss: - enabled: false + enabled: true connection: - enabled: false + enabled: true dce_rpc: - enabled: false + enabled: true dhcp: - enabled: false + enabled: true dnp3: - enabled: false + enabled: true dns: - enabled: false + enabled: true dpd: - enabled: false + enabled: true files: - enabled: false + enabled: true ftp: - enabled: false + enabled: true http: - enabled: false + enabled: true intel: - enabled: false + enabled: true irc: - enabled: false + enabled: true kerberos: - enabled: false + enabled: true modbus: - enabled: false + enabled: true mysql: - enabled: false + enabled: true notice: - enabled: false + enabled: true ntp: - enabled: false + enabled: true ntlm: - enabled: false + enabled: true ocsp: - enabled: false + enabled: true pe: - enabled: false + enabled: true radius: - enabled: false + enabled: true rdp: - enabled: false + enabled: true rfb: - enabled: false + enabled: true signature: - enabled: false + enabled: true sip: - enabled: false + enabled: true smb_cmd: - enabled: false + enabled: true smb_files: - enabled: false + enabled: true smb_mapping: - enabled: false + enabled: true smtp: - enabled: false + enabled: true snmp: - enabled: false + enabled: true socks: - enabled: false + enabled: true ssh: - enabled: false + enabled: true ssl: - enabled: false + enabled: true stats: - enabled: false + enabled: true syslog: - enabled: false + enabled: true traceroute: - enabled: false + enabled: true tunnel: - enabled: false + enabled: true weird: - enabled: false + enabled: true x509: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/zookeeper.yml.disabled b/x-pack/filebeat/modules.d/zookeeper.yml.disabled index f632c0de9e7..34273eacff4 100644 --- a/x-pack/filebeat/modules.d/zookeeper.yml.disabled +++ b/x-pack/filebeat/modules.d/zookeeper.yml.disabled 
@@ -4,14 +4,14 @@ - module: zookeeper # All logs audit: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: # All logs log: - enabled: false + enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/zoom.yml.disabled b/x-pack/filebeat/modules.d/zoom.yml.disabled index a04706cf15a..f5320d112b9 100644 --- a/x-pack/filebeat/modules.d/zoom.yml.disabled +++ b/x-pack/filebeat/modules.d/zoom.yml.disabled @@ -3,7 +3,7 @@ - module: zoom webhook: - enabled: false + enabled: true # The type of input to use #var.input: http_endpoint diff --git a/x-pack/filebeat/modules.d/zscaler.yml.disabled b/x-pack/filebeat/modules.d/zscaler.yml.disabled index 732a033073b..2c8f03ebcc3 100644 --- a/x-pack/filebeat/modules.d/zscaler.yml.disabled +++ b/x-pack/filebeat/modules.d/zscaler.yml.disabled @@ -3,7 +3,7 @@ - module: zscaler zia: - enabled: false + enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/heartbeat/monitors/browser/source/zipurl.go b/x-pack/heartbeat/monitors/browser/source/zipurl.go index 9dc9c8ab633..400bf258910 100644 --- a/x-pack/heartbeat/monitors/browser/source/zipurl.go +++ b/x-pack/heartbeat/monitors/browser/source/zipurl.go @@ -14,8 +14,6 @@ import ( "path/filepath" "strings" "time" - - "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon" ) type ZipURLSource struct { 
@@ -25,25 +23,13 @@ type ZipURLSource struct { Password string `config:"password" json:"password"` Retries int `config:"retries" default:"3" json:"retries"` BaseSource - TargetDirectory string `config:"target_directory" json:"target_directory"` - // Etag from last successful fetch - etag string - - Transport httpcommon.HTTPTransportSettings `config:",inline" yaml:",inline"` - - httpClient *http.Client + etag string + TargetDirectory string `config:"target_directory" json:"target_directory"` } var ErrNoEtag = fmt.Errorf("No ETag header in zip file response. Heartbeat requires an etag to efficiently cache downloaded code") -func (z *ZipURLSource) Validate() (err error) { - if z.httpClient == nil { - z.httpClient, _ = z.Transport.Client() - } - return err -} - func (z *ZipURLSource) Fetch() error { changed, err := checkIfChanged(z) if err != nil { @@ -195,7 +181,6 @@ func retryingZipRequest(method string, z *ZipURLSource) (resp *http.Response, er } func zipRequest(method string, z *ZipURLSource) (*http.Response, error) { - req, err := http.NewRequest(method, z.URL, nil) if err != nil { return nil, fmt.Errorf("could not issue request to: %s %w", z.URL, err) @@ -203,7 +188,7 @@ func zipRequest(method string, z *ZipURLSource) (*http.Response, error) { if z.Username != "" && z.Password != "" { req.SetBasicAuth(z.Username, z.Password) } - return z.httpClient.Do(req) + return http.DefaultClient.Do(req) } func download(z *ZipURLSource, tf *os.File) (etag string, err error) { diff --git a/x-pack/heartbeat/monitors/browser/source/zipurl_test.go b/x-pack/heartbeat/monitors/browser/source/zipurl_test.go index 9c160684642..2283fcf443f 100644 --- a/x-pack/heartbeat/monitors/browser/source/zipurl_test.go +++ b/x-pack/heartbeat/monitors/browser/source/zipurl_test.go @@ -5,9 +5,9 @@ package source import ( + "context" "fmt" "net/http" - "net/http/httptest" "os" "path" "path/filepath" 
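Review bot: `return http.DefaultClient.Do(req)` in zipRequest (hunk `@@ -203,7 +188,7 @@`) downloads the bundle with a client that has no timeout and no per-source TLS or proxy configuration, so a stalled server blocks Fetch for as long as it likes and the `ssl`/transport options that went through the removed `Transport httpcommon.HTTPTransportSettings` field and `Validate` (hunk `@@ -25,25 +23,13 @@`) are silently lost. If the per-source transport is meant to go, the package should at least own a bounded client, e.g. `var zipClient = &http.Client{Timeout: 30 * time.Second}` at package level and `return zipClient.Do(req)` here; `time` is already imported according to the first hunk. The callers retryingZipRequest and download sit outside the hunks, so whether they impose a deadline of their own is not visible here.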
@@ -15,121 +15,59 @@ import ( "testing" "github.com/stretchr/testify/require" - "gopkg.in/yaml.v2" - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/x-pack/heartbeat/monitors/browser/source/fixtures" ) -func TestSimpleCases(t *testing.T) { - type testCase struct { - name string - cfg common.MapStr - tlsServer bool - wantFetchErr bool - } - testCases := []testCase{ - { - "basics", - common.MapStr{ - "folder": "/", - "retries": 3, - }, - false, - false, - }, - { - "targetdir", - common.MapStr{ - "folder": "/", - "retries": 3, - "target_directory": "/tmp/synthetics/blah", - }, - false, - false, - }, - { - "auth success", - common.MapStr{ - "folder": "/", - "retries": 3, - "username": "testuser", - "password": "testpass", - }, - false, - false, - }, - { - "auth failure", - common.MapStr{ - "folder": "/", - "retries": 3, - "username": "testuser", - "password": "badpass", - }, - false, - true, - }, - { - "ssl ignore cert errors", - common.MapStr{ - "folder": "/", - "retries": 3, - "ssl": common.MapStr{ - "enabled": "true", - "verification_mode": "none", - }, - }, - true, - false, - }, - { - "bad ssl", - common.MapStr{ - "folder": "/", - "retries": 3, - "ssl": common.MapStr{ - "enabled": "true", - "certificate_authorities": []string{}, - }, - }, - true, - true, - }, +func TestZipUrlFetchNoAuth(t *testing.T) { + address, teardown := setupTests() + defer teardown() + + zus := &ZipURLSource{ + URL: fmt.Sprintf("http://%s/fixtures/todos.zip", address), + Folder: "/", + Retries: 3, } + fetchAndCheckDir(t, zus) +} - for _, tc := range testCases { - url, teardown := setupTests(tc.tlsServer) - defer teardown() - t.Run(tc.name, func(t *testing.T) { - tc.cfg["url"] = fmt.Sprintf("%s/fixtures/todos.zip", url) - zus, err := dummyZus(tc.cfg) - require.NoError(t, err) +func TestZipUrlFetchWithAuth(t *testing.T) { + address, teardown := setupTests() + defer teardown() - require.NotNil(t, zus.httpClient) + zus := &ZipURLSource{ + URL: 
fmt.Sprintf("http://%s/fixtures/todos.zip", address), + Folder: "/", + Retries: 3, + Username: "testuser", + Password: "testpass", + } + fetchAndCheckDir(t, zus) +} - if tc.wantFetchErr == true { - err := zus.Fetch() - require.Error(t, err) - return - } +func TestZipUrlTargetDirectory(t *testing.T) { + address, teardown := setupTests() + defer teardown() - fetchAndCheckDir(t, zus) - }) + zus := &ZipURLSource{ + URL: fmt.Sprintf("http://%s/fixtures/todos.zip", address), + Folder: "/", + Retries: 3, + TargetDirectory: "/tmp/synthetics/blah", } + fetchAndCheckDir(t, zus) } func TestZipUrlWithSameEtag(t *testing.T) { - address, teardown := setupTests(false) + address, teardown := setupTests() defer teardown() - zus, err := dummyZus(common.MapStr{ - "url": fmt.Sprintf("%s/fixtures/todos.zip", address), - "folder": "/", - "retries": 3, - }) - require.NoError(t, err) - err = zus.Fetch() + zus := ZipURLSource{ + URL: fmt.Sprintf("http://%s/fixtures/todos.zip", address), + Folder: "/", + Retries: 3, + } + err := zus.Fetch() defer zus.Close() require.NoError(t, err) 
@@ -142,33 +80,32 @@ func TestZipUrlWithSameEtag(t *testing.T) { } func TestZipUrlWithBadUrl(t *testing.T) { - _, teardown := setupTests(false) + _, teardown := setupTests() defer teardown() - zus, err := dummyZus(common.MapStr{ - "url": "http://notahost.notadomaintoehutoeuhn", - "folder": "/", - "retries": 2, - }) - require.NoError(t, err) - err = zus.Fetch() + zus := ZipURLSource{ + URL: "http://notahost.notadomaintoehutoeuhn", + Folder: "/", + Retries: 2, + } + err := zus.Fetch() defer zus.Close() require.Error(t, err) } -func setupTests(tls bool) (addr string, teardown func()) { +func setupTests() (addr string, teardown func()) { // go offline, so we dont invoke npm install for unit tests GoOffline() - srv := createServer(tls) - address := srv.URL + srv := createServer() + address := srv.Addr return address, func() { GoOnline() - srv.Close() + srv.Shutdown(context.Background()) } } -func createServer(tls bool) (addr *httptest.Server) { +func createServer() (addr *http.Server) { _, filename, _, _ := runtime.Caller(0) fixturesPath := path.Join(filepath.Dir(filename), "fixtures") fileServer := http.FileServer(http.Dir(fixturesPath)) @@ -184,12 +121,10 @@ func createServer(tls bool) (addr *httptest.Server) { http.StripPrefix("/fixtures", fileServer).ServeHTTP(resp, req) }) - var srv *httptest.Server - if tls { - srv = httptest.NewTLSServer(mux) - } else { - srv = httptest.NewServer(mux) - } + srv := &http.Server{Addr: "localhost:1234", Handler: mux} + go func() { + srv.ListenAndServe() + }() return srv } 
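Review bot: In createServer (hunk `@@ -184,12 +121,10 @@`) the listener is bound to the fixed address `localhost:1234` and `srv.ListenAndServe()` runs in a goroutine with its error discarded, so when the port is taken — by another process, or by a server a previous test has not finished shutting down, since setupTests also drops the `srv.Shutdown` error — the fixture server silently never comes up and the tests fail on the first request with an unrelated connection error. Listening on an ephemeral port first and serving on that listener keeps the failure at setup and removes the collision; setupTests keeps working because it reads `srv.Addr`, which below is set from the listener. This needs `net` in the import block of hunk `@@ -5,9 +5,9 @@`, and threading `*testing.T` into createServer would let the panics become `t.Fatalf`. Separately, nothing in the rewritten file exercises TLS any more, so certificate verification on the zip download has no test coverage left.
```go
func createServer() (addr *http.Server) {
	// … unchanged: fixtures path, file server and mux …
	ln, err := net.Listen("tcp", "localhost:0")
	if err != nil {
		panic(fmt.Sprintf("listening for fixtures server: %v", err))
	}
	srv := &http.Server{Addr: ln.Addr().String(), Handler: mux}
	go func() {
		if err := srv.Serve(ln); err != nil && err != http.ErrServerClosed {
			panic(fmt.Sprintf("fixtures server: %v", err))
		}
	}()
	return srv
}
```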
@@ -205,14 +140,3 @@ func fetchAndCheckDir(t *testing.T, zip *ZipURLSource) { _, err = os.Stat(zip.TargetDirectory) require.True(t, os.IsNotExist(err), "TargetDirectory %s should have been deleted", zip.TargetDirectory) } - -func dummyZus(conf map[string]interface{}) (*ZipURLSource, error) { - zus := &ZipURLSource{} - y, _ := yaml.Marshal(conf) - c, err := common.NewConfigWithYAML(y, string(y)) - if err != nil { - return nil, err - } - err = c.Unpack(zus) - return zus, err -} diff --git a/x-pack/libbeat/persistentcache/store.go b/x-pack/libbeat/persistentcache/store.go index a114a51cc3f..e14b90fedda 100644 --- a/x-pack/libbeat/persistentcache/store.go +++ b/x-pack/libbeat/persistentcache/store.go @@ -10,7 +10,7 @@ import ( "path/filepath" "time" - badger "github.com/dgraph-io/badger/v3" + badger "github.com/dgraph-io/badger/v2" "github.com/elastic/beats/v7/libbeat/logp" ) diff --git a/x-pack/metricbeat/module/gcp/billing/_meta/docs.asciidoc b/x-pack/metricbeat/module/gcp/billing/_meta/docs.asciidoc index d66330f927f..ccf26a17600 100644 --- a/x-pack/metricbeat/module/gcp/billing/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/gcp/billing/_meta/docs.asciidoc @@ -27,7 +27,7 @@ tax, adjustment, or rounding error. Default to `regular`. === Configuration example [source,yaml] ---- -- module: gcp +- module: googlecloud metricsets: - billing period: 24h diff --git a/x-pack/metricbeat/module/gcp/metrics/_meta/docs.asciidoc b/x-pack/metricbeat/module/gcp/metrics/_meta/docs.asciidoc index 45b5be522a0..157e336e08b 100644 --- a/x-pack/metricbeat/module/gcp/metrics/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/gcp/metrics/_meta/docs.asciidoc @@ -58,7 +58,7 @@ given aggregation aligner applied for each metric type. + [source,yaml] ---- -- module: gcp +- module: googlecloud metricsets: - metrics zone: "europe-west1-c" @@ -91,7 +91,7 @@ ignored. + [source,yaml] ---- -- module: gcp +- module: googlecloud metricsets: - metrics zone: "europe-west1-c" 
@@ -125,7 +125,7 @@ every minute with no aggregation. The metric types in `compute` service with + [source,yaml] ---- -- module: gcp +- module: googlecloud metricsets: - metrics zone: "europe-west1-c" @@ -149,7 +149,7 @@ metric prefix, as for GKE metrics the required prefix is `kubernetes.io/` + [source,yaml] ---- -- module: gcp +- module: googlecloud metricsets: - metrics zone: "europe-west1-c" diff --git a/x-pack/osquerybeat/beater/logger_plugin.go b/x-pack/osquerybeat/beater/logger_plugin.go index deefbc6d9b0..bbf327eef44 100644 --- a/x-pack/osquerybeat/beater/logger_plugin.go +++ b/x-pack/osquerybeat/beater/logger_plugin.go @@ -35,19 +35,15 @@ const osqueryLogMessageFieldsCount = 6 type osqLogSeverity int -// The severity levels are taken from osquery source -// https://github.com/osquery/osquery/blob/master/osquery/core/plugins/logger.h#L39 -// enum StatusLogSeverity { -// O_INFO = 0, -// O_WARNING = 1, -// O_ERROR = 2, -// O_FATAL = 3, -// }; const ( - severityInfo osqLogSeverity = iota - severityWarning - severityError - severityFatal + severityEmerg osqLogSeverity = iota + severityAlert + severityCrit + severityErr + severityWarn + severityNotice + severityInfo + severityDebug ) func (m *osqueryLogMessage) Log(typ logger.LogType, log *logp.Logger) { @@ -69,12 +65,14 @@ func (m *osqueryLogMessage) Log(typ logger.LogType, log *logp.Logger) { args = append(args, m.UnixTime) switch osqLogSeverity(m.Severity) { - case severityError, severityFatal: + case severityEmerg, severityAlert, severityCrit: log.Errorw(m.Message, args...) - case severityWarning: + case severityWarn, severityNotice: log.Warnw(m.Message, args...) case severityInfo: log.Infow(m.Message, args...) + case severityDebug: + log.Debugw(m.Message, args...) default: log.Debugw(m.Message, args...) } diff --git a/x-pack/osquerybeat/beater/osquerybeat.go b/x-pack/osquerybeat/beater/osquerybeat.go index 5e5923bc909..6e1406b739f 100644 --- a/x-pack/osquerybeat/beater/osquerybeat.go 
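Review bot: In the rewritten switch in Log (hunk `@@ -69,12 +65,14 @@`) `severityErr` appears in no case, so a message with severity 3 drops to `default` and is emitted with `log.Debugw`, i.e. an error-level osquery status line is hidden at debug level. It belongs in the first case, `case severityEmerg, severityAlert, severityCrit, severityErr:`, and the separate `case severityDebug:` can go since it duplicates `default`. The const block in `@@ -35,19 +35,15 @@` also removes the comment that tied the numbering to osquery's own StatusLogSeverity enum (0–3, INFO…FATAL); if osqueryd still emits those values, the new eight-level syslog-style numbering would route an INFO status (0) through Errorw and a FATAL one (3) to debug. A replacement comment stating where the new values come from is needed, e.g. `// Severity values follow syslog levels (emerg=0 … debug=7); confirm osqueryd emits these rather than its StatusLogSeverity enum.`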
+++ b/x-pack/osquerybeat/beater/osquerybeat.go @@ -194,7 +194,7 @@ func (bt *osquerybeat) Run(b *beat.Beat) error { for { select { case <-ctx.Done(): - bt.log.Info("osquerybeat context cancelled, exiting") + bt.log.Info("context cancelled, exiting") return ctx.Err() case inputConfigs := <-inputConfigCh: bt.pub.Configure(inputConfigs) @@ -258,6 +258,11 @@ func (bt *osquerybeat) runOsquery(ctx context.Context, b *beat.Beat, osq *osqd.O bt.handleSnapshotResult(ctx, cli, configPlugin, res) }) + // Run extensions + g.Go(func() error { + return runExtensionServer(ctx, socketPath, configPlugin, loggerPlugin, osqueryTimeout) + }) + // Run main loop g.Go(func() error { // Connect to osqueryd @@ -267,11 +272,6 @@ func (bt *osquerybeat) runOsquery(ctx context.Context, b *beat.Beat, osq *osqd.O } defer cli.Close() - // Run extensions only after succesful connect, otherwise the extension server fails with windows pipes if the pipe was not created by osqueryd yet - g.Go(func() error { - return runExtensionServer(ctx, socketPath, configPlugin, loggerPlugin, osqueryTimeout) - }) - // Register action handler ah := bt.registerActionHandler(b, cli) defer bt.unregisterActionHandler(b, ah) @@ -280,7 +280,7 @@ func (bt *osquerybeat) runOsquery(ctx context.Context, b *beat.Beat, osq *osqd.O for { select { case <-ctx.Done(): - bt.log.Info("runOsquery context cancelled, exiting") + bt.log.Info("context cancelled, exiting") return ctx.Err() case inputConfigs := <-inputCh: err = configPlugin.Set(inputConfigs) From 6906076f5d6346afdfb0cf26b001efe09a22d422 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 16 Sep 2021 18:50:48 -0700 Subject: [PATCH 24/63] Fix lint error for missing HdrHistogram/hdrhistogram-go entry in go.sum --- go.sum | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/go.sum b/go.sum index b70e27e1d6c..501fc99a763 100644 --- a/go.sum +++ b/go.sum 
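Review bot: The `g.Go` that starts runExtensionServer now runs before the osqueryd connection is established (hunk `@@ -258,6 +258,11 @@`), while the comment removed in `@@ -267,11 +272,6 @@` stated that the server was deliberately started only after a successful connect because on Windows it fails when the pipe has not yet been created by osqueryd. Nothing in the new code handles that case, so unless the pipe race has been fixed elsewhere this reintroduces it; if the early start is intentional, the reason belongs above the call, e.g. `// Safe to start before connect: <why the Windows pipe race no longer applies>`. The two log lines changed to the identical `"context cancelled, exiting"` (hunks `@@ -194,7 +194,7 @@` and `@@ -280,7 +280,7 @@`) also lose the only thing that told Run and runOsquery apart in logs; assuming bt.log is a *logp.Logger as in logger_plugin.go, `bt.log.Infow("context cancelled, exiting", "loop", "runOsquery")` keeps the message uniform while staying distinguishable. runOsquery's body extends outside the hunks.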
@@ -97,8 +97,6 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/zstd v1.4.1 h1:3oxKN3wbHibqx897utPC2LTQU4J+IHWWJO+glkAkpFM= github.com/DataDog/zstd v1.4.1/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= -github.com/HdrHistogram/hdrhistogram-go v1.0.1 h1:GX8GAYDuhlFQnI2fRDHQhTlkHMz8bEn0jTI6LJU0mpw= -github.com/HdrHistogram/hdrhistogram-go v1.0.1/go.mod h1:BWJ+nMSHY3L41Zj7CA3uXnloDp7xxV0YvstAE7nKTaM= github.com/Masterminds/semver v1.4.2 h1:WBLTQ37jOCzSLtXNdoo8bNM8876KhNqOKvrlGITgsTc= github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Microsoft/hcsshim v0.8.7 h1:ptnOoufxGSzauVTsdE+wMYnCWA301PdoN4xg5oRdZpg= @@ -1073,3 +1071,5 @@ sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= +github.com/HdrHistogram/hdrhistogram-go v1.0.1 h1:GX8GAYDuhlFQnI2fRDHQhTlkHMz8bEn0jTI6LJU0mpw= +github.com/HdrHistogram/hdrhistogram-go v1.0.1/go.mod h1:BWJ+nMSHY3L41Zj7CA3uXnloDp7xxV0YvstAE7nKTaM= From 651e55cc0b0bb391a0e63622a92f352465b168f2 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 16 Sep 2021 19:03:40 -0700 Subject: [PATCH 25/63] Fix lint error for missing alecthomas/units entry in go.sum --- go.sum | 3 +++ 1 file changed, 3 insertions(+) diff --git a/go.sum b/go.sum index 501fc99a763..e4230116529 100644 --- a/go.sum +++ b/go.sum 
@@ -122,6 +122,9 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= +github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15 h1:AUNCr9CiJuwrRYS3XieqF+Z9B9gNxo/eANAJCF2eiN4= +github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE= github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20 h1:7rj9qZ63knnVo2ZeepYHvHuRdG76f3tRUTdIQDzRBeI= github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20/go.mod h1:cI59GRkC2FRaFYtgbYEqMlgnnfvAwXzjojyZKXwklNg= github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43 h1:WFwa9pqou0Nb4DdfBOyaBTH0GqLE74Qwdf61E7ITHwQ= From 2a1e9b700eb9887b336252c3888c302d72f971c2 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 16 Sep 2021 19:45:42 -0700 Subject: [PATCH 26/63] Fix lint error for missing aws/aws-sdk-go entry in go.sum --- go.sum | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/go.sum b/go.sum index e4230116529..d151dfff7d1 100644 --- a/go.sum +++ b/go.sum 
@@ -143,6 +143,13 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/aws/aws-lambda-go v1.6.0 h1:T+u/g79zPKw1oJM7xYhvpq7i4Sjc0iVsXZUaqRVVSOg= github.com/aws/aws-lambda-go v1.6.0/go.mod h1:zUsUQhAUjYzR8AuduJPCfhBuKWUaDbQiPOG+ouzmE1A= +github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.29.16/go.mod h1:1KvfttTE3SPKMpo8g2c6jL3ZKfXtFvKscTgahTma5Xg= +github.com/aws/aws-sdk-go v1.30.12/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= +github.com/aws/aws-sdk-go v1.34.28/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48= +github.com/aws/aws-sdk-go v1.38.60 h1:MgyEsX0IMwivwth1VwEnesBpH0vxbjp5a0w1lurMOXY= +github.com/aws/aws-sdk-go v1.38.60/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= +github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/aws/aws-sdk-go-v2 v0.24.0 h1:R0lL0krk9EyTI1vmO1ycoeceGZotSzCKO51LbPGq3rU= github.com/aws/aws-sdk-go-v2 v0.24.0/go.mod h1:2LhT7UgHOXK3UXONKI5OMgIyoQL6zTAw/jwIeX6yqzw= github.com/awslabs/goformation/v3 v3.1.0/go.mod h1:hQ5RXo3GNm2laHWKizDzU5DsDy+yNcenSca2UxN0850= From 7951dfb1ebc2b3ceec0aec9d11749f986e1c5914 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 16 Sep 2021 20:12:06 -0700 Subject: [PATCH 27/63] Fix lint error for missing containerd/containerd entry in go.sum --- go.sum | 2 ++ 1 file changed, 2 insertions(+) diff --git a/go.sum b/go.sum index d151dfff7d1..5b5810c352a 100644 --- a/go.sum +++ b/go.sum 
@@ -193,6 +193,8 @@ github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.3.3 h1:LoIzb5y9x5l8VKAlyrbusNPXqBY0+kviRloxFUMFwKc= github.com/containerd/containerd v1.3.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.4.3 h1:ijQT13JedHSHrQGWFcGEwzcNKrAGIiZ+jSD5QQG07SY= +github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20200107194136-26c1120b8d41 h1:kIFnQBO7rQ0XkMe6xEwbybYHBEaWmh/f++laI6Emt7M= github.com/containerd/continuity v0.0.0-20200107194136-26c1120b8d41/go.mod h1:Dq467ZllaHgAtVp4p1xUQWBrFXR9s/wyoTpG8zOJGkY= From 94199be36373d8d14eb12375cc7fee267c01687b Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 16 Sep 2021 20:44:39 -0700 Subject: [PATCH 28/63] Fix lint error for missing dgryski/go-sip13 entry in go.sum --- go.sum | 3 +++ 1 file changed, 3 insertions(+) diff --git a/go.sum b/go.sum index 5b5810c352a..0a8de44fdb9 100644 --- a/go.sum +++ b/go.sum 
@@ -236,6 +236,9 @@ github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de/go.mod h1:KP github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= +github.com/dgryski/go-sip13 v0.0.0-20190329191031-25c5027a8c7b/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/dgryski/go-sip13 v0.0.0-20200911182023-62edffca9245 h1:9cOfvEwjQxdwKuNDTQSaMKNRvwKwgZG+U4HrjeRKHso= +github.com/dgryski/go-sip13 v0.0.0-20200911182023-62edffca9245/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1 h1:eG5K5GNAAHvQlFmfIuy0Ocjg5dvyX22g/KknwTpmBko= github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1/go.mod h1:PRcPVAAma6zcLpFd4GZrjR/MRpood3TamjKI2m/z/Uw= github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4= From 571e238e2206c6d51ee2893b446adc30ea5102e4 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 16 Sep 2021 20:57:15 -0700 Subject: [PATCH 29/63] Fix lint error for missing digitalocean/godo entry in go.sum --- go.sum | 2 ++ 1 file changed, 2 insertions(+) diff --git a/go.sum b/go.sum index 0a8de44fdb9..1123da79eff 100644 --- a/go.sum +++ b/go.sum 
@@ -241,6 +241,8 @@ github.com/dgryski/go-sip13 v0.0.0-20200911182023-62edffca9245 h1:9cOfvEwjQxdwKu github.com/dgryski/go-sip13 v0.0.0-20200911182023-62edffca9245/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1 h1:eG5K5GNAAHvQlFmfIuy0Ocjg5dvyX22g/KknwTpmBko= github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1/go.mod h1:PRcPVAAma6zcLpFd4GZrjR/MRpood3TamjKI2m/z/Uw= +github.com/digitalocean/godo v1.62.0 h1:7Gw2KFsWkxl36qJa0s50tgXaE0Cgm51JdRP+MFQvNnM= +github.com/digitalocean/godo v1.62.0/go.mod h1:p7dOjjtSBqCTUksqtA5Fd3uaKs9kyTq2xcz76ulEJRU= github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf h1:uOWCk+L8abzw0BzmnCn7j7VT3g6bv9zW8fkR0yOP0Q4= From 91ce3e2853eadee47d23d20064d6ea5722de241d Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Thu, 16 Sep 2021 21:16:07 -0700 Subject: [PATCH 30/63] Fix lint error for missing edsrzf/mmap-go entry in go.sum --- go.sum | 2 ++ 1 file changed, 2 insertions(+) diff --git a/go.sum b/go.sum index 1123da79eff..8ec2ce8dfc0 100644 --- a/go.sum +++ b/go.sum 
@@ -276,6 +276,8 @@ github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/eclipse/paho.mqtt.golang v1.3.5 h1:sWtmgNxYM9P2sP+xEItMozsR3w0cqZFlqnNN1bdl41Y=
 github.com/eclipse/paho.mqtt.golang v1.3.5/go.mod h1:eTzb4gxwwyWpqBUHGQZ4ABAV7+Jgm1PklsYT/eo8Hcc=
+github.com/edsrzf/mmap-go v1.0.0 h1:CEBF7HpRnUCSJgGUb5h1Gm7e3VkmVDrR8lvWVLtrOFw=
+github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
 github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs=
 github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY=
 github.com/elastic/ecs v1.11.0 h1:eqcKejxlTzy+6TsCIkd0aBnKHEQOkSfeXnu+pmGYMUY=
From 36dddcd3505b0cc89df781ed15baff3808cac245 Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Thu, 16 Sep 2021 22:09:06 -0700
Subject: [PATCH 31/63] Fix lint error for missing go-kit/kit entry in go.sum

---
 go.sum | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go.sum b/go.sum
index 8ec2ce8dfc0..45dce945aab 100644
--- a/go.sum
+++ b/go.sum
@@ -340,6 +340,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0 h1:wDJmvq38kDhkVxi50ni9ykkdUr1PKgqKOoi01fa0Mdk=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/kit v0.10.0 h1:dXFJfIHVvUcpSgDOV+Ne6t7jXri8Tfv2uOLHUZ2XNuo=
+github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0 h1:MP4Eh7ZCb31lleYCFuwm0oe4/YGak+5l1vA2NOE80nA=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
From 3152943264e6712041de599d40b1eb7a6ee408bf Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Thu, 16 Sep 2021 22:18:43 -0700
Subject: [PATCH 32/63] Fix lint error for missing go-kit/log entry in go.sum

---
 go.sum | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go.sum b/go.sum
index 45dce945aab..f627127a057 100644
--- a/go.sum
+++ b/go.sum
@@ -342,6 +342,8 @@ github.com/go-kit/kit v0.9.0 h1:wDJmvq38kDhkVxi50ni9ykkdUr1PKgqKOoi01fa0Mdk=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.10.0 h1:dXFJfIHVvUcpSgDOV+Ne6t7jXri8Tfv2uOLHUZ2XNuo=
 github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o=
+github.com/go-kit/log v0.1.0 h1:DGJh0Sm43HbOeYDNnVZFl8BvcYVvjD5bqYJvp0REbwQ=
+github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0 h1:MP4Eh7ZCb31lleYCFuwm0oe4/YGak+5l1vA2NOE80nA=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
From 57f2168224c167e084a90ed14cbb8957b9fd618f Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Thu, 16 Sep 2021 22:32:56 -0700
Subject: [PATCH 33/63] Fix lint error for missing go-logfmt/logfmt entry in go.sum

---
 go.sum | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go.sum b/go.sum
index f627127a057..20451f9ba2f 100644
--- a/go.sum
+++ b/go.sum
@@ -347,6 +347,8 @@ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vb
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0 h1:MP4Eh7ZCb31lleYCFuwm0oe4/YGak+5l1vA2NOE80nA=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logfmt/logfmt v0.5.0 h1:TrB8swr/68K7m9CcGut2g3UOihhbcbiMAYiuTXdEih4=
+github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY=
 github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
From 35bb0d711baedac070ce23c230583ef9e2d2f963 Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Thu, 16 Sep 2021 22:48:38 -0700
Subject: [PATCH 34/63] Fix lint error for missing go-openapi/strfmt entry in go.sum

---
 go.sum | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/go.sum b/go.sum
index 20451f9ba2f..acd118f80d9 100644
--- a/go.sum
+++ b/go.sum
@@ -359,6 +359,17 @@ github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647/go.mod h1:pprOEPIf
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
+github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
+github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
+github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY=
+github.com/go-openapi/strfmt v0.19.2/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
+github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
+github.com/go-openapi/strfmt v0.19.4/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk=
+github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk=
+github.com/go-openapi/strfmt v0.19.11/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc=
+github.com/go-openapi/strfmt v0.20.0/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc=
+github.com/go-openapi/strfmt v0.20.1 h1:1VgxvehFne1mbChGeCmZ5pc0LxUf6yaACVSIYAR91Xc=
+github.com/go-openapi/strfmt v0.20.1/go.mod h1:43urheQI9dNtE5lTZQfuFJvjYJKPrxicATpEfZwHUNk=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
 github.com/go-sourcemap/sourcemap v2.1.2+incompatible h1:0b/xya7BKGhXuqFESKM4oIiRo9WOt2ebz7KxfreD6ug=
 github.com/go-sourcemap/sourcemap v2.1.2+incompatible/go.mod h1:F8jJfvm2KbVjc5NqelyYJmf/v5J0dwNLS2mL4sNA1Jg=
From 083fc29b3843ea70945e42fdd067ccefc5b8899a Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Thu, 16 Sep 2021 23:03:21 -0700
Subject: [PATCH 35/63] Fix lint error for missing go-zookeeper/zk entry in go.sum

---
 go.sum | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go.sum b/go.sum
index acd118f80d9..d344e46f473 100644
--- a/go.sum
+++ b/go.sum
@@ -379,6 +379,8 @@ github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M=
 github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8=
+github.com/go-zookeeper/zk v1.0.2 h1:4mx0EYENAdX/B/rbunjlt5+4RTA/a9SMHBRuSKdGxPM=
+github.com/go-zookeeper/zk v1.0.2/go.mod h1:nOB03cncLtlp4t+UAkGSV+9beXP/akpekBwL+UX1Qcw=
 github.com/gobuffalo/here v0.6.0 h1:hYrd0a6gDmWxBM4TnrGw8mQg24iSVoIkHEk7FodQcBI=
 github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM=
 github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be h1:zXHeEEJ231bTf/IXqvCfeaqjLpXsq42ybLoT4ROSR6Y=
From a9fed46e37296c04dcc82da5782b84b6e6064564 Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Thu, 16 Sep 2021 23:16:08 -0700
Subject: [PATCH 36/63] Fix lint error for missing google/pprof entry in go.sum

---
 go.sum | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/go.sum b/go.sum
index d344e46f473..3191656aa8d 100644
--- a/go.sum
+++ b/go.sum
@@ -453,6 +453,18 @@ github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXi
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200417002340-c6e0a841f49a/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9 h1:2tft2559dNwKl2znYB58oVTql0grRB+Ml3LWIBbc4WM=
+github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
From f1ddf0bee2d749fc1ea7cf9cc935a64709e1da0e Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Thu, 16 Sep 2021 23:31:09 -0700
Subject: [PATCH 37/63] Fix lint error for missing gophercloud/gophercloud entry in go.sum

---
 go.sum | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/go.sum b/go.sum
index 3191656aa8d..61e2f430f05 100644
--- a/go.sum
+++ b/go.sum
@@ -476,6 +476,10 @@ github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.4.1 h1:DLJCy1n/vrD4HPjOvYcT8aYQXpPIzoRZONaYwyycI+I=
 github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
+github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
+github.com/gophercloud/gophercloud v0.10.0/go.mod h1:gmC5oQqMDOMO1t1gq5DquX/yAU808e/4mzjjDA76+Ss=
+github.com/gophercloud/gophercloud v0.18.0 h1:V6hcuMPmjXg+js9flU8T3RIHDCjV7F5CG5GD0MRhP/w=
+github.com/gophercloud/gophercloud v0.18.0/go.mod h1:wRtmUelyIIv3CSSDI47aUwbs075O6i+LY+pXsKCBsb4=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75 h1:f0n1xnMSmBLzVfsMMvriDyA75NB/oBgILX2GcHXIQzY=
From 9e5a0bf228d3065704827ffe43fc9c766a60f531 Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Sat, 18 Sep 2021 22:24:36 -0700
Subject: [PATCH 38/63] Fix lint error for missing grpc-ecosystem/grpc-gateway entry in go.sum

---
 go.mod | 53 ++--
 go.sum | 743 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 765 insertions(+), 31 deletions(-)

diff --git a/go.mod b/go.mod
index 13c15c2e3a4..62f167f8281 100644
--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,7 @@ require (
 	github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d
 	github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 // indirect
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
-	github.com/aws/aws-lambda-go v1.6.0
+	github.com/aws/aws-lambda-go v1.13.3
 	github.com/aws/aws-sdk-go-v2 v0.24.0
 	github.com/awslabs/goformation/v4 v4.1.0
 	github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2
@@ -43,12 +43,12 @@ require (
 	github.com/coreos/go-systemd/v22 v22.0.0
 	github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea
 	github.com/davecgh/go-xdr v0.0.0-20161123171359-e6a2ba005892 // indirect
-	github.com/denisenkom/go-mssqldb v0.0.0-20200206145737-bbfc9a55622e
+	github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc
 	github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2 // indirect
 	github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b
 	github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1
 	github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf // indirect
-	github.com/docker/docker v1.4.2-0.20170802015333-8af4db6f002a
+	github.com/docker/docker v20.10.7+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-plugins-helpers v0.0.0-20181025120712-1e6269c305b8
@@ -85,7 +85,7 @@ require (
 	github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e
 	github.com/godror/godror v0.10.4
 	github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b
-	github.com/gofrs/uuid v3.3.0+incompatible
+	github.com/gofrs/uuid v4.0.0+incompatible
 	github.com/gogo/protobuf v1.3.1
 	github.com/golang/mock v1.6.0
 	github.com/golang/protobuf v1.4.3
@@ -96,8 +96,7 @@ require (
 	github.com/google/gopacket v1.1.18-0.20191009163724-0ad7f2610e34
 	github.com/google/uuid v1.1.2
 	github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75
-	github.com/gorilla/mux v1.7.2
-	github.com/grpc-ecosystem/grpc-gateway v1.13.0 // indirect
+	github.com/gorilla/mux v1.7.3
 	github.com/h2non/filetype v1.1.1
 	github.com/hashicorp/go-multierror v1.1.0
 	github.com/hashicorp/go-retryablehttp v0.6.6
@@ -112,21 +111,18 @@ require (
 	github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7
-	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
 	github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01
 	github.com/magefile/mage v1.11.0
-	github.com/mailru/easyjson v0.7.1 // indirect
 	github.com/mattn/go-colorable v0.1.6
 	github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/miekg/dns v1.1.25
+	github.com/miekg/dns v1.1.42
 	github.com/mitchellh/gox v1.0.1
 	github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51
-	github.com/mitchellh/mapstructure v1.3.3
+	github.com/mitchellh/mapstructure v1.4.1
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/oklog/ulid v1.3.1
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483 // indirect
 	github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 // indirect
 	github.com/osquery/osquery-go v0.0.0-20210622151333-99b4efa62ec5
 	github.com/otiai10/copy v1.2.0
@@ -135,14 +131,13 @@ require (
 	github.com/pmezard/go-difflib v1.0.0
 	github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc // indirect
 	github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4
-	github.com/prometheus/common v0.7.0
+	github.com/prometheus/common v0.7.00
 	github.com/prometheus/procfs v0.0.11
 	github.com/prometheus/prometheus v1.8.2-0.20210701133801-b0944590a1c9
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
 	github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e // indirect
 	github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54
 	github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522 // indirect
-	github.com/satori/go.uuid v1.2.0 // indirect
 	github.com/shirou/gopsutil v3.20.12+incompatible
 	github.com/shopspring/decimal v1.2.0
 	github.com/spf13/cobra v0.0.5
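Review bot: `+	github.com/prometheus/common v0.7.00` is not a canonical semantic version (the patch component carries a leading zero), so the go command will refuse to parse this go.mod and the build, `go vet` and the lint job all fail before any of the go.sum additions in this commit matter. The line it replaces is `github.com/prometheus/common v0.7.0` and nothing else in the hunk points at a different release, so this looks like a typo rather than an intended bump; the line should read `github.com/prometheus/common v0.7.0` or the intended newer version written in canonical `vMAJOR.MINOR.PATCH` form. Presumably the go.sum hunks that follow were produced against the mistyped entry, so it is worth re-running `go mod tidy` once the version is corrected and checking that the go.sum diff is unchanged.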
@@ -162,22 +157,22 @@ require (
 	go.elastic.co/ecszap v0.3.0
 	go.elastic.co/go-licence-detector v0.4.0
 	go.etcd.io/bbolt v1.3.4
-	go.uber.org/atomic v1.5.0
-	go.uber.org/multierr v1.3.0
-	go.uber.org/zap v1.14.0
+	go.uber.org/atomic v1.8.0
+	go.uber.org/multierr v1.5.0
+	go.uber.org/zap v1.14.1
 	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e
-	golang.org/x/lint v0.0.0-20200130185559-910be7a94367
+	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
 	golang.org/x/net v0.0.0-20210614182718-04defd469f4e
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
+	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c
 	golang.org/x/text v0.3.6
-	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
-	golang.org/x/tools v0.1.1
-	google.golang.org/api v0.15.0
-	google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb
-	google.golang.org/grpc v1.29.1
-	google.golang.org/protobuf v1.25.0
+	golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6
+	golang.org/x/tools v0.1.3
+	google.golang.org/api v0.48.0
+	google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08
+	google.golang.org/grpc v1.38.0
+	google.golang.org/protobuf v1.26.0
 	gopkg.in/inf.v0 v0.9.1
 	gopkg.in/jcmturner/aescts.v1 v1.0.1 // indirect
 	gopkg.in/jcmturner/dnsutils.v1 v1.0.1 // indirect
@@ -185,13 +180,13 @@ require (
 	gopkg.in/jcmturner/gokrb5.v7 v7.5.0
 	gopkg.in/jcmturner/rpc.v1 v1.1.0 // indirect
 	gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528
-	gopkg.in/yaml.v2 v2.3.0
+	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools v2.2.0+incompatible
 	gotest.tools/gotestsum v0.6.0
 	howett.net/plist v0.0.0-20181124034731-591f970eefbb
-	k8s.io/api v0.19.4
-	k8s.io/apimachinery v0.19.4
-	k8s.io/client-go v0.19.4
+	k8s.io/api v0.21.1
+	k8s.io/apimachinery v0.21.1
+	k8s.io/client-go v0.21.1
 )
 
 replace (
diff --git a/go.sum b/go.sum
index 61e2f430f05..0f9bb192b60 100644
--- a/go.sum
+++ b/go.sum
@@ -24,6 +24,7 @@ code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f h1:UrKzEwTg
 code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f/go.mod h1:sk5LnIjB/nIEU7yP5sDQExVm62wu0pBh3yrElngUisI=
 code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a h1:8rqv2w8xEceNwckcF5ONeRt0qBHlh5bnNfFnYTrZbxs=
 code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a/go.mod h1:tkZo8GtzBjySJ7USvxm4E36lNQw1D3xM6oKHGqdaAJ4=
+collectd.org v0.3.0/go.mod h1:A/8DzQBkF6abtvrT2j/AU/4tiBgJWYyh0y/oB/4MlWE=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/Azure/azure-amqp-common-go/v3 v3.0.0 h1:j9tjcwhypb/jek3raNrwlCIl7iKQYOug7CLpSyBBodc=
 github.com/Azure/azure-amqp-common-go/v3 v3.0.0/go.mod h1:SY08giD/XbhTz07tJdpw1SoxQXHPN30+DI3Z04SYqyg=
@@ -87,6 +88,7 @@ github.com/Azure/go-autorest/autorest/validation v0.2.0 h1:15vMO4y76dehZSq7pAaOL
 github.com/Azure/go-autorest/autorest/validation v0.2.0/go.mod h1:3EEqHnBxQGHXRYq3HT1WyXAvT7LLY3tl70hw6tQIbjI=
 github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E=
 github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
+github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
@@ -95,27 +97,42 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
+github.com/DATA-DOG/go-sqlmock v1.4.1/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
+github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/zstd v1.4.1 h1:3oxKN3wbHibqx897utPC2LTQU4J+IHWWJO+glkAkpFM=
 github.com/DataDog/zstd v1.4.1/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
+github.com/HdrHistogram/hdrhistogram-go v1.0.1 h1:GX8GAYDuhlFQnI2fRDHQhTlkHMz8bEn0jTI6LJU0mpw=
+github.com/HdrHistogram/hdrhistogram-go v1.0.1/go.mod h1:BWJ+nMSHY3L41Zj7CA3uXnloDp7xxV0YvstAE7nKTaM=
+github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
 github.com/Masterminds/semver v1.4.2 h1:WBLTQ37jOCzSLtXNdoo8bNM8876KhNqOKvrlGITgsTc=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
+github.com/Masterminds/sprig v2.16.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
 github.com/Microsoft/hcsshim v0.8.7 h1:ptnOoufxGSzauVTsdE+wMYnCWA301PdoN4xg5oRdZpg=
 github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/SAP/go-hdb v0.14.1/go.mod h1:7fdQLVC2lER3urZLjZCm0AuMQfApof92n3aylBPEkMo=
 github.com/Shopify/toxiproxy v2.1.4+incompatible h1:TKdv8HiTLgE5wdJuEML90aBgNWsokNbMijUGhmcoBJc=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6 h1:2Gl9Tray0NEjP9KC0FjdGWlszbmTIsBP3JYzgyFdL4E=
 github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
+github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g=
 github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d h1:g0M6kedfjDpyAAuxqBvJzMNjFzlrQ7Av6LCDFqWierk=
 github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d/go.mod h1:VykaKG/ofkKje+MSvqjrDsz1wfyHIvEVFljhq2EOZ4g=
 github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41 h1:9OmEpkkO4vm8Wz+JKWHDLZdzYrqXr4dovxIJDkTltKE=
 github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41/go.mod h1:UdDNZ1OO62aGYVnPhxT1U6aI7ukYtA/kB8vaU0diBUM=
 github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc h1:9iW/Fbn/R/nyUOiqo6AgwBe8uirqUIoTGF3vKG8qjoc=
 github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc/go.mod h1:zj8LBEnWBDOVEIJt8LvaRvDG5ARAoa5dBeHaB472NRc=
+github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c=
+github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM=
+github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
 github.com/akavel/rsrc v0.8.0 h1:zjWn7ukO9Kc5Q62DOJCcxGpXC18RawVtYAGdz2aLlfw=
 github.com/akavel/rsrc v0.8.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -129,20 +146,38 @@ github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20 h1:7rj9qZ63knnVo2Z
 github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20/go.mod h1:cI59GRkC2FRaFYtgbYEqMlgnnfvAwXzjojyZKXwklNg=
 github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43 h1:WFwa9pqou0Nb4DdfBOyaBTH0GqLE74Qwdf61E7ITHwQ=
 github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43/go.mod h1:tJPYQG4mnMeUtQvQKNkbsFrnmZOg59Qnf8CcctFv5v4=
+github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d h1:OE3kzLBpy7pOJEzE55j9sdgrSilUPzzj++FWvp1cmIs=
 github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d/go.mod h1:T7PbCXFs94rrTttyxjbyT5+/1V8T2TYDejxUfHJjw1Y=
+github.com/aokoli/goutils v1.0.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g9DP+DQ=
+github.com/apache/arrow/go/arrow v0.0.0-20191024131854-af6fa24be0db/go.mod h1:VTxUBvSJ3s3eHAg65PNgrsn5BtqCRPdmyXh6rAfdxN0=
+github.com/apache/arrow/go/arrow v0.0.0-20200923215132-ac86123a3f01/go.mod h1:QNYViu/X0HXDHw7m3KXzWSVXIbfUvJqBFe6Gj8/pYA0=
+github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
+github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f h1:33BV5v3u8I6dA2dEoPuXWCsAaHHOJfPtdxZhAMQV4uo=
 github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 h1:afT88tB6u9JCKQZVAAaa9ICz/uGn5Uw9ekn6P22mYKM=
 github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77/go.mod h1:bXvGk6IkT1Agy7qzJ+DjIw/SJ1AaB3AvAuMDVV+Vkoo=
+github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
+github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
+github.com/armon/go-metrics v0.3.3/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc=
+github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A=
+github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/asaskevich/govalidator v0.0.0-20200108200545-475eaeb16496/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
+github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
+github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/aws/aws-lambda-go v1.6.0 h1:T+u/g79zPKw1oJM7xYhvpq7i4Sjc0iVsXZUaqRVVSOg=
 github.com/aws/aws-lambda-go v1.6.0/go.mod h1:zUsUQhAUjYzR8AuduJPCfhBuKWUaDbQiPOG+ouzmE1A=
+github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU=
 github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.29.16/go.mod h1:1KvfttTE3SPKMpo8g2c6jL3ZKfXtFvKscTgahTma5Xg=
 github.com/aws/aws-sdk-go v1.30.12/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
@@ -155,29 +190,45 @@ github.com/aws/aws-sdk-go-v2 v0.24.0/go.mod h1:2LhT7UgHOXK3UXONKI5OMgIyoQL6zTAw/
 github.com/awslabs/goformation/v3 v3.1.0/go.mod h1:hQ5RXo3GNm2laHWKizDzU5DsDy+yNcenSca2UxN0850=
 github.com/awslabs/goformation/v4 v4.1.0 h1:JRxIW0IjhYpYDrIZOTJGMu2azXKI+OK5dP56ubpywGU=
 github.com/awslabs/goformation/v4 v4.1.0/go.mod h1:MBDN7u1lMNDoehbFuO4uPvgwPeolTMA2TzX1yO6KlxI=
+github.com/benbjohnson/immutable v0.2.1/go.mod h1:uc6OHo6PN2++n98KHLxW8ef4W42ylHiQSENghE1ezxI=
+github.com/benbjohnson/tmpl v1.0.0/go.mod h1:igT620JFIi44B6awvU9IsDhR77IXWtFigTLil/RPdps=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bi-zone/go-winio v0.4.15 h1:viLHm+U7bzIkfVHuWgc3Wp/sT5zaLoRG7XdOEy1b12w=
 github.com/bi-zone/go-winio v0.4.15/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
 github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2 h1:oMCHnXa6CCCafdPDbMh/lWRhRByN0VFLvv+g+ayx1SI=
 github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI=
 github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/bmizerany/pat v0.0.0-20170815010413-6226ea591a40/go.mod h1:8rLXio+WjiTceGBHIoTvn60HIbs7Hm7bcHjyrSqYB9c=
+github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
+github.com/bonitoo-io/go-sql-bigquery v0.3.4-1.4.0/go.mod h1:J4Y6YJm0qTWB9aFziB7cPeSyc6dOZFyJdteSeybVpXQ=
 github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible h1:4g18+HnTDwEtO0n7K8B1Kjq+04MEKJRkhJNQ/hb9d5A=
 github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible/go.mod h1:r7ao+4tTNXvWm+VRpRJchr2kQhqxgmAp2iEX5W96gMM=
+github.com/c-bata/go-prompt v0.2.2/go.mod h1:VzqtzE2ksDBcdln8G7mk2RX9QyGjH+OVqOCSiVIqS34=
+github.com/cactus/go-statsd-client/statsd v0.0.0-20191106001114-12b4e2b38748/go.mod h1:l/bIBLeOl9eX+wxJAzxS4TveKRtAqlyDpHjhkfO0MEI=
+github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
 github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e h1:YYUjy5BRwO5zPtfk+aa2gw255FIIoi93zMmuy19o0bc=
 github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e/go.mod h1:V284PjgVwSk4ETmz84rpu9ehpGg7swlIH8npP9k2bGw=
 github.com/cavaliercoder/go-rpm v0.0.0-20190131055624-7a9c54e3d83e h1:Gbx+iVCXG/1m5WSnidDGuHgN+vbIwl+6fR092ANU+Y8=
 github.com/cavaliercoder/go-rpm v0.0.0-20190131055624-7a9c54e3d83e/go.mod h1:AZIh1CCnMrcVm6afFf96PBvE2MRpWFco91z8ObJtgDY=
+github.com/cenkalti/backoff v0.0.0-20181003080854-62661b46c409/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
+github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
+github.com/cenkalti/backoff/v4 v4.1.0/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/cespare/xxhash/v2 v2.1.0/go.mod h1:dgIUBU3pDso/gPgZ1osOZ0iQf77oPR28Tjxl5dIMyVM=
 github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
+github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
+github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudfoundry-community/go-cfclient v0.0.0-20190808214049-35bcce23fc5f h1:fK3ikA1s77arBhpDwFuyO0hUZ2Aa8O6o2Uzy8Q6iLbs=
 github.com/cloudfoundry-community/go-cfclient v0.0.0-20190808214049-35bcce23fc5f/go.mod h1:RtIewdO+K/czvxvIFCMbPyx7jdxSLL1RZ+DA/Vk8Lwg=
@@ -186,6 +237,10 @@ github.com/cloudfoundry/noaa v2.1.0+incompatible/go.mod h1:5LmacnptvxzrTvMfL9+EJ github.com/cloudfoundry/sonde-go v0.0.0-20171206171820-b33733203bb4 h1:cWfya7mo/zbnwYVio6eWGsFJHqYw4/k/uhwIJ1eqRPI= github.com/cloudfoundry/sonde-go v0.0.0-20171206171820-b33733203bb4/go.mod h1:GS0pCHd7onIsewbw8Ue9qa9pZPv2V88cUZDttK6KzgI= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 h1:sDMmm+q/3+BukdIpxwO365v/Rbspp2Nt5XntgQRXq8Q= github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM= github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko= 
@@ -207,18 +262,24 @@ github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kw github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.0.0 h1:XJIw/+VlJ+87J+doOxznsAWIdmWuViOVhkQamW5YV28= github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea h1:n2Ltr3SrfQlf/9nOna1DoGKxLx3qTSI8Ttl6Xrqp6mw= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cucumber/godog v0.8.1 h1:lVb+X41I4YDreE+ibZ50bdXmySxgRviYFgKY6Aw4XE8= github.com/cucumber/godog v0.8.1/go.mod h1:vSh3r/lM+psC1BPXvdkSEuNjmXfpVqrMGYAElF6hxnA= github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg= 
github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= +github.com/dave/jennifer v1.2.0/go.mod h1:fIb+770HOpJ2fmN9EPPKOqm1vMGhB+TwXKMZhrIygKg= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -226,6 +287,7 @@ github.com/davecgh/go-xdr v0.0.0-20161123171359-e6a2ba005892 h1:qg9VbHo1TlL0KDM0 github.com/davecgh/go-xdr v0.0.0-20161123171359-e6a2ba005892/go.mod h1:CTDl0pzVzE5DEzZhPfvhY/9sPFMQIxaJ9VAMs9AagrE= github.com/denisenkom/go-mssqldb v0.0.0-20200206145737-bbfc9a55622e h1:LzwWXEScfcTu7vUZNlDDWDARoSGEtvlDKK2BYHowNeE= github.com/denisenkom/go-mssqldb v0.0.0-20200206145737-bbfc9a55622e/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= +github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2 h1:6+hM8KeYKV0Z9EIINNqIEDyyIRAcNc2FW+/TUYNmWyw= github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= 
@@ -234,6 +296,8 @@ github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b/go.mod h1 github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de h1:t0UHb5vdojIDUqktM6+xJAfScFBsVpXZmqC9dsgJmeA= github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4= +github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8/go.mod h1:VMaSuZ+SZcx/wljOQKvp5srsbCiKDEb6K2wC4+PiBmQ= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= github.com/dgryski/go-sip13 v0.0.0-20190329191031-25c5027a8c7b/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= @@ -247,6 +311,7 @@ github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TR github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf h1:uOWCk+L8abzw0BzmnCn7j7VT3g6bv9zW8fkR0yOP0Q4= github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/engine v0.0.0-20191113042239-ea84732a7725 h1:j0zqmciWFnhB01BT/CyfoXNEONoxerGjkcxM8i6tlXI= 
@@ -268,12 +333,14 @@ github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6/go.mod h1:hn7BA github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-resiliency v1.2.0 h1:v7g92e/KSN71Rq7vSThKaWIq68fL4YHvWyiUKorFR1Q= github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 h1:YEetp8/yCZMuEPMUDHG0CW/brkkEp8mzqk2+ODEitlw= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= +github.com/eclipse/paho.mqtt.golang v1.2.0/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts= github.com/eclipse/paho.mqtt.golang v1.3.5 h1:sWtmgNxYM9P2sP+xEItMozsR3w0cqZFlqnNN1bdl41Y= github.com/eclipse/paho.mqtt.golang v1.3.5/go.mod h1:eTzb4gxwwyWpqBUHGQZ4ABAV7+Jgm1PklsYT/eo8Hcc= github.com/edsrzf/mmap-go v1.0.0 h1:CEBF7HpRnUCSJgGUb5h1Gm7e3VkmVDrR8lvWVLtrOFw= 
@@ -319,24 +386,43 @@ github.com/elastic/gosigar v0.14.1 h1:T0aQ7n/n2ZA9W7DmAnj60v+qzqKERdBgJBO1CG2W6r github.com/elastic/gosigar v0.14.1/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs= github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752 h1:5/RUNg7rkIvayjPhAIoI3v8p45NfWcfWs5DZSElycis= github.com/elastic/sarama v1.19.1-0.20210823122811-11c3ef800752/go.mod h1:mdtqvCSg8JOxk8PmpTNGyo6wzd4BMm4QXSfDnTXmgkE= +github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.9.0+incompatible h1:kLcOMZeuLAJvL2BPWLMIj5oaZQobrkAqrL+WFZwQses= 
github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= +github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= +github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo= +github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= +github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= github.com/frankban/quicktest v1.11.3 h1:8sXhOn0uLys67V8EsXLc6eszDs8VXWxL3iRvebPhedY= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= +github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= +github.com/glycerine/go-unsnap-stream v0.0.0-20180323001048-9f0cb55181dd/go.mod h1:/20jfyN9Y5QPEAprSgKAUr+glWDY39ZiUEAYOEv5dsE= +github.com/glycerine/goconvey v0.0.0-20190410193231-58a59202ab31/go.mod h1:Ogl1Tioa0aV7gstGFO7KhffUsb9M4ydbEbbxpcEDc24= +github.com/go-chi/chi 
v4.1.0+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= +github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0 h1:wDJmvq38kDhkVxi50ni9ykkdUr1PKgqKOoi01fa0Mdk= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= 
@@ -352,13 +438,72 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab h1:xveKWz2iaueeTaUgdetzel+U7exyigDYBryyVfV/rZk= github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8= github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647 h1:whypLownH338a3Ork2w9t0KUKtVxbXYySuz7V1YGsJo= github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI= +github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= +github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= +github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk= +github.com/go-openapi/analysis v0.19.4/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk= +github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU= +github.com/go-openapi/analysis v0.19.10/go.mod h1:qmhS3VNFxBlquFJ0RGoDtylO9y4pgTAUNE9AEEMdlJQ= +github.com/go-openapi/analysis v0.19.16/go.mod h1:GLInF007N83Ad3m8a/CbQ5TPzdnGT7workfHwuVjNVk= +github.com/go-openapi/analysis v0.20.0/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og= +github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= +github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= 
+github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= +github.com/go-openapi/errors v0.19.3/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= +github.com/go-openapi/errors v0.19.4/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= +github.com/go-openapi/errors v0.19.6/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/errors v0.19.7/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/errors v0.20.0/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= +github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= +github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= 
+github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs= +github.com/go-openapi/loads v0.19.3/go.mod h1:YVfqhUCdahYwR3f3iiwQLhicVRvLlU/WO5WPaZvcvSI= +github.com/go-openapi/loads v0.19.4/go.mod h1:zZVHonKd8DXyxyw4yfnVjPzBjIQcLt0CCsn0N0ZrQsk= +github.com/go-openapi/loads v0.19.5/go.mod h1:dswLCAdonkRufe/gSUC3gN8nTSaB9uaS2es0x5/IbjY= +github.com/go-openapi/loads v0.19.6/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc= +github.com/go-openapi/loads v0.19.7/go.mod h1:brCsvE6j8mnbmGBh103PT/QLHfbyDxA4hsKvYBNEGVc= +github.com/go-openapi/loads v0.20.0/go.mod h1:2LhKquiE513rN5xC6Aan6lYOSddlL8Mp20AW9kpviM4= +github.com/go-openapi/loads v0.20.2/go.mod h1:hTVUotJ+UonAMMZsvakEgmWKgtulweO9vYP2bQYKA/o= +github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA= +github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64= +github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4= +github.com/go-openapi/runtime v0.19.15/go.mod h1:dhGWCTKRXlAfGnQG0ONViOZpjfg0m2gUt9nTQPQZuoo= +github.com/go-openapi/runtime v0.19.16/go.mod h1:5P9104EJgYcizotuXhEuUrzVc+j1RiSjahULvYmlv98= +github.com/go-openapi/runtime v0.19.24/go.mod h1:Lm9YGCeecBnUUkFTxPC4s1+lwrkJ0pthx8YvyjCfkgk= +github.com/go-openapi/runtime v0.19.28/go.mod h1:BvrQtn6iVb2QmiVXRsFAm6ZCAZBpbVKFfN6QWCp582M= github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= +github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= 
+github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/spec v0.19.6/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= +github.com/go-openapi/spec v0.19.7/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= +github.com/go-openapi/spec v0.19.8/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= +github.com/go-openapi/spec v0.19.15/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU= +github.com/go-openapi/spec v0.20.0/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU= +github.com/go-openapi/spec v0.20.1/go.mod h1:93x7oh+d+FQsmsieroS4cmR3u0p/ywH649a3qwC9OsQ= +github.com/go-openapi/spec v0.20.3/go.mod h1:gG4F8wdEDN+YPBMVnzE85Rbhf+Th2DTvA9nFPQ5AYEg= github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY= 
@@ -371,9 +516,30 @@ github.com/go-openapi/strfmt v0.20.0/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF github.com/go-openapi/strfmt v0.20.1 h1:1VgxvehFne1mbChGeCmZ5pc0LxUf6yaACVSIYAR91Xc= github.com/go-openapi/strfmt v0.20.1/go.mod h1:43urheQI9dNtE5lTZQfuFJvjYJKPrxicATpEfZwHUNk= github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= +github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.7/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY= +github.com/go-openapi/swag v0.19.9/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfTe5McPyhY= +github.com/go-openapi/swag v0.19.12/go.mod h1:eFdyEBkTdoAf/9RXBvj4cr1nH7GD8Kzo5HTt47gr72M= +github.com/go-openapi/swag v0.19.13/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= +github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA= +github.com/go-openapi/validate v0.19.3/go.mod h1:90Vh6jjkTn+OT1Eefm0ZixWNFjhtOH7vS9k0lo6zwJo= +github.com/go-openapi/validate v0.19.8/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4= +github.com/go-openapi/validate v0.19.10/go.mod h1:RKEZTUWDkxKQxN2jDT7ZnZi2bhZlbNMAuKvKB+IaGx8= +github.com/go-openapi/validate v0.19.12/go.mod h1:Rzou8hA/CBw8donlS6WNEUQupNvUZ0waH08tGe6kAQ4= +github.com/go-openapi/validate v0.19.15/go.mod h1:tbn/fdOwYHgrhPBzidZfJC2MIVvs9GA7monOmWBbeCI= 
+github.com/go-openapi/validate v0.20.1/go.mod h1:b60iJT+xNNLfaQJUqLI7946tYiFEOuE9E4k54HpKcJ0= +github.com/go-openapi/validate v0.20.2/go.mod h1:e7OJoKNgd0twXZwIn0A43tHbvIcr/rZIVCbJBpTUoY0= +github.com/go-resty/resty/v2 v2.1.1-0.20191201195748-d7b97669fe48/go.mod h1:dZGr0i9PLlaaTD4H/hoZIDjQ+r6xq8mgbRzHZf7f2J8= github.com/go-sourcemap/sourcemap v2.1.2+incompatible h1:0b/xya7BKGhXuqFESKM4oIiRo9WOt2ebz7KxfreD6ug= github.com/go-sourcemap/sourcemap v2.1.2+incompatible/go.mod h1:F8jJfvm2KbVjc5NqelyYJmf/v5J0dwNLS2mL4sNA1Jg= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= 
@@ -381,8 +547,32 @@ github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= github.com/go-zookeeper/zk v1.0.2 h1:4mx0EYENAdX/B/rbunjlt5+4RTA/a9SMHBRuSKdGxPM= github.com/go-zookeeper/zk v1.0.2/go.mod h1:nOB03cncLtlp4t+UAkGSV+9beXP/akpekBwL+UX1Qcw= +github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0= +github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY= +github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg= +github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= +github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= +github.com/gobuffalo/flect v0.1.0/go.mod h1:d2ehjJqGOH/Kjqcoz+F7jHTBbmDb38yXA598Hb50EGs= +github.com/gobuffalo/flect v0.1.1/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= +github.com/gobuffalo/flect v0.1.3/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= +github.com/gobuffalo/genny v0.0.0-20190329151137-27723ad26ef9/go.mod h1:rWs4Z12d1Zbf19rlsn0nurr75KqhYp52EAGGxTbBhNk= +github.com/gobuffalo/genny v0.0.0-20190403191548-3ca520ef0d9e/go.mod h1:80lIj3kVJWwOrXWWMRzzdhW3DsrdjILVil/SFKBzF28= +github.com/gobuffalo/genny v0.1.0/go.mod h1:XidbUqzak3lHdS//TPu2OgiFB+51Ur5f7CSnXZ/JDvo= +github.com/gobuffalo/genny v0.1.1/go.mod h1:5TExbEyY48pfunL4QSXxlDOmdsD44RRq4mVZ0Ex28Xk= +github.com/gobuffalo/gitgen v0.0.0-20190315122116-cc086187d211/go.mod h1:vEHJk/E9DmhejeLeNt7UVvlSGv3ziL+djtTr3yyzcOw= +github.com/gobuffalo/gogen v0.0.0-20190315121717-8f38393713f5/go.mod h1:V9QVDIxsgKNZs6L2IYiGR8datgMhB577vzTDqypH360= +github.com/gobuffalo/gogen v0.1.0/go.mod h1:8NTelM5qd8RZ15VjQTFkAW6qOMx5wBbW4dSCS3BY8gg= +github.com/gobuffalo/gogen v0.1.1/go.mod h1:y8iBtmHmGc4qa3urIyo1shvOD8JftTtfcKi+71xfDNE= github.com/gobuffalo/here v0.6.0 
h1:hYrd0a6gDmWxBM4TnrGw8mQg24iSVoIkHEk7FodQcBI= github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM= +github.com/gobuffalo/logger v0.0.0-20190315122211-86e12af44bc2/go.mod h1:QdxcLw541hSGtBnhUc4gaNIXRjiDppFGaDqzbrBd3v8= +github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= +github.com/gobuffalo/mapi v1.0.2/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= +github.com/gobuffalo/packd v0.0.0-20190315124812-a385830c7fc0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= +github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= +github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ= +github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0= +github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be h1:zXHeEEJ231bTf/IXqvCfeaqjLpXsq42ybLoT4ROSR6Y= github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be/go.mod h1:/oj50ZdPq/cUjA02lMZhijk5kR31SEydKyqah1OgBuo= github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e h1:BWhy2j3IXJhjCbC68FptL43tDKIq8FladmaTs3Xs7Z8= 
@@ -396,21 +586,33 @@ github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b h1:3QNh5Xo2pmr2nZXEN github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/uuid v3.3.0+incompatible h1:8K4tyRfvU1CYPgJsveYFQMhpFd/wXNM7iK6rR7UHz84= github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= +github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= +github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0 h1:RAqyYixv1p7uEnocuy8P1nru5wprCh/MH2BIlW5z5/o= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= +github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= +github.com/golang/geo v0.0.0-20190916061304-5b978397cfec/go.mod h1:QZ0nwyI2jOfgRAoBvP+ab5aRr7c9x7lhGEJrKvBwjWI= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod 
h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -426,6 +628,7 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA= github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= @@ -443,6 +646,7 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -450,6 +654,9 @@ github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0 h1:OggOMm github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M= github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
@@ -468,12 +675,15 @@ github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLe github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.4.0/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= github.com/googleapis/gnostic v0.4.1 h1:DLJCy1n/vrD4HPjOvYcT8aYQXpPIzoRZONaYwyycI+I= github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= 
@@ -484,55 +694,119 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGa github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75 h1:f0n1xnMSmBLzVfsMMvriDyA75NB/oBgILX2GcHXIQzY= github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA= +github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= +github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.2 h1:zoNxOV7WjqXptQOVngLmcSQgXmgk4NMz1HibBchjl/I= github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.13.0 
h1:sBDQoHXrOlfPobnKw69FIKa1wg9qsLLvvQ/Y19WtFgI= github.com/grpc-ecosystem/grpc-gateway v1.13.0/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= +github.com/grpc-ecosystem/grpc-gateway v1.14.4/go.mod h1:6CwZWGDSPRJidgKAtJVvND6soZe6fT7iteq8wDPdhb0= +github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/h2non/filetype v1.1.1 h1:xvOwnXKAckvtLWsN398qS9QhlxlnVXBjXBydK2/UFB4= github.com/h2non/filetype v1.1.1/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY= +github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE= +github.com/hashicorp/consul/api v1.4.0/go.mod h1:xc8u05kyMa3Wjr9eEAsIAo3dg8+LywT5E/Cl7cNS5nU= +github.com/hashicorp/consul/api v1.8.1/go.mod h1:sDjTOq0yUyv5G4h+BqSea7Fn6BU+XbolEz1952UB+mk= +github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/consul/sdk v0.4.0/go.mod h1:fY08Y9z5SvJqevyZNy6WWPXiG3KwBPAvlcdx16zZ0fM= +github.com/hashicorp/consul/sdk v0.7.0/go.mod h1:fY08Y9z5SvJqevyZNy6WWPXiG3KwBPAvlcdx16zZ0fM= github.com/hashicorp/cronexpr v1.1.0 h1:dnNsWtH0V2ReN7JccYe8m//Bj14+PjJDntR1dz0Cixk= github.com/hashicorp/cronexpr v1.1.0/go.mod h1:P4wA0KBl9C5q2hABiMO7cp6jcIg96CDh1Efb3g1PWA4= github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVoDkXMzJM= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-hclog v0.9.2 
h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxCsHI= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-hclog v0.12.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-immutable-radix v1.2.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM= github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= +github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= 
+github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE= github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-version v1.0.0 h1:21MVWPKDphxa7ineQQTrCU5brh7OuVVAzGOCnnCPtE8= github.com/hashicorp/go-version v1.0.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/memberlist v0.1.4/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/memberlist v0.2.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= +github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= +github.com/hashicorp/memberlist v0.2.3/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/nomad/api v0.0.0-20201203164818-6318a8ac7bf8 h1:Yrz9yGVJf5Ce2KS7x8hS/MUTIeBmGEhF8nhzolRpSqY= github.com/hashicorp/nomad/api 
v0.0.0-20201203164818-6318a8ac7bf8/go.mod h1:vYHP9jMXk4/T2qNUbWlQ1OHCA1hHLil3nvqSmz8mtgc= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/hashicorp/serf v0.9.0/go.mod h1:YL0HO+FifKOW2u1ke99DGVu1zhcpZzNwrLIqBC7vbYU= +github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk= github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95 h1:S4qyfL2sEm5Budr4KVMyEniCy+PbS55651I/a+Kn/NQ= github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95/go.mod h1:QiyDdbZLaJ/mZP4Zwc9g2QsfaEA4o7XvvgZegSci5/E= +github.com/hetznercloud/hcloud-go v1.26.2/go.mod h1:2C5uMtBiMoFr3m7lBFPf7wXTdh33CevmZpQIIDPGYJI= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo= +github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.4/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/influxdata/flux v0.65.0/go.mod h1:BwN2XG2lMszOoquQaFdPET8FRQfrXiZsWmcMO9rkaVY= +github.com/influxdata/flux v0.113.0/go.mod h1:3TJtvbm/Kwuo5/PEo5P6HUzwVg4bXWkb2wPQHPtQdlU= 
+github.com/influxdata/httprouter v1.3.1-0.20191122104820-ee83e2772f69/go.mod h1:pwymjR6SrP3gD3pRj9RJwdl1j5s3doEEV8gS4X9qSzA= +github.com/influxdata/influxdb v1.8.0/go.mod h1:SIzcnsjaHRFpmlxpJ4S3NT64qtEKYweNTUMb/vh0OMQ= +github.com/influxdata/influxdb v1.9.2/go.mod h1:UEe3MeD9AaP5rlPIes102IhYua3FhIWZuOXNHxDjSrI= +github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo= +github.com/influxdata/influxql v1.1.0/go.mod h1:KpVI7okXjK6PRi3Z5B+mtKZli+R1DnZgb3N+tzevNgo= +github.com/influxdata/influxql v1.1.1-0.20210223160523-b6ab99450c93/go.mod h1:gHp9y86a/pxhjJ+zMjNXiQAA197Xk9wLxaz+fGG+kWk= +github.com/influxdata/line-protocol v0.0.0-20180522152040-32c6aa80de5e/go.mod h1:4kt73NQhadE3daL3WhR5EJ/J2ocX0PZzwxQ0gXJ7oFE= +github.com/influxdata/pkg-config v0.2.6/go.mod h1:EMS7Ll0S4qkzDk53XS3Z72/egBsPInt+BeRxb0WeSwk= +github.com/influxdata/pkg-config v0.2.7/go.mod h1:EMS7Ll0S4qkzDk53XS3Z72/egBsPInt+BeRxb0WeSwk= +github.com/influxdata/promql/v2 v2.12.0/go.mod h1:fxOPu+DY0bqCTCECchSRtWfc+0X19ybifQhZoQNF5D8= +github.com/influxdata/roaring v0.4.13-0.20180809181101-fc520f41fab6/go.mod h1:bSgUQ7q5ZLSO+bKBGqJiCBGAl+9DxyW63zLTujjUlOE= +github.com/influxdata/tdigest v0.0.0-20181121200506-bf2b5ad3c0a9/go.mod h1:Js0mqiSBE6Ffsg94weZZ2c+v/ciT8QRHFOap7EKDrR0= +github.com/influxdata/tdigest v0.0.2-0.20210216194612-fc98d27c9e8b/go.mod h1:Z0kXnxzbTC2qrx4NaIzYkE1k66+6oEDQTvL95hQFh5Y= +github.com/influxdata/usage-client v0.0.0-20160829180054-6d3895376368/go.mod h1:Wbbw6tYNvwa5dlB6304Sd+82Z3f7PmVZHVKU637d4po= github.com/jarcoal/httpmock v1.0.4 h1:jp+dy/+nonJE4g4xbVtl9QdrUNbn6/3hDT5R4nDIZnA= github.com/jarcoal/httpmock v1.0.4/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik= github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= 
@@ -548,8 +822,12 @@ github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aW github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5 h1:lrdPtrORjGv1HbbEvKWDUAy97mPpFm4B8hp77tcCUJY= github.com/jmoiron/sqlx v1.2.1-0.20190826204134-d7d95172beb5/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks= github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 h1:rp+c0RAYOWj8l6qbCUTSiRLG/iKnW3K3/QfPPuSsBt4= 
@@ -561,31 +839,49 @@ github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9q github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd h1:KikNiFwUO3QLyeKyN4k9yBH9Pcu/gU/yficWi61cJIw= github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd/go.mod h1:eJTEwMjXb7kZ633hO3Ln9mBUCOjX2+FlTljvpl9SYdE= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0= github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfEUpgAwUN0o= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/jsternberg/zap-logfmt v1.0.0/go.mod h1:uvPs/4X51zdkcm5jXl5SYoN+4RK21K8mysFmDaM/h+o= +github.com/jsternberg/zap-logfmt v1.2.0/go.mod h1:kz+1CUmCutPWABnNkOu9hOHKdT2q3TDYCcsFy9hpqb0= github.com/jtolds/gls 
v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= +github.com/jwilder/encoding v0.0.0-20170811194829-b4e1701a28ef/go.mod h1:Ct9fl0F6iIOGgxJ5npU/IUOhOhqlVrGjyIZc8/MagT0= github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7 h1:oohm9Rk9JAxxmp2NLZa7Kebgz9h4+AJDcc64txg3dQ0= github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM= +github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= +github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA= github.com/karrick/godirwalk v1.15.6 h1:Yf2mmR8TJy+8Fa0SuQVto5SYap6IF7lNVX4Jdl8G1qA= github.com/karrick/godirwalk v1.15.6/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.4.0/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= +github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= github.com/klauspost/compress v1.12.2 h1:2KCfW3I9M7nSc5wOqXAlW2v2U6v+w6cbjvbfp+OykW8= github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= +github.com/klauspost/cpuid v0.0.0-20170728055534-ae7887de9fa5/go.mod 
h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= +github.com/klauspost/crc32 v0.0.0-20161016154125-cb6bfca970f6/go.mod h1:+ZoRqAPRLkC4NPOvfYeR5KNOrY6TD+/sAC3HXPZgDYg= +github.com/klauspost/pgzip v1.0.2-0.20170402124221-0bf5dcad4ada/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 h1:T+h1c/A9Gawja4Y9mFVWj2vyii2bbUNDw3kt9VxK2EY= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 
@@ -593,73 +889,130 @@ github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v0.0.0-20160406211939-eadb3ce320cb/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01 h1:EPw7R3OAyxHBCyl0oqh3lUZqS5lu3KSxzzGasE0opXQ= github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= +github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4= +github.com/linode/linodego v0.28.5/go.mod h1:BR0gVkCJffEdIGJSl6bHR80Ty+Uvg/2jkjmrWaFectM= +github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= github.com/magefile/mage v1.9.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magefile/mage v1.11.0 h1:C/55Ywp9BpgVVclD3lRnSYCwXTYxmSppIgLeDYlNuls= github.com/magefile/mage v1.11.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/mailru/easyjson 
v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= github.com/mailru/easyjson v0.7.1 h1:mdxE1MF9o53iCb2Ghj1VfWvh7ZOwHpnVG/xwXrV90U8= github.com/mailru/easyjson v0.7.1/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= github.com/markbates/pkger v0.17.0 h1:RFfyBPufP2V6cddUyyEVSHBpaAnM1WzaMNyqomeT+iY= github.com/markbates/pkger v0.17.0/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI= +github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11 h1:YFh+sjyJTMQSYjKwM4dFKhJPJC/wfo98tPUc17HdoYw= github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11/go.mod h1:Ah2dBMoxZEqk118as2T4u4fjfXarE0pPnMJaArZQZsI= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6 h1:6Su7aK7lXmJ/U79bYtBjLNaha4Fs1Rg9plHpcH+vvnE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-ieproxy v0.0.0-20190610004146-91bb50d98149/go.mod 
h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc= github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe h1:YioO2TiJyAHWHyCRQCP8jk5IzTqmsbGc5qQPIhHo6xs= github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-runewidth v0.0.3/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0= github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-sqlite3 v1.9.0 h1:pDRiWfl+++eC2FEFRy6jXmQlvp4Yh3z1MJKg4UeYM/4= github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= +github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= +github.com/mattn/go-tty v0.0.0-20180907095812-13ff1204f104/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod 
h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/miekg/dns v1.1.22/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= github.com/miekg/dns v1.1.25 h1:dFwPR6SfLtrSwgDcIq2bcU/gVutB4sNApq2HBdqcakg= github.com/miekg/dns v1.1.25/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= +github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= +github.com/miekg/dns v1.1.29/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= +github.com/miekg/dns v1.1.42/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= +github.com/mileusna/useragent v0.0.0-20190129205925-3e331f0949a5/go.mod h1:JWhYAp2EXqUtsxTKdeGlY8Wp44M7VxThC9FEoNGi2IE= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= github.com/mitchellh/gox v1.0.1 h1:x0jD3dcHk9a9xPSDN6YEL4xL6Qz0dvNYm8yZqui5chI= github.com/mitchellh/gox v1.0.1/go.mod h1:ED6BioOGXMswlXa2zxfh/xdd5QhwYliBFn9V18Ap4z4= github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51 h1:qdHlMllk/PTLUrX3XdtXDrLL1lPSfcqUmJD1eYfbapg= github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51/go.mod 
h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ= github.com/mitchellh/iochan v1.0.0 h1:C+X3KsSTLFVBr/tK1eYN/vs4rJcvsiLU338UhYPJWeY= github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.2.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.3.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.3.3 h1:SzB1nHZ2Xi+17FP0zVQBHIZqvwRN9408fJO8h+eeNA8= github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= 
github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/mschoch/smat v0.0.0-20160514031455-90eadee771ae/go.mod h1:qAyveg+e4CE+eKJXWVjKXM4ck2QobLqTDytGJbLLhJg= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg= +github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU= +github.com/nats-io/nats-server/v2 v2.1.2/go.mod h1:Afk+wRZqkMQs/p45uXdrVLuab3gwv3Z8C4HTBu8GD/k= +github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzEE/Zbp4w= +github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= +github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= +github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= +github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= +github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod 
h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.5.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw= github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 
@@ -668,10 +1021,12 @@ github.com/onsi/gomega v1.2.0/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483 h1:eFd3FsB01m/zNg/yBMYdm/XqiqCztcN9SVRPtGtzDHo= github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 h1:yN8BPXVwMBAm3Cuvh1L5XE8XpvYRMdsVLd82ILprhUU= github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= 
@@ -681,6 +1036,18 @@ github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rm github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= +github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis= +github.com/opentracing-contrib/go-stdlib v0.0.0-20190519235532-cf7a6c988dc9/go.mod h1:PLldrQSroqzH70Xl+1DQcGnefIbqsKR7UDaiux3zV+w= +github.com/opentracing-contrib/go-stdlib v1.0.0/go.mod h1:qtI1ogk+2JhVPIXVc6q+NHziSmy2W5GbdQZFUHADCBU= +github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74= +github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/opentracing/opentracing-go v1.0.3-0.20180606204148-bd9c31933947/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= +github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxSfWAKL3wpBW7V8scJMt8N8gnaMCS9E/cA= +github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= +github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= +github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= github.com/osquery/osquery-go v0.0.0-20210622151333-99b4efa62ec5 h1:E275nJIUAvIK/RSN8cq9MAcRLk23jaZq+s24B0I8bEw= github.com/osquery/osquery-go v0.0.0-20210622151333-99b4efa62ec5/go.mod 
h1:JKR5QhjsYdnIPY7hakgas5sxf8qlA/9wQnLqaMfWdcg= github.com/otiai10/copy v1.2.0 h1:HvG945u96iNadPoG2/Ja2+AUJeW5YuFQMixq9yirC+k= 
@@ -692,21 +1059,41 @@ github.com/otiai10/mint v1.3.1 h1:BCmzIS3n71sGfHB5NMNDB3lHYPz8fWSkCAErHed//qc= github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2 h1:CXwSGu/LYmbjEab5aMCs5usQRVBGThelUKBNnoSOuso= github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOThbttwfYRNFOWLLVXMhk5Lkio4GGOtw5UrxS0= +github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM= +github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/paulbellamy/ratecounter v0.2.0/go.mod h1:Hfx1hDpSGoqxkVVpBi/IlYD7kChlfo5C6hzIHwPqfFE= +github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo= +github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= +github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/peterh/liner v1.0.1-0.20180619022028-8c1271fcf47f/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc= +github.com/philhofer/fwd v1.0.0/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU= +github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= +github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrec/lz4 v2.6.0+incompatible h1:Ix9yFKn1nSPBLFl/yZknTp8TU5G4Ps0JDmguYK6iH1A= github.com/pierrec/lz4 v2.6.0+incompatible/go.mod 
h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0 h1:i5VIxp6QB8oWZ8IkK8zrDgeT6ORGIUeiN+61iETwJbI= github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0/go.mod h1:4xpMLz7RBWyB+ElzHu8Llua96TRCB3YwX+l5EP1wmHk= +github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1-0.20170505043639-c605e284fe17/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA= +github.com/pkg/term v0.0.0-20180730021639-bffc007b7fd5/go.mod h1:eCbImbZ95eXtAUIbLAuAVnBnwf83mjf6QIVH8SHYwqQ= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= +github.com/prometheus/alertmanager v0.20.0/go.mod h1:9g2i48FAyZW6BtbsnvHtMHQXl2aVtrORKwKVCQ+nbrg= +github.com/prometheus/alertmanager v0.22.2/go.mod h1:rYinOWxFuCnNssc3iOjn2oMTlhLaPcUuqV5yk5JKUAE= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= github.com/prometheus/client_golang v1.0.0/go.mod 
h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc h1:6B8wpniGN4FtqzqWhe2OBOGkeZFbhwZpCh+V/pv/oik= @@ -719,6 +1106,8 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= github.com/prometheus/common v0.7.0 h1:L+1lyG48J1zAQXA3RBX/nG/B3gjlHq0zTt2tlbJLyCY= github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA= +github.com/prometheus/exporter-toolkit v0.5.1/go.mod h1:OCkM4805mmisBhLmVFw858QYi3v0wKdY6/UxrT0pZVg= +github.com/prometheus/exporter-toolkit v0.6.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 
@@ -726,17 +1115,29 @@ github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDa github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.0.11 h1:DhHlBtkHWPYi8O2y31JkK0TF+DGM+51OopZjH/Ia5qI= github.com/prometheus/procfs v0.0.11/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= +github.com/prometheus/prometheus v0.0.0-20200609090129-a6600f564e3c/go.mod h1:S5n0C6tSgdnwWshBUceRx5G1OsjLv/EeZ9t3wIfEtsY= github.com/prometheus/prometheus v1.8.2-0.20210701133801-b0944590a1c9 h1:If7jYp33vwa8ZQ7GGwrAs0SBjiW0aWeAB/oV1aG7bZ4= github.com/prometheus/prometheus v1.8.2-0.20210701133801-b0944590a1c9/go.mod h1:A97P+iwS3Ffpxpejz4+ASZl6i9EqSJDzxObq8DjV2SU= +github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/retailnext/hllpp v1.0.1-0.20180308014038-101a6d2f8b52/go.mod h1:RDpi1RftBQPUCDRw6SmxeaREsAaRKnOclghuzp/WRzc= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rs/cors v1.6.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= +github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= 
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e h1:hUGyBE/4CXRPThr4b6kt+f1CN90no4Fs5CNrYOKYSIg= github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e/go.mod h1:Sb6li54lXV0yYEjI4wX8cucdQ9gqUJV3+Ngg3l9g30I= github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54 h1:jbchLJWyhKcmOjkbC4zDvT/n5EEd7g6hnnF760rEyRA= github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54/go.mod h1:Vrkh1pnjV9Bl8c3P9zH0/D4NlOHWP5d4/hF4YTULaec= +github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b h1:jUK33OXuZP/l6babJtnLo1qsGvq6G9so9KMflGAm4YA= github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b/go.mod h1:8458kAagoME2+LN5//WxE71ysZ3B7r22fdgb7qVmXSY= github.com/sanathkr/yaml v0.0.0-20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ= 
@@ -744,8 +1145,14 @@ github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522 h1:39BJIaZIhIBmXAT github.com/sanathkr/yaml v1.0.1-0.20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ= github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis= github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4= +github.com/satori/go.uuid v0.0.0-20160603004225-b111a074d5ef/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/satori/go.uuid v1.2.1-0.20181028125025-b2ce2384e17b/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/scaleway/scaleway-sdk-go v1.0.0-beta.7.0.20210223165440-c65ae3540d44/go.mod h1:CJJ5VAbozOl0yEw7nHB9+7BXTJbIn6h7W+f6Gau5IP8= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/segmentio/kafka-go v0.1.0/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo= +github.com/segmentio/kafka-go v0.2.0/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= 
@@ -753,15 +1160,25 @@ github.com/shirou/gopsutil v3.20.12+incompatible h1:6VEGkOXP/eP4o2Ilk8cSsX0PhOEf github.com/shirou/gopsutil v3.20.12+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= +github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/shurcooL/vfsgen v0.0.0-20181202132449-6a9ea43bcacd/go.mod h1:TrYk7fJVaAttu97ZZKrO9UbRa8izdowaMIZcxYMbVaw= +github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546/go.mod h1:TrYk7fJVaAttu97ZZKrO9UbRa8izdowaMIZcxYMbVaw= github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a h1:pa8hGb/2YqsZKovtsgrwcDH1RZhVbTKCjLp47XpqCDs= github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= 
+github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/snowflakedb/gosnowflake v1.3.4/go.mod h1:NsRq2QeiMUuoNUJhp5Q6xGC4uBrsS9g6LwZVEkTWgsE= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI= github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= 
@@ -769,20 +1186,26 @@ github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= +github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= +github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48= 
github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.0/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -792,16 +1215,29 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= +github.com/tinylib/msgp v1.0.2/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE= +github.com/tinylib/msgp v1.1.0/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b h1:X/8hkb4rQq3+QuOxpJK7gWmAXmZucF0EI1s1BfBLq6U= github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b/go.mod h1:jAqhj/JBVC1PwcLTWd6rjQyGyItxxrhpiBl8LSuAGmw= github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786 h1:B/IVHYiI0d04dudYw+CvCAGqSMq8d0yWy56eD6p85BQ= github.com/tsg/gopacket v0.0.0-20200626092518-2ab8e397a786/go.mod h1:RIkfovP3Y7my19aXEjjbNd9E5TlHozzAyt7B8AaEcwg= +github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= +github.com/uber-go/tally v3.3.15+incompatible/go.mod h1:YDTIBxdXyOU/sCWilKB4bgyufu1cEi0jdVnRdxvjnmU= +github.com/uber/athenadriver v1.1.4/go.mod h1:tQjho4NzXw55LGfSZEcETuYydpY1vtmixUabHkC1K/E= +github.com/uber/jaeger-client-go v2.23.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk= +github.com/uber/jaeger-client-go v2.29.1+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk= +github.com/uber/jaeger-lib v2.2.0+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U= +github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U= github.com/ugorji/go v1.1.8 
h1:/D9x7IRpfMHDlizVOgxrag5Fh+/NY+LtI8bsr+AswRA= github.com/ugorji/go v1.1.8/go.mod h1:0lNM99SwWUIRhCXnigEMClngXBk/EmpTXa7mgiewYWA= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= github.com/ugorji/go/codec v1.1.8 h1:4dryPvxMP9OtkjIbuNeK2nb27M38XMHLGlfNSNph/5s= github.com/ugorji/go/codec v1.1.8/go.mod h1:X00B19HDtwvKbQY2DcYjvZxKQp8mzrJoQ6EgoIY/D2E= github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urso/diag v0.0.0-20200210123136-21b3cc8eb797 h1:OHNw/6pXODJAB32NujjdQO/KIYQ3KAbHQfCzH81XdCs= github.com/urso/diag v0.0.0-20200210123136-21b3cc8eb797/go.mod h1:pNWFTeQ+V1OYT/TzWpnWb6eQBdoXpdx+H+lrH97/Oyo= github.com/urso/go-bin v0.0.0-20180220135811-781c575c9f0e h1:NiofbjIUI5gR+ybDsGSVH1fWyjSeDYiYVJHT1+kcsak= 
@@ -813,10 +1249,18 @@ github.com/urso/qcgen v0.0.0-20180131103024-0b059e7db4f4/go.mod h1:RspW+E2Yb7Fs7 github.com/urso/sderr v0.0.0-20210525210834-52b04e8f5c71 h1:CehQeKbysHV8J2V7AD0w8NL2x1h04kmmo/Ft5su4lU0= github.com/urso/sderr v0.0.0-20210525210834-52b04e8f5c71/go.mod h1:Wp40HwmjM59FkDIVFfcCb9LzBbnc0XAMp8++hJuWvSU= github.com/vbatts/tar-split v0.11.1/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g= +github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41 h1:NeNpIvfvaFOh0BH7nMEljE5Rk/VJlxhm58M41SeOD20= github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/willf/bitset v1.1.3/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= +github.com/willf/bitset v1.1.9/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= +github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= +github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs= +github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM= +github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= github.com/xdg/scram v1.0.3 h1:nTadYh2Fs4BK2xdldEa2g5bbaZp0/+1nJMMPtPxS/to= github.com/xdg/scram v1.0.3/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= +github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= github.com/xdg/stringprep v1.0.3 h1:cmL5Enob4W83ti/ZHuZLuKD/xqJfus4fVPwE+/BDm+4= github.com/xdg/stringprep v1.0.3/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 
@@ -824,7 +1268,11 @@ github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= github.com/xeipuuv/gojsonschema v0.0.0-20181112162635-ac52e6811b56/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xlab/treeprint v0.0.0-20180616005107-d6fb6747feb6/go.mod h1:ce1O1j6UtZfjr22oyGxGLbauSBp2YVXpARAosm7dHBg= +github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7 h1:0gYLpmzecnaDCoeWxSfEJ7J1b6B/67+NV++4HKQXx+Y= github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7/go.mod h1:aEV29XrmTYFr3CiRxZeGHpkvbwq+prZduBqMaascyCU= go.elastic.co/apm v1.7.2/go.mod h1:tCw6CkOJgkWnzEthFN9HUP1uL3Gjc/Ur6m7gRPLaoH0= 
@@ -841,43 +1289,98 @@ go.elastic.co/fastjson v1.1.0 h1:3MrGBWWVIxe/xvsbpghtkFoPciPhOCmjsR/HfwEeQR4= go.elastic.co/fastjson v1.1.0/go.mod h1:boNGISWMjQsUPy/t6yqt2/1Wx4YNPSe+mZjlyw9vKKI= go.elastic.co/go-licence-detector v0.4.0 h1:it5dP+6LPxLsosdhtbAqk/zJQxzS0QSSpdNkKVuwKMs= go.elastic.co/go-licence-detector v0.4.0/go.mod h1:fSJQU8au4SAgDK+UQFbgUPsXKYNBDv4E/dwWevrMpXU= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg= go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= +go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= +go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= +go.mongodb.org/mongo-driver v1.3.0/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE= +go.mongodb.org/mongo-driver v1.3.2/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE= +go.mongodb.org/mongo-driver v1.3.4/go.mod h1:MSWZXKOynuguX+JSvwP8i+58jYCXxbia8HS3gZBapIE= +go.mongodb.org/mongo-driver v1.4.3/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= +go.mongodb.org/mongo-driver v1.4.4/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= +go.mongodb.org/mongo-driver v1.4.6/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= +go.mongodb.org/mongo-driver v1.5.1/go.mod h1:gRXCHX4Jo7J0IJ1oDQyUxF7jfy19UfxniMS4xxMmUqw= +go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= +go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2 
h1:75k/FF0Q2YM8QYo07VPddOLBslDt1MZOdEslOHvmzAs= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= +go.uber.org/atomic v1.5.1/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= +go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= +go.uber.org/atomic v1.8.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.0.0 h1:qsup4IcBdlmsnGfqyLl4Ntn3C2XCCuKAE7DwHpScyUo= go.uber.org/goleak v1.0.0/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= +go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0 h1:sFPn2GLc3poCkfrpIXGhBD2X0CMIo4Q/zSULXrj/+uc= go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= +go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= +go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= +go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +go.uber.org/zap v1.13.0/go.mod 
h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= go.uber.org/zap v1.14.0 h1:/pduUoebOeeJzTDFuoMgC6nRkiasr1sBCIEorly7m4o= go.uber.org/zap v1.14.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= +go.uber.org/zap v1.14.1/go.mod h1:Mb2vm2krFEG5DV0W9qcHBYFtp/Wku1cvYaqPsS/WYfc= golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20180505025534-4ec37c66abab/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191202143827-86a70503ff7e/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200422194213-44a606286825/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e h1:gsTQYXdTw2Gq7RBsWvlQ91b+aEQ6bXFUngBGuR8sPpI= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= +golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20191227195350-da58074b4299 h1:zQpM52jfKHG6II1ISZY1ZcpygvuSFZpLwfluuF89XOg= golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= +golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -890,20 +1393,35 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367 h1:0IiAsCRByjO2QjX7ZPkw5oU9x+n1YqRL802rjC0c3Aw= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net 
v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -911,18 +1429,46 @@ golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191021144547-ec77196f6094/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200425230154-ff2c4b7c35a0/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 
+golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= +golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= +golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q= golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -932,71 +1478,141 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190412183630-56d357773e84/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync 
v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180810173357-98c5dad5d1a0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190529164535-6a60838ec259/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys 
v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191025021431-6c3a3bfe00ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191128015809-6d18c012aee9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191220142924-d4481acd189f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200107162124-548cf772de50/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 
+golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0 h1:6txNFSnY+tteYoO+hf01EpdYcYZiurdC9MDIrcUzEu4= golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1004,42 +1620,126 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo= +gonum.org/v1/gonum v0.0.0-20181121035319-3f7ecaa7e8ca/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo= +gonum.org/v1/gonum v0.6.0/go.mod h1:9mxDZsDKxgMAuccQkewq682L+0eCu4dCN2yonUJTCLU= +gonum.org/v1/netlib v0.0.0-20181029234149-ec6d1f5cefe6/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/plot v0.0.0-20190515093506-e2840ee46a6b/go.mod h1:Wt8AAjI+ypCyYX3nZBvf6cAIx93T+c/OS2HFAYskSZc= +google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.15.0 h1:yzlyyDW/J0w8yNFJIhiAJy4kq74S+1DOLdawELNxFMA= google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 
+google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= +google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= +google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= +google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= +google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= +google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= +google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= +google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7/go.mod 
h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190530194941-fb225487d101/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= +google.golang.org/genproto v0.0.0-20190716160619-c506a9f90610/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200108215221-bd8f9a0ef82f/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod 
h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= +google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200420144010-e5e8543f8aeb/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= +google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto 
v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb h1:hcskBH5qZCOa7WpTUFUFvoebnSFZBYpjykLtjIp9DVk= google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod 
h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= +google.golang.org/grpc v1.29.0/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.29.1 h1:EC2SB8S04d2r73uptxphDSUG+kTKVgjRPF+N3xpxRB4= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= +google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= +google.golang.org/grpc v1.35.0/go.mod 
h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -1051,17 +1751,23 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/fsnotify/fsnotify.v1 v1.4.7/go.mod h1:Fyux9zXlo4rWoMSIzpn9fDAYjalPqJ/K1qJ27s+7ltE= +gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= 
gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= 
@@ -1077,53 +1783,86 @@ gopkg.in/jcmturner/rpc.v1 v1.1.0 h1:QHIUxTX1ISuAv9dD2wJ9HWQVuWDX/Zc0PfeC2tjc4rU= gopkg.in/jcmturner/rpc.v1 v1.1.0/go.mod h1:YIdkC4XfD6GXbzje11McwsDuOlZQSb9W4vfLvuNnlv8= gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528 h1:/saqWwm73dLmuzbNhe92F0QsZ/KiFND+esHco2v1hiY= gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/gotestsum v0.6.0 h1:0zIxynXq9gkAcRpboAi3qOQIkZkCt/stfQzd7ab7Czs= gotest.tools/gotestsum v0.6.0/go.mod h1:LEX+ioCVdeWhZc8GYfiBRag360eBhwixWJ62R9eDQtI= +gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= +honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= howett.net/plist v0.0.0-20181124034731-591f970eefbb h1:jhnBjNi9UFpfpl8YZhA9CrOqpnJdvzuiHsl/dnxl11M= howett.net/plist v0.0.0-20181124034731-591f970eefbb/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0= +k8s.io/api v0.17.5/go.mod h1:0zV5/ungglgy2Rlm3QK8fbxkXVs+BSJWpJP/+8gUVLY= k8s.io/api v0.19.4 
h1:I+1I4cgJYuCDgiLNjKx7SLmIbwgj9w7N7Zr5vSIdwpo= k8s.io/api v0.19.4/go.mod h1:SbtJ2aHCItirzdJ36YslycFNzWADYH3tgOhvBEFtZAk= +k8s.io/api v0.21.1/go.mod h1:FstGROTmsSHBarKc8bylzXih8BLNYTiS3TZcsoEDg2s= +k8s.io/apimachinery v0.17.5/go.mod h1:ioIo1G/a+uONV7Tv+ZmCbMG1/a3kVw5YcDdncd8ugQ0= k8s.io/apimachinery v0.19.4 h1:+ZoddM7nbzrDCp0T3SWnyxqf8cbWPT2fkZImoyvHUG0= k8s.io/apimachinery v0.19.4/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= +k8s.io/apimachinery v0.21.1/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY= +k8s.io/client-go v0.17.5/go.mod h1:S8uZpBpjJJdEH/fEyxcqg7Rn0P5jH+ilkgBHjriSmNo= k8s.io/client-go v0.19.4 h1:85D3mDNoLF+xqpyE9Dh/OtrJDyJrSRKkHmDXIbEzer8= k8s.io/client-go v0.19.4/go.mod h1:ZrEy7+wj9PjH5VMBCuu/BDlvtUAku0oVFk4MmnW9mWA= +k8s.io/client-go v0.21.1/go.mod h1:/kEw4RgW+3xnBGzvp9IWxKSNA+lXn3A7AuH3gdOAzLs= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= +k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= +k8s.io/kube-openapi v0.0.0-20200316234421-82d701f24f9d/go.mod h1:F+5wygcW0wmRTnM3cOgIqGivxkwSWIWT5YdsDbeAOaU= k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6 h1:+WnxoVtG8TMiudHBSEtrVL1egv36TkkJm+bA8AxicmQ= k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod 
h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= +k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE= k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +k8s.io/utils v0.0.0-20200414100711-2df71ebbae66/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20200729134348-d5654de09c73 h1:uJmqzgNWG7XyClnU/mLPBWwfKKF1K8Hf8whTseBgJcg= k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= +rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= +rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +sigs.k8s.io/structured-merge-diff/v2 v2.0.1/go.mod h1:Wb7vfKAodbKgf6tn1Kl0VvGj7mRH6DGaRcixXEJXTsE= sigs.k8s.io/structured-merge-diff/v4 v4.0.1 h1:YXTMot5Qz/X1iBRJhAt+vI+HVttY0WkSqqhKxQ0xVbA= sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.1.0/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= -github.com/HdrHistogram/hdrhistogram-go v1.0.1 h1:GX8GAYDuhlFQnI2fRDHQhTlkHMz8bEn0jTI6LJU0mpw= -github.com/HdrHistogram/hdrhistogram-go v1.0.1/go.mod h1:BWJ+nMSHY3L41Zj7CA3uXnloDp7xxV0YvstAE7nKTaM= 
+sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU= From 942cc6223b7a0420c275ea1b0a04114f3c3431e0 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sat, 18 Sep 2021 22:45:25 -0700 Subject: [PATCH 39/63] Merge conflict --- go.mod | 9 ++++---- go.sum | 69 +++++++++++----------------------------------------------- 2 files changed, 18 insertions(+), 60 deletions(-) diff --git a/go.mod b/go.mod index 62f167f8281..524d3dee491 100644 --- a/go.mod +++ b/go.mod @@ -45,7 +45,7 @@ require ( github.com/davecgh/go-xdr v0.0.0-20161123171359-e6a2ba005892 // indirect github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2 // indirect - github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b + github.com/dgraph-io/badger/v3 v3.2103.1 github.com/digitalocean/go-libvirt v0.0.0-20180301200012-6075ea3c39a1 github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf // indirect github.com/docker/docker v20.10.7+incompatible @@ -85,13 +85,13 @@ require ( github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e github.com/godror/godror v0.10.4 github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b - github.com/gofrs/uuid v4.0.0+incompatible - github.com/gogo/protobuf v1.3.1 + github.com/gofrs/uuid v3.3.0+incompatible + github.com/gogo/protobuf v1.3.2 github.com/golang/mock v1.6.0 github.com/golang/protobuf v1.4.3 github.com/golang/snappy v0.0.3 github.com/gomodule/redigo v1.8.3 - github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9 + github.com/google/flatbuffers v1.12.0 github.com/google/go-cmp v0.5.4 github.com/google/gopacket v1.1.18-0.20191009163724-0ad7f2610e34 github.com/google/uuid v1.1.2 
@@ -199,6 +199,7 @@ replace ( github.com/dop251/goja_nodejs => github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6 github.com/fsnotify/fsevents => github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 github.com/fsnotify/fsnotify => github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d + github.com/golang/glog => github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4 github.com/google/gopacket => github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41 github.com/insomniacslk/dhcp => github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 // indirect github.com/tonistiigi/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c diff --git a/go.sum b/go.sum index 0f9bb192b60..62ad26fe9dc 100644 --- a/go.sum +++ b/go.sum 
@@ -97,14 +97,6 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= -github.com/DATA-DOG/go-sqlmock v1.4.1/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= -github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= -github.com/DataDog/zstd v1.4.1 h1:3oxKN3wbHibqx897utPC2LTQU4J+IHWWJO+glkAkpFM= -github.com/DataDog/zstd v1.4.1/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= -github.com/HdrHistogram/hdrhistogram-go v1.0.1 h1:GX8GAYDuhlFQnI2fRDHQhTlkHMz8bEn0jTI6LJU0mpw= -github.com/HdrHistogram/hdrhistogram-go v1.0.1/go.mod h1:BWJ+nMSHY3L41Zj7CA3uXnloDp7xxV0YvstAE7nKTaM= -github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= github.com/Masterminds/semver v1.4.2 h1:WBLTQ37jOCzSLtXNdoo8bNM8876KhNqOKvrlGITgsTc= github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Masterminds/sprig v2.16.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= 
@@ -291,10 +283,10 @@ github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc/go.mod h1:xb github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2 h1:6+hM8KeYKV0Z9EIINNqIEDyyIRAcNc2FW+/TUYNmWyw= github.com/devigned/tab v0.1.2-0.20190607222403-0c15cf42f9a2/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= -github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b h1:mUDs72Rlzv6A4YN8w3Ra3hU9x/plOQPcQjZYL/1f5SM= -github.com/dgraph-io/badger/v2 v2.2007.3-0.20201012072640-f5a7e0a1c83b/go.mod h1:26P/7fbL4kUZVEVKLAKXkBXKOydDmM2p1e+NhhnBCAE= -github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de h1:t0UHb5vdojIDUqktM6+xJAfScFBsVpXZmqC9dsgJmeA= -github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E= +github.com/dgraph-io/badger/v3 v3.2103.1 h1:zaX53IRg7ycxVlkd5pYdCeFp1FynD6qBGQoQql3R3Hk= +github.com/dgraph-io/badger/v3 v3.2103.1/go.mod h1:dULbq6ehJ5K0cGW/1TQ9iSfUk0gbSiToDWmWmTsJ53E= +github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI= +github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4= github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8/go.mod h1:VMaSuZ+SZcx/wljOQKvp5srsbCiKDEb6K2wC4+PiBmQ= 
@@ -353,6 +345,8 @@ github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6 h1 github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6/go.mod h1:uh/Gj9a0XEbYoM4NYz4LvaBVARz3QXLmlNjsrKY9fTc= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 h1:cWPqxlPtir4RoQVCpGSRXmLqjEHpJKbR60rxh1nQZY4= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng= +github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4 h1:ViJxdtOsHeO+SWVekzM82fYHH1xnvZ8CvGPXZj+G4YI= +github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= github.com/elastic/go-concert v0.2.0 h1:GAQrhRVXprnNjtvTP9pWJ1d4ToEA4cU5ci7TwTa20xg= github.com/elastic/go-concert v0.2.0/go.mod h1:HWjpO3IAEJUxOeaJOWXWEp7imKd27foxz9V5vegC/38= github.com/elastic/go-libaudit/v2 v2.2.0 h1:TY3FDpG4Zr9Qnv6KYW6olYr/U+nfu0rD2QAbv75VxMQ= 
@@ -590,17 +584,13 @@ github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRx github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0 h1:RAqyYixv1p7uEnocuy8P1nru5wprCh/MH2BIlW5z5/o= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= -github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= -github.com/golang/geo v0.0.0-20190916061304-5b978397cfec/go.mod h1:QZ0nwyI2jOfgRAoBvP+ab5aRr7c9x7lhGEJrKvBwjWI= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -628,16 +618,14 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA= github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/gomodule/redigo v1.8.3 h1:HR0kYDX2RJZvAup8CsiJwxB4dTCSC0AaUq6S4SiLwUc= github.com/gomodule/redigo v1.8.3/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9 h1:b4EyQBj8pgtcWOr7YCSxK6NUQzJr0n4hxJ3mc+dtKk4= -github.com/google/flatbuffers v1.7.2-0.20170925184458-7a6b2bf521e9/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/flatbuffers v1.12.0 h1:/PtAHvnBY4Kqnx/xCQ3OIV9uYcSFGScBsWI3Oogeh6w= +github.com/google/flatbuffers v1.12.0/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -871,13 +859,9 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.4.0/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= -github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= -github.com/klauspost/compress v1.12.2 h1:2KCfW3I9M7nSc5wOqXAlW2v2U6v+w6cbjvbfp+OykW8= github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= -github.com/klauspost/cpuid v0.0.0-20170728055534-ae7887de9fa5/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= -github.com/klauspost/crc32 v0.0.0-20161016154125-cb6bfca970f6/go.mod h1:+ZoRqAPRLkC4NPOvfYeR5KNOrY6TD+/sAC3HXPZgDYg= -github.com/klauspost/pgzip v1.0.2-0.20170402124221-0bf5dcad4ada/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= +github.com/klauspost/compress v1.12.3 h1:G5AfA94pHPysR56qqrkO2pxEexdDzrpFJ6yt/VqWxVU= +github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
@@ -1307,13 +1291,9 @@ go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.2 h1:75k/FF0Q2YM8QYo07VPddOLBslDt1MZOdEslOHvmzAs= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.5 h1:dntmOdLpSpHlVqbW5Eay97DelsZHe+55D+xC6i0dDS0= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= -go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/atomic v1.5.1/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= 
@@ -1455,14 +1435,7 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= 
@@ -1527,8 +1500,6 @@ golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1565,25 +1536,11 @@ golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= From 8a6f791ca4012e7a5ef5d61012613e61ebc48eaf Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sat, 18 Sep 2021 22:59:04 -0700 Subject: [PATCH 40/63] Merge conflict --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 524d3dee491..7993231e45d 100644 --- a/go.mod +++ b/go.mod @@ -131,7 +131,7 @@ require ( github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc // indirect github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 - github.com/prometheus/common v0.7.00 + github.com/prometheus/common v0.7.0 github.com/prometheus/procfs v0.0.11 github.com/prometheus/prometheus v1.8.2-0.20210701133801-b0944590a1c9 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 From e9c6afdb290663b38194fed9508411c24bf2d628 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sat, 18 Sep 2021 23:12:24 -0700 Subject: [PATCH 41/63] Fix lint error for missing golang.org/x/sys entry in go.sum --- go.sum | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/go.sum b/go.sum index 62ad26fe9dc..904ae874b5f 100644 --- a/go.sum +++ b/go.sum 
@@ -1500,6 +1500,7 @@ golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1536,11 +1537,25 @@ golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= From 22f0c9ca3496d99d42b5e5e837a5682668aad66a Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sat, 18 Sep 2021 23:32:45 -0700 Subject: [PATCH 42/63] Fix lint error for missing golang.org/x/sys entry in go.sum --- go.sum | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/go.sum b/go.sum index 904ae874b5f..26f5c70df86 100644 --- a/go.sum +++ b/go.sum 
@@ -1500,7 +1500,6 @@ golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1537,25 +1536,11 @@ golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1838,3 +1823,18 @@ sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
From c9b0392575228e5baab752bed1aa9e5aa9bcbd78 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sat, 18 Sep 2021 23:43:19 -0700 Subject: [PATCH 43/63] Fix lint error for missing github.com/HdrHistogram/hdrhistogram-go entry in go.sum --- go.sum | 2 ++ 1 file changed, 2 insertions(+) diff --git a/go.sum b/go.sum index 26f5c70df86..9a8948653ff 100644 --- a/go.sum +++ b/go.sum @@ -1838,3 +1838,5 @@ golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +github.com/HdrHistogram/hdrhistogram-go v1.0.1 h1:GX8GAYDuhlFQnI2fRDHQhTlkHMz8bEn0jTI6LJU0mpw= +github.com/HdrHistogram/hdrhistogram-go v1.0.1/go.mod h1:BWJ+nMSHY3L41Zj7CA3uXnloDp7xxV0YvstAE7nKTaM= From c6cb7a98894df09e5b80a414a743f61fe3aff755 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sun, 19 Sep 2021 09:07:46 -0700 Subject: [PATCH 44/63] Fix lint error for missing github.com/prometheus/client_golang entry in go.sum --- go.sum | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/go.sum b/go.sum index 9a8948653ff..1d8099bfe80 100644 --- a/go.sum +++ b/go.sum 
@@ -1082,6 +1082,14 @@ github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5Fsn github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc h1:6B8wpniGN4FtqzqWhe2OBOGkeZFbhwZpCh+V/pv/oik= github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc/go.mod h1:ikMPikHu8SMvBGWoKulvvOOZN227amf2E9eMYqyAwAY= +github.com/prometheus/client_golang v1.2.1/go.mod h1:XMU6Z2MjaRKVu/dC1qupJI9SiNkDYzz3xecMgSW/F+U= +github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og= +github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= +github.com/prometheus/client_golang v1.5.1/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= +github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= +github.com/prometheus/client_golang v1.10.0/go.mod h1:WJM3cc3yu7XKBKa/I8WeZm+V3eltZnBwfENSU7mdogU= +github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ= +github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 h1:gQz4mCbXsO+nc9n1hCxHcGA3Zx3Eo+UHZoInFGUIXNM= From 9145e82449e74f4789b09b6395b4ffb684f7549d Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sun, 19 Sep 2021 09:40:33 -0700 Subject: [PATCH 45/63] Fix lint error for missing github.com/prometheus/client_model entry in go.sum --- go.sum | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/go.sum b/go.sum index 1d8099bfe80..8114aa188ac 100644 --- a/go.sum +++ b/go.sum 
@@ -1091,9 +1091,13 @@ github.com/prometheus/client_golang v1.10.0/go.mod h1:WJM3cc3yu7XKBKa/I8WeZm+V3e github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 h1:gQz4mCbXsO+nc9n1hCxHcGA3Zx3Eo+UHZoInFGUIXNM= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= +github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= github.com/prometheus/common v0.7.0 h1:L+1lyG48J1zAQXA3RBX/nG/B3gjlHq0zTt2tlbJLyCY= From e79c8c79b280ecc63082e9ea6a4c4bc7463501b1 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sun, 19 Sep 2021 09:57:08 -0700 Subject: [PATCH 46/63] Fix lint error for missing github.com/prometheus/common entry in go.sum --- go.mod | 6 +++--- go.sum | 9 +++++++++ 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 7993231e45d..395dfc53c1a 100644 --- a/go.mod +++ b/go.mod 
@@ -130,9 +130,9 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/pmezard/go-difflib v1.0.0
 	github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc // indirect
-	github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4
-	github.com/prometheus/common v0.7.0
-	github.com/prometheus/procfs v0.0.11
+	github.com/prometheus/client_model v0.2.0
+	github.com/prometheus/common v0.29.0
+	github.com/prometheus/procfs v0.6.0
 	github.com/prometheus/prometheus v1.8.2-0.20210701133801-b0944590a1c9
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
 	github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e // indirect
diff --git a/go.sum b/go.sum
index 8114aa188ac..2885dabf389 100644
--- a/go.sum
+++ b/go.sum
@@ -1098,10 +1098,19 @@ github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1: github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= github.com/prometheus/common v0.7.0 h1:L+1lyG48J1zAQXA3RBX/nG/B3gjlHq0zTt2tlbJLyCY= github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA= +github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= +github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= +github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= +github.com/prometheus/common v0.18.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= +github.com/prometheus/common v0.23.0/go.mod h1:H6QK/N6XVT42whUeIdI3dp36w49c+/iMDk7UAI2qm7Q= +github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= +github.com/prometheus/common v0.29.0 h1:3jqPBvKT4OHAbje2Ql7KeaaSicDBCxMYwEJU1zRJceE= +github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/exporter-toolkit v0.5.1/go.mod h1:OCkM4805mmisBhLmVFw858QYi3v0wKdY6/UxrT0pZVg= github.com/prometheus/exporter-toolkit v0.6.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= From d241aeb848e890bb211026b2829b93b267d5ddc6 Mon Sep 17 00:00:00 2001 
From: Premendra Singh Date: Sun, 19 Sep 2021 10:15:10 -0700 Subject: [PATCH 47/63] Fix lint error for missing github.com/prometheus/procfs entry in go.sum --- go.sum | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/go.sum b/go.sum index 2885dabf389..24f9e32d006 100644 --- a/go.sum +++ b/go.sum @@ -1118,8 +1118,12 @@ github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7z github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= +github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= github.com/prometheus/procfs v0.0.11 h1:DhHlBtkHWPYi8O2y31JkK0TF+DGM+51OopZjH/Ia5qI= github.com/prometheus/procfs v0.0.11/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= +github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= +github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4= +github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/prometheus v0.0.0-20200609090129-a6600f564e3c/go.mod h1:S5n0C6tSgdnwWshBUceRx5G1OsjLv/EeZ9t3wIfEtsY= github.com/prometheus/prometheus v1.8.2-0.20210701133801-b0944590a1c9 h1:If7jYp33vwa8ZQ7GGwrAs0SBjiW0aWeAB/oV1aG7bZ4= github.com/prometheus/prometheus v1.8.2-0.20210701133801-b0944590a1c9/go.mod h1:A97P+iwS3Ffpxpejz4+ASZl6i9EqSJDzxObq8DjV2SU= From 2aa82fb1b7eca7101c61d3e934530c7ea73d7817 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sun, 19 Sep 2021 22:00:45 -0700 Subject: [PATCH 48/63] Fix lint error for missing cloud.google.com/go entry in go.sum --- go.mod | 2 +- go.sum | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 395dfc53c1a..02b6424cc70 100644 --- a/go.mod +++ b/go.mod 
@@ -3,7 +3,7 @@ module github.com/elastic/beats/v7
 go 1.16
 
 require (
-	cloud.google.com/go v0.51.0
+	cloud.google.com/go v0.83.0
 	cloud.google.com/go/bigquery v1.0.1
 	cloud.google.com/go/pubsub v1.0.1
 	cloud.google.com/go/storage v1.0.0
diff --git a/go.sum b/go.sum
index 24f9e32d006..6eaa166c346 100644
--- a/go.sum
+++ b/go.sum
@@ -2,12 +2,28 @@ bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxo cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.43.0/go.mod h1:BOSR3VbTLkk6FDC/TcffxP4NF/FFBGA5ku+jvKOP7pg= cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= cloud.google.com/go v0.51.0 h1:PvKAVQWCtlGUSlZkGW3QLelKaWq7KYv/MW1EboG8bfM= cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= +cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= +cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= +cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= +cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= +cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= +cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= +cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= +cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go v0.81.0/go.mod 
h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= +cloud.google.com/go v0.83.0 h1:bAMqZidYkmIsUqe6PtkEPT7Q+vfizScn+jfNA6jwK9c= +cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= cloud.google.com/go/bigquery v1.0.1 h1:hL+ycaJpVE9M7nLoiXb/Pn10ENE2u+oddxbD8uu0ZVU= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/datastore v1.0.0 h1:Kt+gOPPp2LEPWp8CSfxhsM8ik9CcyE/gYu+0r+RnZvM=
From f975a8042357bab579d5798a2588df7cb3fd8f13 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sun, 19 Sep 2021 22:11:32 -0700 Subject: [PATCH 49/63] Fix lint error for missing cloud.google.com/go/storage entry in go.sum --- go.mod | 2 +- go.sum | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 02b6424cc70..daa8fb2df35 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 	cloud.google.com/go v0.83.0
 	cloud.google.com/go/bigquery v1.0.1
 	cloud.google.com/go/pubsub v1.0.1
-	cloud.google.com/go/storage v1.0.0
+	cloud.google.com/go/storage v1.10.0
 	code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee // indirect
 	code.cloudfoundry.org/go-loggregator v7.4.0+incompatible
 	code.cloudfoundry.org/rfc5424 v0.0.0-20180905210152-236a6d29298a // indirect
diff --git a/go.sum b/go.sum
index 6eaa166c346..c5cd6791323 100644
--- a/go.sum
+++ b/go.sum
@@ -32,6 +32,11 @@ cloud.google.com/go/pubsub v1.0.1 h1:W9tAK3E57P75u0XLLR82LZyw8VpAnhmyTOxW9qzmyj8 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/storage v1.0.0 h1:VV2nUM3wwLLGh9lSABFgZMjInyUbJeaRSE64WuAIQ+4= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= +cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= +cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0 h1:STgFzyU5/8miMl0//zKh2aQeTyeaUH3WN9bSUiJ09bA= +cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee h1:iAAPf9s7/+BIiGf+RjgcXLm3NoZaLIJsBXJuUa63Lx8= code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee/go.mod h1:Jzi+ccHgo/V/PLQUaQ6hnZcC1c4BS790gx21LRRui4g= code.cloudfoundry.org/go-loggregator v7.4.0+incompatible h1:KqZYloMQWM5Zg/BQKunOIA4OODh7djZbk48qqbowNFI=
From c248bf4f45c87308e19e27a6413d13a7412e0f84 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sun, 19 Sep 2021 22:24:57 -0700 Subject: [PATCH 50/63] Fix lint error for missing github.com/golang/protobuf entry in go.sum --- go.mod | 2 +- go.sum | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index daa8fb2df35..60f2b527ddd 100644
--- a/go.mod
+++ b/go.mod
@@ -88,7 +88,7 @@ require (
 	github.com/gofrs/uuid v3.3.0+incompatible
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/mock v1.6.0
-	github.com/golang/protobuf v1.4.3
+	github.com/golang/protobuf v1.5.2
 	github.com/golang/snappy v0.0.3
 	github.com/gomodule/redigo v1.8.3
 	github.com/google/flatbuffers v1.12.0
diff --git a/go.sum b/go.sum
index c5cd6791323..2f6cba592be 100644
--- a/go.sum
+++ b/go.sum
@@ -626,10 +626,13 @@ github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= 
@@ -639,6 +642,10 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= +github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA= github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/gomodule/redigo v1.8.3 h1:HR0kYDX2RJZvAup8CsiJwxB4dTCSC0AaUq6S4SiLwUc= From d0e4f0f6139583ff7e383676b509f1ce56f1a8be Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sun, 19 Sep 2021 22:30:49 -0700 Subject: [PATCH 51/63] Fix merge conflict for github.com/golang/protobuf in go.sum --- go.sum | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/go.sum b/go.sum index 2f6cba592be..d83aead926f 100644 --- a/go.sum +++ b/go.sum 
@@ -642,10 +642,6 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= -github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA= github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/gomodule/redigo v1.8.3 h1:HR0kYDX2RJZvAup8CsiJwxB4dTCSC0AaUq6S4SiLwUc= @@ -1893,3 +1889,7 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= github.com/HdrHistogram/hdrhistogram-go v1.0.1 h1:GX8GAYDuhlFQnI2fRDHQhTlkHMz8bEn0jTI6LJU0mpw= github.com/HdrHistogram/hdrhistogram-go v1.0.1/go.mod h1:BWJ+nMSHY3L41Zj7CA3uXnloDp7xxV0YvstAE7nKTaM= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= +github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= From 7188df3a0d49b8baaaf9e0eea7289d3a09a02e69 Mon Sep 17 00:00:00 2001 
From: Premendra Singh Date: Sun, 19 Sep 2021 22:56:49 -0700 Subject: [PATCH 52/63] Fix lint error for missing github.com/google/go-cmp entry in go.sum --- go.mod | 2 +- go.sum | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 60f2b527ddd..4f434e58775 100644
--- a/go.mod
+++ b/go.mod
@@ -92,7 +92,7 @@ require (
 	github.com/golang/snappy v0.0.3
 	github.com/gomodule/redigo v1.8.3
 	github.com/google/flatbuffers v1.12.0
-	github.com/google/go-cmp v0.5.4
+	github.com/google/go-cmp v0.5.6
 	github.com/google/gopacket v1.1.18-0.20191009163724-0ad7f2610e34
 	github.com/google/uuid v1.1.2
 	github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75
diff --git a/go.sum b/go.sum
index d83aead926f..4d5dcf63e7c 100644
--- a/go.sum
+++ b/go.sum
@@ -654,10 +654,16 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= From 4c3c34ef7199263d9f5fdc4712a08fae1d0ee6d9 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sun, 19 Sep 2021 23:00:17 -0700 Subject: [PATCH 53/63] Fix merge conflict for github.com/google/go-cmp in go.sum --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 4f434e58775..60f2b527ddd 100644 --- a/go.mod +++ b/go.mod 
@@ -92,7 +92,7 @@ require (
 github.com/golang/snappy v0.0.3
 github.com/gomodule/redigo v1.8.3
 github.com/google/flatbuffers v1.12.0
- github.com/google/go-cmp v0.5.6
+ github.com/google/go-cmp v0.5.4
 github.com/google/gopacket v1.1.18-0.20191009163724-0ad7f2610e34
 github.com/google/uuid v1.1.2
 github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75
From 1be887ef4f2cbf057246476b141ad14c37eb74b1 Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Sun, 19 Sep 2021 23:14:22 -0700
Subject: [PATCH 54/63] Fix lint error for missing go.opencensus.io entry in go.sum
---
 go.sum | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/go.sum b/go.sum
index 4d5dcf63e7c..6bff2e90bac 100644
--- a/go.sum
+++ b/go.sum
@@ -1347,8 +1347,12 @@ go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5 h1:dntmOdLpSpHlVqbW5Eay97DelsZHe+55D+xC6i0dDS0=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
+go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
+go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.5.1/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
From 76aedd474cdfa781d8e05639f228a2cb08640f17 Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Sun, 19 Sep 2021 23:20:21 -0700
Subject: [PATCH 55/63] Fix merge conflict for go.opencensus.io in go.sum
---
 go.sum | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/go.sum b/go.sum
index 6bff2e90bac..08f5955cb71 100644
--- a/go.sum
+++ b/go.sum
@@ -1347,12 +1347,8 @@ go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5 h1:dntmOdLpSpHlVqbW5Eay97DelsZHe+55D+xC6i0dDS0=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
-go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.5.1/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
@@ -1903,3 +1899,7 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
 github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
+go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
From 1915e14f5c418ca4f4fd804f7d9763809bb5fe05 Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Sun, 19 Sep 2021 23:51:19 -0700
Subject: [PATCH 56/63] Fix lint error for missing cloud.google.com/go/bigquery entry in go.sum
---
 go.sum | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/go.sum b/go.sum
index 08f5955cb71..7753a0986d1 100644
--- a/go.sum
+++ b/go.sum
@@ -26,6 +26,12 @@ cloud.google.com/go v0.83.0 h1:bAMqZidYkmIsUqe6PtkEPT7Q+vfizScn+jfNA6jwK9c=
 cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY=
 cloud.google.com/go/bigquery v1.0.1 h1:hL+ycaJpVE9M7nLoiXb/Pn10ENE2u+oddxbD8uu0ZVU=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
+cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
+cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
+cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
+cloud.google.com/go/bigquery v1.8.0 h1:PQcPefKFdaIzjQFbiyOgAqyx8q5djaE7x9Sqe712DPA=
+cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
 cloud.google.com/go/datastore v1.0.0 h1:Kt+gOPPp2LEPWp8CSfxhsM8ik9CcyE/gYu+0r+RnZvM=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/pubsub v1.0.1 h1:W9tAK3E57P75u0XLLR82LZyw8VpAnhmyTOxW9qzmyj8=
From ef6835c862aa987f9e95d543b2606900f364050d Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Tue, 21 Sep 2021 00:48:25 -0700
Subject: [PATCH 57/63] Fix lint error for missing golang.org/x/net entry in go.sum
---
 go.mod | 11 ++++----
 go.sum | 84 +++++++++++++++++++++++++++++++++++++++++-----------------
 2 files changed, 64 insertions(+), 31 deletions(-)
diff --git a/go.mod b/go.mod
index 808b23323b2..d065b19c5ee 100644
--- a/go.mod
+++ b/go.mod
@@ -4,8 +4,8 @@ go 1.16
 
 require (
 cloud.google.com/go v0.83.0
- cloud.google.com/go/bigquery v1.0.1
- cloud.google.com/go/pubsub v1.0.1
+ cloud.google.com/go/bigquery v1.8.0
+ cloud.google.com/go/pubsub v1.3.1
 cloud.google.com/go/storage v1.10.0
 code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee // indirect
 code.cloudfoundry.org/go-loggregator v7.4.0+incompatible
@@ -19,7 +19,7 @@ require (
 github.com/Azure/go-autorest/autorest/azure/auth v0.4.2
 github.com/Azure/go-autorest/autorest/date v0.3.0
 github.com/Masterminds/semver v1.4.2
- github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5
+ github.com/Microsoft/go-winio v0.4.16
 github.com/Shopify/sarama v1.27.0
 github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6
 github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc
@@ -85,14 +85,14 @@ require (
 github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e
 github.com/godror/godror v0.10.4
 github.com/gofrs/flock v0.7.2-0.20190320160742-5135e617513b
- github.com/gofrs/uuid v3.3.0+incompatible
+ github.com/gofrs/uuid v4.0.0+incompatible
 github.com/gogo/protobuf v1.3.2
 github.com/golang/mock v1.6.0
 github.com/golang/protobuf v1.5.2
 github.com/golang/snappy v0.0.3
 github.com/gomodule/redigo v1.8.3
 github.com/google/flatbuffers v1.12.0
- github.com/google/go-cmp v0.5.4
+ github.com/google/go-cmp v0.5.6
 github.com/google/gopacket v1.1.18-0.20191009163724-0ad7f2610e34
 github.com/google/uuid v1.1.2
 github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75
@@ -129,7 +129,6 @@ require (
 github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0
 github.com/pkg/errors v0.9.1
 github.com/pmezard/go-difflib v1.0.0
- github.com/prometheus/client_golang v1.1.1-0.20190913103102-20428fa0bffc // indirect
 github.com/prometheus/client_model v0.2.0
 github.com/prometheus/common v0.29.0
 github.com/prometheus/procfs v0.6.0
diff --git a/go.sum b/go.sum
index eb530ead19b..f30a9d92fbf 100644
--- a/go.sum
+++ b/go.sum
@@ -32,10 +32,16 @@ cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUM
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0 h1:PQcPefKFdaIzjQFbiyOgAqyx8q5djaE7x9Sqe712DPA=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
+cloud.google.com/go/bigtable v1.2.0/go.mod h1:JcVAOl45lrTmQfLj7T6TxyMzIN/3FGGcFm+2xVAli2o=
+cloud.google.com/go/bigtable v1.3.0/go.mod h1:z5EyKrPE8OQmeg4h5MNdKvuSnI9CCT49Ki3f23aBzio=
 cloud.google.com/go/datastore v1.0.0 h1:Kt+gOPPp2LEPWp8CSfxhsM8ik9CcyE/gYu+0r+RnZvM=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
+cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/pubsub v1.0.1 h1:W9tAK3E57P75u0XLLR82LZyw8VpAnhmyTOxW9qzmyj8=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
+cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
+cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
+cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
 cloud.google.com/go/storage v1.0.0 h1:VV2nUM3wwLLGh9lSABFgZMjInyUbJeaRSE64WuAIQ+4=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
@@ -124,6 +130,12 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
+github.com/DATA-DOG/go-sqlmock v1.4.1/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
+github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
+github.com/HdrHistogram/hdrhistogram-go v1.0.1 h1:GX8GAYDuhlFQnI2fRDHQhTlkHMz8bEn0jTI6LJU0mpw=
+github.com/HdrHistogram/hdrhistogram-go v1.0.1/go.mod h1:BWJ+nMSHY3L41Zj7CA3uXnloDp7xxV0YvstAE7nKTaM=
+github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
 github.com/Masterminds/semver v1.4.2 h1:WBLTQ37jOCzSLtXNdoo8bNM8876KhNqOKvrlGITgsTc=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/sprig v2.16.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
@@ -610,7 +622,10 @@ github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRx
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/gogo/protobuf v1.2.2-0.20190730201129-28a6bbf47e48/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
@@ -618,6 +633,9 @@ github.com/golang-jwt/jwt/v4 v4.0.0 h1:RAqyYixv1p7uEnocuy8P1nru5wprCh/MH2BIlW5z5
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
+github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
+github.com/golang/geo v0.0.0-20190916061304-5b978397cfec/go.mod h1:QZ0nwyI2jOfgRAoBvP+ab5aRr7c9x7lhGEJrKvBwjWI=
+github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -648,12 +666,19 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/gomodule/redigo v1.8.3 h1:HR0kYDX2RJZvAup8CsiJwxB4dTCSC0AaUq6S4SiLwUc=
 github.com/gomodule/redigo v1.8.3/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/flatbuffers v1.11.0/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/flatbuffers v1.12.0 h1:/PtAHvnBY4Kqnx/xCQ3OIV9uYcSFGScBsWI3Oogeh6w=
 github.com/google/flatbuffers v1.12.0/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -895,9 +920,14 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.4.0/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
 github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
 github.com/klauspost/compress v1.12.3 h1:G5AfA94pHPysR56qqrkO2pxEexdDzrpFJ6yt/VqWxVU=
 github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
+github.com/klauspost/cpuid v0.0.0-20170728055534-ae7887de9fa5/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
+github.com/klauspost/crc32 v0.0.0-20161016154125-cb6bfca970f6/go.mod h1:+ZoRqAPRLkC4NPOvfYeR5KNOrY6TD+/sAC3HXPZgDYg=
+github.com/klauspost/pgzip v1.0.2-0.20170402124221-0bf5dcad4ada/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -1150,6 +1180,7 @@ github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+
 github.com/prometheus/exporter-toolkit v0.5.1/go.mod h1:OCkM4805mmisBhLmVFw858QYi3v0wKdY6/UxrT0pZVg=
 github.com/prometheus/exporter-toolkit v0.6.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
@@ -1353,8 +1384,13 @@ go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5 h1:dntmOdLpSpHlVqbW5Eay97DelsZHe+55D+xC6i0dDS0=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
+go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
+go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.5.1/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
@@ -1496,7 +1532,15 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM=
@@ -1561,6 +1605,7 @@ golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1N jWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1597,11 +1642,25 @@ golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1884,28 +1943,3 @@ sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
 sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU=
-golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-github.com/HdrHistogram/hdrhistogram-go v1.0.1 h1:GX8GAYDuhlFQnI2fRDHQhTlkHMz8bEn0jTI6LJU0mpw=
-github.com/HdrHistogram/hdrhistogram-go v1.0.1/go.mod h1:BWJ+nMSHY3L41Zj7CA3uXnloDp7xxV0YvstAE7nKTaM=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
-go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
From 6be21bb4dcddc0dbb32de87d3c6569060b2444c0 Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Wed, 13 Oct 2021 09:02:52 -0700
Subject: [PATCH 58/63] Change to m.Module().Name()
---
 metricbeat/module/openmetrics/collector/collector.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metricbeat/module/openmetrics/collector/collector.go b/metricbeat/module/openmetrics/collector/collector.go
index ba3e9ea6e59..ab54dca1cfa 100644
--- a/metricbeat/module/openmetrics/collector/collector.go
+++ b/metricbeat/module/openmetrics/collector/collector.go
@@ -235,7 +235,7 @@ func (m *MetricSet) upMetricFamily(value float64) *p.OpenMetricFamily {
 }
 label2 := labels.Label{
 Name: upMetricJobLabel,
- Value: upMetricJobValue,
+ Value: m.Module().Name(),
 }
 metric := p.OpenMetric{
 Gauge: &gauge,
From 4400daf1f01ba63a2e8c066d7ecc6b78c444a2ae Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Sun, 14 Nov 2021 13:40:53 -0800
Subject: [PATCH 59/63] Restore go.mod
---
 go.mod | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
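Review bot: With the `job` label of the up metric now filled from `m.Module().Name()`, the `upMetricJobValue` constant that the removed line referenced has no remaining use visible in this hunk; if nothing else in collector.go reads it, delete the constant so a reader does not take it for the value actually emitted. The new line also deserves a why-comment, e.g. `// job label carries the module name so the up metric is attributable to this module's scrape`, since the sibling label `upMetricJobLabel` is a constant and the asymmetry is not self-explanatory. upMetricFamily's body starts and ends outside the hunk.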
diff --git a/go.mod b/go.mod
index 230ae8aa0f0..4a676add9ed 100644
--- a/go.mod
+++ b/go.mod
@@ -12,6 +12,7 @@ require (
 github.com/Azure/azure-event-hubs-go/v3 v3.1.2
 github.com/Azure/azure-sdk-for-go v57.0.0+incompatible
 github.com/Azure/azure-storage-blob-go v0.8.0
+ github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
 github.com/Azure/go-autorest/autorest v0.11.19
 github.com/Azure/go-autorest/autorest/adal v0.9.15
 github.com/Azure/go-autorest/autorest/azure/auth v0.4.2
@@ -52,6 +53,7 @@ require (
 github.com/dlclark/regexp2 v1.1.7-0.20171009020623-7632a260cbaf // indirect
 github.com/docker/docker v20.10.7+incompatible
 github.com/docker/go-connections v0.4.0
+ github.com/docker/go-metrics v0.0.1 // indirect
 github.com/docker/go-plugins-helpers v0.0.0-20181025120712-1e6269c305b8
 github.com/docker/go-units v0.4.0
 github.com/dolmen-go/contextio v0.0.0-20200217195037-68fc5150bcd5
@@ -110,23 +112,29 @@ require (
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901
 github.com/jonboulle/clockwork v0.2.2
 github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd
+ github.com/jpillora/backoff v1.0.0 // indirect
 github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7
 github.com/lib/pq v1.10.3
 github.com/magefile/mage v1.11.0
+ github.com/mailru/easyjson v0.7.6 // indirect
 github.com/mattn/go-colorable v0.1.6
 github.com/mattn/go-ieproxy v0.0.0-20191113090002-7c0f6868bffe // indirect
+ github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 github.com/miekg/dns v1.1.42
 github.com/mitchellh/gox v1.0.1
 github.com/mitchellh/hashstructure v0.0.0-20170116052023-ab25296c0f51
 github.com/mitchellh/mapstructure v1.4.1
+ github.com/morikuni/aec v1.0.0 // indirect
 github.com/oklog/ulid v1.3.1
 github.com/olekukonko/tablewriter v0.0.5
+ github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 // indirect
 github.com/osquery/osquery-go v0.0.0-20210622151333-99b4efa62ec5
 github.com/otiai10/copy v1.2.0
 github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0
 github.com/pkg/errors v0.9.1
 github.com/pmezard/go-difflib v1.0.0
+ github.com/prometheus/client_golang v1.11.0 // indirect
 github.com/prometheus/client_model v0.2.0
 github.com/prometheus/common v0.29.0
 github.com/prometheus/procfs v0.6.0
@@ -188,11 +196,93 @@ require (
 )
 
 require (
+ code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f // indirect
+ github.com/Azure/azure-amqp-common-go/v3 v3.0.0 // indirect
+ github.com/Azure/azure-pipeline-go v0.2.1 // indirect
+ github.com/Azure/go-amqp v0.12.6 // indirect
+ github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+ github.com/Azure/go-autorest/autorest/azure/cli v0.3.1 // indirect
+ github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
+ github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
+ github.com/Azure/go-autorest/logger v0.2.1 // indirect
+ github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+ github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f // indirect
+ github.com/armon/go-radix v1.0.0 // indirect
+ github.com/beorn7/perks v1.0.1 // indirect
+ github.com/cespare/xxhash v1.1.0 // indirect
 github.com/containerd/containerd v1.5.7 // indirect
 github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/dgraph-io/ristretto v0.1.0 // indirect
+ github.com/dimchansky/utfbom v1.1.0 // indirect
+ github.com/docker/distribution v2.7.1+incompatible // indirect
+ github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 // indirect
+ github.com/eapache/queue v1.1.0 // indirect
+ github.com/evanphx/json-patch v4.9.0+incompatible // indirect
+ github.com/fearful-symmetry/gomsr v0.0.1 // indirect
+ github.com/go-logr/logr v0.4.0 // indirect
+ github.com/gobuffalo/here v0.6.0 // indirect
 github.com/godbus/dbus/v5 v5.0.5 // indirect
+ github.com/golang-jwt/jwt/v4 v4.0.0 // indirect
+ github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe // indirect
+ github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b // indirect
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+ github.com/google/gofuzz v1.1.0 // indirect
+ github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0 // 
indirect
+ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+ github.com/googleapis/gax-go/v2 v2.0.5 // indirect
+ github.com/googleapis/gnostic v0.4.1 // indirect
+ github.com/gorilla/websocket v1.4.2 // indirect
+ github.com/hashicorp/cronexpr v1.1.0 // indirect
+ github.com/hashicorp/errwrap v1.0.0 // indirect
+ github.com/hashicorp/go-cleanhttp v0.5.1 // indirect
+ github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+ github.com/hashicorp/go-uuid v1.0.2 // indirect
+ github.com/hashicorp/go-version v1.2.0 // indirect
+ github.com/imdario/mergo v0.3.12 // indirect
+ github.com/inconshreveable/mousetrap v1.0.0 // indirect
+ github.com/jcmturner/aescts/v2 v2.0.0 // indirect
+ github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
+ github.com/jcmturner/gofork v1.0.0 // indirect
+ github.com/jcmturner/gokrb5/v8 v8.4.2 // indirect
+ github.com/jcmturner/rpc/v2 v2.0.3 // indirect
+ github.com/jmespath/go-jmespath v0.4.0 // indirect
+ github.com/josharian/intern v1.0.0 // indirect
+ github.com/json-iterator/go v1.1.11 // indirect
+ github.com/jstemmer/go-junit-report v0.9.1 // indirect
+ github.com/karrick/godirwalk v1.15.6 // indirect
 github.com/klauspost/compress v1.13.6 // indirect
+ github.com/markbates/pkger v0.17.0 // indirect
+ github.com/mattn/go-isatty v0.0.12 // indirect
+ github.com/mattn/go-runewidth v0.0.9 // indirect
+ github.com/mitchellh/go-homedir v1.1.0 // indirect
+ github.com/mitchellh/iochan v1.0.0 // indirect
+ github.com/moby/spdystream v0.2.0 // indirect
+ github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 // indirect
+ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+ github.com/modern-go/reflect2 v1.0.1 // indirect
+ github.com/pierrec/lz4 v2.6.0+incompatible // indirect
+ github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b // indirect
+ github.com/santhosh-tekuri/jsonschema v1.2.4 // indirect
+ github.com/sergi/go-diff v1.1.0 // indirect
+ github.com/sirupsen/logrus v1.8.1 // 
indirect
+ github.com/stretchr/objx v0.2.0 // indirect
+ github.com/urso/diag v0.0.0-20200210123136-21b3cc8eb797 // indirect
+ github.com/urso/go-bin v0.0.0-20180220135811-781c575c9f0e // indirect
+ github.com/xdg/stringprep v1.0.3 // indirect
+ go.elastic.co/fastjson v1.1.0 // indirect
+ go.opencensus.io v0.23.0 // indirect
+ golang.org/x/mod v0.5.1 // indirect
+ golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect
+ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+ google.golang.org/appengine v1.6.7 // indirect
+ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+ k8s.io/klog/v2 v2.9.0 // indirect
+ k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 // indirect
+ k8s.io/utils v0.0.0-20201110183641-67b214c5f920 // indirect
+ kernel.org/pub/linux/libs/security/libcap/psx v1.2.57 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.1.0 // indirect
+ sigs.k8s.io/yaml v1.2.0 // indirect
 )
 
 replace (
From b80441a150488840426d983f30b4ef2de6b14311 Mon Sep 17 00:00:00 2001
From: Premendra Singh
Date: Sun, 14 Nov 2021 21:10:42 -0800
Subject: [PATCH 60/63] do make update
---
 metricbeat/docs/fields.asciidoc | 10 ----------
 metricbeat/docs/modules/openmetrics/collector.asciidoc | 2 +-
 2 files changed, 1 insertion(+), 11 deletions(-)
diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc
index 08906072372..c6ad13169c6 100644
--- a/metricbeat/docs/fields.asciidoc
+++ b/metricbeat/docs/fields.asciidoc
@@ -52816,16 +52816,6 @@ type: keyword
 Metric unit
 
 
-type: keyword
-
---
-
-*`openmetrics.created`*::
-+
---
-Metric creation time in seconds
-
-
 type: keyword
 
 --
diff --git a/metricbeat/docs/modules/openmetrics/collector.asciidoc b/metricbeat/docs/modules/openmetrics/collector.asciidoc
index d9025cb1ef9..2b184916aa9 100644
--- a/metricbeat/docs/modules/openmetrics/collector.asciidoc
+++ b/metricbeat/docs/modules/openmetrics/collector.asciidoc
@@ -9,7 +9,7 @@ beta[] include::../../../module/openmetrics/collector/_meta/docs.asciidoc[] -This is a default metricset. +This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields From 24ad943f06289b18b60081336d22688103908937 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Sun, 14 Nov 2021 22:09:00 -0800 Subject: [PATCH 61/63] Make fmt --- metricbeat/module/openmetrics/collector/collector_test.go | 7 ++++--- metricbeat/module/openmetrics/collector/data.go | 3 ++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/metricbeat/module/openmetrics/collector/collector_test.go b/metricbeat/module/openmetrics/collector/collector_test.go index 2c3937ba41b..dd798676612 100644 --- a/metricbeat/module/openmetrics/collector/collector_test.go +++ b/metricbeat/module/openmetrics/collector/collector_test.go @@ -23,14 +23,15 @@ package collector import ( "testing" - "github.com/elastic/beats/v7/libbeat/common" - "github.com/elastic/beats/v7/metricbeat/helper/openmetrics" - "github.com/elastic/beats/v7/metricbeat/mb" "github.com/golang/protobuf/proto" prometheuslabels "github.com/prometheus/prometheus/pkg/labels" "github.com/prometheus/prometheus/pkg/textparse" "github.com/stretchr/testify/assert" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/metricbeat/helper/openmetrics" + "github.com/elastic/beats/v7/metricbeat/mb" + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" _ "github.com/elastic/beats/v7/metricbeat/module/openmetrics" diff --git a/metricbeat/module/openmetrics/collector/data.go b/metricbeat/module/openmetrics/collector/data.go index e341873c714..a3b83ccd818 100644 --- a/metricbeat/module/openmetrics/collector/data.go +++ b/metricbeat/module/openmetrics/collector/data.go 
@@ -21,9 +21,10 @@ import ( "math" "strconv" - p "github.com/elastic/beats/v7/metricbeat/helper/openmetrics" "github.com/prometheus/prometheus/pkg/textparse" + p "github.com/elastic/beats/v7/metricbeat/helper/openmetrics" + "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/metricbeat/helper/labelhash" "github.com/elastic/beats/v7/metricbeat/mb" From 80fe40d2fbaa9f0a0e4b2143f47de9e438a41035 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Mon, 15 Nov 2021 17:05:34 -0800 Subject: [PATCH 62/63] Review comment to change to openmetrics --- metricbeat/docs/modules/openmetrics/collector.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metricbeat/docs/modules/openmetrics/collector.asciidoc b/metricbeat/docs/modules/openmetrics/collector.asciidoc index 2b184916aa9..20acb035935 100644 --- a/metricbeat/docs/modules/openmetrics/collector.asciidoc +++ b/metricbeat/docs/modules/openmetrics/collector.asciidoc @@ -9,7 +9,7 @@ beta[] include::../../../module/openmetrics/collector/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. +This is a default metricset. If the openmetrics module is unconfigured, this metricset is enabled by default. ==== Fields From ff107b4c60e5a8674cb89c6a1ff2cfbc20ecbe07 Mon Sep 17 00:00:00 2001 From: Premendra Singh Date: Mon, 15 Nov 2021 19:55:23 -0800 Subject: [PATCH 63/63] make update reverted openmetrics back to host --- metricbeat/docs/modules/openmetrics/collector.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metricbeat/docs/modules/openmetrics/collector.asciidoc b/metricbeat/docs/modules/openmetrics/collector.asciidoc index 20acb035935..2b184916aa9 100644 --- a/metricbeat/docs/modules/openmetrics/collector.asciidoc +++ b/metricbeat/docs/modules/openmetrics/collector.asciidoc 
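Review bot: The re-grouped import block in data.go parks `p "github.com/elastic/beats/v7/metricbeat/helper/openmetrics"` in a group of its own, between the third-party `textparse` import and the other `github.com/elastic/beats/v7/...` imports, and the single-letter alias `p` says nothing about what the package is in a module that is not the prometheus one. Since this commit is purely a formatting pass, the line belongs in the elastic group with its siblings, and the alias should either be dropped or made self-describing, e.g. `openmetrics "github.com/elastic/beats/v7/metricbeat/helper/openmetrics"`. Renaming it touches every `p.` reference in data.go, all of which lie outside this hunk. The `p` alias presumably mirrors the prometheus collector this module was derived from, but that cannot be confirmed from the hunk itself.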
@@ -9,7 +9,7 @@ beta[] include::../../../module/openmetrics/collector/_meta/docs.asciidoc[] -This is a default metricset. If the openmetrics module is unconfigured, this metricset is enabled by default. +This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields